One of the challenges of embracing agile development and taking a DevOps approach to IT is incorporating security in such a way that it does not become a barrier to rapid, iterative release cycles.
A new report by information security and research firm Securosis, “Understanding and Selecting Runtime Application Security and Protection,” explores how DevOps teams are addressing today’s application security issues and where the Runtime Application Self-Protection (RASP) model can provide immediate and measurable benefits within the agile development process.
Just as DevOps has developers supporting the applications they develop, RASP is gaining traction as a way to integrate development with security. Mike Milner, co-founder and CTO of Montreal-based Immunio, said the company was founded two-and-a-half years ago in recognition of that shift, as well as the reality that web application security is difficult to do well. “It’s difficult for companies to maintain expertise.”
RASP is a term initially coined in a 2012 Gartner report titled Runtime Application Self-Protection: A Must-Have, Emerging Security Technology; since Immunio’s launch, the company has focused on making web application security easier via the model. With other players coming into the market, said Milner, the concept is starting to mature. “We feel the technology is coming into its own.”
How enterprises are using RASP varies quite a bit, he said. Some organizations are already doing agile and DevOps. “They’re having trouble meshing it with their existing security requirements. RASP works well for them.” Milner said it allows for better integration and feedback loops. “It provides the immediate benefit they are looking for.”
At the other end of the spectrum are organizations that have existing web applications without the best security protection, and that face challenges integrating them well with their firewall. “They are looking for a step change in security they can deploy across a range of applications,” said Milner. “They are looking to deploy RASP across the organization for baseline protection. These evaluations tend to be a little slower.”
Traditionally, developers would build a web application and then it would be up to a separate set of developers or a network security team to make sure it worked with the security parameters of the organization. “Every new deployment of an application needs an update to the firewall,” said Milner. This makes deployment slow and puts a wrench into rapid development. “It doesn’t make as much sense in a rapid release environment to have separate teams.”
Some organizations have seen RASP as a means for transformative change, he said, and the Securosis report offers those interested in learning more an explanation of how it fits within the bigger picture, along with guidance on what questions need to be asked of a potential RASP provider.
Milner said it’s also important to remember that RASP is not a replacement for a security tool; what it does is allow for better integration and protection in real time. As the Securosis report notes:
“For [DevOps] teams, security products must do more than address application security issues; they need to mesh with continuous integration and continuous deployment approaches, while offering automated capabilities and better integration with developer tools.”