New NIST Standards on IAST and RASP Deliver State-of-the-Art AppSec

June 19, 2020

The world is changing faster than ever before. Technology is the primary instigator, turning the dial up to hyper speed and catapulting businesses into rapid digital transformation in order to maintain a needed competitive edge. As enterprises charge forward with digital innovation, more sensitive applications and workloads are inevitably making their way to the cloud.

Along with myriad benefits, Agile and DevOps also pose higher risks, which are exacerbated by a threat landscape that continues to evolve at breakneck speed. Traditional application security (AppSec) approaches simply cannot keep pace with the speed of modern Agile and DevOps. Constant security scans slow release cycles and increase developer inefficiencies. Overwhelming volumes of false positives consume valuable time, while false negatives create a false sense of security and ratchet up risks. And these problems extend across the software development life cycle—from development to production runtime. Suddenly, in the face of these challenges, the business outcomes of digital transformation initiatives shrink.

NIST Standards Bolster Secure Digital Initiatives

In response to these issues, the National Institute of Standards and Technology (NIST) released a revision to Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Revision 5. Those responsible for application security need to capitalize on two new standards that address interactive application security testing (IAST) and runtime application self-protection (RASP).

A critical enabler of both the IAST and RASP standards is security instrumentation, where AppSec telemetry is generated by microsensors embedded within the software. The following synopsis from each standard best summarizes the requirements:

SA-11(9): “Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.”
SI-7(17): “Implement [Assignment: organization-defined controls] for application self-protection at runtime.”

These new standards are certain to have a significant impact across all industries. The NIST Cybersecurity Framework is quickly becoming the default standard in the United States, with all federal government agencies mandated to comply with NIST and many state and local governments following suit. And the private sector is not far behind: Half of U.S. businesses will comply with NIST by the end of this year.

Getting Started with IAST and RASP

So, what is IAST and what can organizations do to meet the IAST requirement in NIST? IAST leverages security instrumentation that resides inside applications to observe applications while they run (whether in development, test, or production environments). Able to directly access code, user interaction, libraries, frameworks, back-end connections, and configurations to measure control effectiveness, IAST is able to identify a broad range of potential vulnerabilities continuously and in real time.

Deploying IAST is easy and fast. Developers simply need to add the IAST agent to their application. The IAST solution automates the identification of vulnerabilities, which developers can fix as part of the process of writing code. There are no development disruptions for code scans. In addition, the alert noise—generated by false positives—of traditional security scanning tools is eliminated due to the instrumentation approach of IAST.

Like IAST, RASP also leverages security instrumentation and can even be combined in the same agent as IAST. RASP is also fast and easy to use, as opposed to perimeter defenses (web application firewalls). Security and development teams simply add the RASP agent to applications running in their production runtime environment. RASP then continuously monitors application inputs and confirms exploitability. This includes the detection and prevention of both known and unknown (zero-day) threats at the point of the vulnerability. When a threat is detected, RASP prevents exploitation and takes other actions such as sending a warning message to the user, terminating a user’s session, terminating the application, or sending an alert to the SecOps team.

As security instrumentation is pivotal to both IAST and RASP, it enables a comprehensive approach to AppSec that starts in development and extends into production runtime. Security instrumentation eliminates development delays connected to security scans and false positives that incur significant inefficiencies. This “inside-out” approach also reduces risk by enabling teams to quickly address vulnerabilities that matter and respond to attacks by preventing vulnerabilities from being exploited in real time.

Modern Agile and DevOps Demand a Different AppSec Approach

Modern Agile and DevOps are measured in terms of velocity and the value they add. AppSec must enable rather than inhibit these outcomes. Because they require significant work by experts, it is impossible for traditional “outside-in” AppSec approaches that rely on signature-based models and scanning to match the pace of the digital business. A complete paradigm shift is necessitated, and just as instrumentation has transformed other areas of software development such as application performance monitoring (APM), it holds the keys to success for AppSec.

AppSec must be approached from inside the software—and this is what security instrumentation enables. This inside-out approach is continuous and is real-time security, as opposed to traditional AppSec that takes an outside-in approach that only provides point-in-time security views. The new NIST standards for IAST and RASP are a testament that outside-in AppSec approaches are antiquated, inefficient,and ineffective. Security instrumentation is more than a paradigm shift of the future—it is an opportunity for today.

Jeff Williams is a pioneer in application security and has more than 20 years of experience in software development and security. He is the co-founder and CTO of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control infrastructure. Williams is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff holds a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.