What happened to RASP?

Jun 03, 24

Wasn’t RASP supposed to save us? I’ll walk through the history and challenge of the RASP market, and look at whether the new “ADR” acronym will bring any better luck.

In the early 2010s, Gartner did its thing and gave us a four-letter acronym: RASP (Runtime Application Security Protection).

In 2015, a RASP vendor (Waratek) won the RSA Innovation Sandbox. [1]

Sqreen was a standout in the RASP market, and was acquired by Datadog in 2021 (a top-20 YCombinator exit, for $260m).

But RASP seems to have sputtered. Waratek is still kicking, but appears never to have raised again post-2014 and never hit “venture scale.” Sqreen’s technology lives on in Datadog, but lacks the mindshare (and market share) it once threatened. RASP was always pitched as a WAF-killer, but it is self-evident that “WAFs” are still a much bigger business.

Recent news around yet-another-acronym in runtime application security (“Application Detection and Response”), as well as funding and startup announcements (Miggo Security, Oligo, etc.) made this an opportune time to revisit the technology and market.

🙏 A huge thank you to Paul Bleicher, CPO & Co-Founder at Konvu. He generously took some time to share his perspective on the history of RASP - based on his time leading GTM at Sqreen. Konvu is getting some of the Sqreen band back together to tackle the vulnerability remediation space, check them out!

What’s RASP?

RASP is all about instrumenting the runtime and implementing proactive protection inside the application. It has been pitched as a silver bullet for application security because of its potential to detect novel (e.g. zero-day) attacks behaviorally, to work generically, and to prevent them automatically.

🧠 Securosis published two useful white papers on the market (in 2016 and 2019), that I referenced extensively. Check them out for a historic look at RASP!

Traditionally, RASP has used one of the following approaches for instrumentation, detection, and blocking of attacks:

  • Servlet Filters & Plugins
  • Library/JVM Replacement
  • Native API Callbacks / Application Instrumentation using a native application profiler
  • Virtualization or Replication for learning
  • Static Hybrid - e.g. deploy as a reverse proxy, combine with SAST, etc.
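As an added illustration of the “native API callbacks” approach in the list above (example code written for this post, not from any RASP vendor): CPython’s audit hooks give the runtime’s own callback at sensitive sinks, and a hook can abort an `os.system` call that mixes request-tainted input with shell metacharacters. The request context, the vulnerable handler and the taint rule are all constructed for the example.

```python
import contextvars
import os
import sys

# Request-scoped record of untrusted input. Empty outside a request, so the
# hook is inert there; a real RASP would take this from the framework's request.
_untrusted = contextvars.ContextVar("untrusted", default=())

SHELL_META = set(";|&$`><\n")


class RaspBlocked(RuntimeError):
    """Raised by the hook to abort a sink call that would reach the shell."""


def shell_command_is_tainted(cmd, untrusted=None):
    """True if an untrusted value carrying shell metacharacters reached cmd."""
    if isinstance(cmd, bytes):
        cmd = cmd.decode(errors="replace")
    values = _untrusted.get() if untrusted is None else untrusted
    return any(v and v in cmd and bool(SHELL_META & set(v)) for v in values)


def rasp_hook(event, args):
    # CPython emits "os.system" just before the command runs; raising here
    # aborts the call and the exception surfaces in the application.
    if event == "os.system" and shell_command_is_tainted(args[0]):
        raise RaspBlocked(f"os.system blocked, untrusted input in {args[0]!r}")


sys.addaudithook(rasp_hook)  # process-wide; audit hooks cannot be removed


def handle_request(host):
    """Constructed vulnerable handler: a request parameter is interpolated into
    a shell command. The handler is unchanged; the RASP hook guards the sink."""
    token = _untrusted.set((host,))
    try:
        return os.system(f"ping -c 1 {host}")
    finally:
        _untrusted.reset(token)


def request_blocked(host):
    """Drive the handler and report whether the hook aborted the sink call."""
    try:
        handle_request(host)
    except RaspBlocked:
        return True
    return False


if __name__ == "__main__":
    print("injection blocked:", request_blocked("example.com; id"))
```

Note that the hook only inspects the sink and the request context; the application code is never modified, which is exactly the property that made RASP attractive and that made its stability risk so visible.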

Why RASP struggled

RASP struggled against both Technical and Non-Technical criticism, and never beat the allegations.

Not everyone is ready to endorse RASP. “I don’t think it’s ready for primetime,” said Cigital’s McGraw. RASP isn’t a bad idea in principle, he said, “but in practice, it’s only worked for one or two weak categories of bugs.”
“RASP helps apps protect themselves, but is it ready for the enterprise?”

First, we’ll break down the challenges RASP faced. Then, we’ll take a quick look at whether “ADR” will have any better luck.

Technical Critiques

  1. Performance, application load and stability impacts [2][3][4]: RASP’s runtime integration carried a lot of perceived (and manifested) risk of production disruption

  2. Added complexity and attack surface [3][5]

  3. Efficacy of instrumentation and ergonomics of troubleshooting [5]

  4. Implementation cost/challenges, especially around support for language heterogeneity and support for legacy technologies and backwards compatibility in ecosystems like Java [4]

Non-Technical Critiques

  1. Unclear time-to-value: RASP’s main value proposition lies in defense against zero-day attacks, which constrains the ability to show immediate value when there is no active attack at time of procurement.
  2. RASP is a technology that offers more value in a correlated platform, especially when tied to other observability or vulnerability data. This contributed to the rollup of RASP tools through acquisitions.
  3. RASP was a new category. It is always hard to sell a new budget line or category. Generally, budget was tied to “WAF” and had to be poached.
  4. Incentive problems and buyer personas: Only the folks who own security care about the problem RASP was pitched to solve. However, while security was often the buyer, RASP needed significant implementation/deployment investment from other teams. Those teams, in particular, had FUD around the technical critiques. Additionally, application security teams cared about finding and remediating vulnerabilities, making “prevention” a strange fit in their programs.
  5. Market and brand contamination: RASP proves that coining a category is easy (thanks Gartner), but defending one is hard. First, all RASP tools struggled against concerns driven by the worst market participants, in terms of the technical critiques mentioned above. Technical challenges rubbed off on competitors: when a single RASP breaks production, even the ones with a more resilient architecture gain a “smell.” Additionally, companies (looking at you, Signal Sciences) started to add noise to the market with terms like “RASP at the edge” for what was really just a “next-gen WAF.”

Will ADR fix RASP?

A few years on from peak RASP hype, we have some frothing in the market about “Application Detection and Response.” But is this a rebrand or a pivot? Will it actually solve any of these limitations that prevented RASP from thriving as a product category?

The “ADR” Approach // “Modern RASP”

I see a few minor differences introduced by “ADR”, but the major one appears to be the move to modern observability technologies (eBPF, oTel) for simpler instrumentation. For example, Ballistic Ventures’ main pitch for “why now” [3] was a belief that eBPF is in a place where RASP’s limitations around “friction of complexity, adding application load and risking stability” can be surmounted. YL Ventures makes a similar point around Miggo Security, pitching “user-friendly and easy-to-integrate.”

Latio’s ADR analysis [5] also points to cross Cloud/OS/App correlation, but this is mainly aspirational.

I also see a more effective focus on visibility as a value proposition, versus just protection, for example in Miggo Security’s marketing.

One fundamental challenge, deployment, can be alleviated in some modern environments … when everything is just k8s. “Shift-left” and the move in Security Engineering towards prevention can also help with the incentive mismatch.

Will it be enough?

I’m skeptical. I still think the vision of RASP/ADR is compelling. I’d love a silver bullet. But there is insufficient information to tell whether the technology is actually there yet. Certainly, there are good reasons to doubt eBPF as a viable base for security tooling. [6][7]

Additionally, the tighter integration to standardized observability technologies like oTel feels like a double-edged sword. As we saw with the rollup of RASP tools, it seems likely that buyers will want these tools bundled with observability (congrats Datadog 🤑) or tied into their other runtime security tools like Latio proposes.

Finally … observability is expensive enough as it is. [8] The concept of paying similar rates for a single security SKU is daunting.

Takeaways

Let’s (very roughly) grade how ADR addresses the historic criticism of RASP.

| Criticism | ADR approach | Grade |
|---|---|---|
| Performance, application load and stability impacts | Modern observability technologies | A: These technologies are fairly battle-tested and generally trusted along these axes |
| Added complexity and attack surface, difficulty troubleshooting | Modern observability technologies | B: These technologies are fairly battle-tested and generally trusted along these axes. Troubleshooting seems like it would still be opaque. |
| Efficacy of instrumentation and ergonomics of troubleshooting | Modern observability technologies | C: Big promises, as with RASP; it remains to be seen whether this pays off |
| Implementation cost/challenges | Modern observability technologies | B: Easier deployment, but still requires integration across a fleet. Rolling out net-new oTel could be substantial, same if you need to play well with existing observability or security tooling using the same rails. |
| Unclear time-to-value | Pitch visibility and/or vulnerability reachability | B: This is similar to where the “better RASP vendors” landed |
| More value in a correlated platform | N/A | D: This frankly seems like an even bigger risk when building on observability technologies |
| Category creation / budget | Use of an acronym aligned to EDR/CDR budget | C: Similar to RASP |
| Incentive problems and buyer personas | N/A | C: Same as RASP, but has benefitted from tailwinds around prevention in AppSec |
| Market and brand contamination | N/A | C: I expect to see the same challenges as RASP, if the market develops |

Appendix: The RASP market

| Company | Color commentary |
|---|---|
| Contrast Security | Markets against RASP and uses it in branding, but seems to mostly deploy as IAST |
| Datadog (powered by Sqreen acquisition) | Nice synergy with the existing observability platform, but shed the RASP terminology and positioning |
| Paraxial | Elixir and Phoenix only |
| Imperva RASP (powered by Prevoty acquisition) | Absolute gobbledygook marketing: “Imperva RASP uses Language Theoretic Security (LANGSEC) to detect and neutralize known and zero-day attacks, ensuring applications are secure by default” |
| Trend Vision One™ – Cloud Security (Immunio acquisition) | TKTK |
| ProtectOnce | Seems to have pivoted to API security |
| Fastly (Signal Sciences acquisition) | Signal Sciences always branded their WAF as RASP, but Fastly seems to have dropped that practice |
| Waratek | Java only |