Trusting Software - Runtime Protection Is the Third Alternative


Authors: Jeff Williams


The presentation discusses the importance of incorporating threat intelligence and runtime protection into application security programs to prevent attacks and vulnerabilities.
  • Threat intelligence can dynamically change the risk of an attack and allow for prioritization of security measures.
  • Runtime protection can prevent a significant portion of vulnerabilities from being exploited.
  • Instrumentation and telemetry can provide real-time feedback to developers and production teams.
  • Trust boundaries and sandboxes can be implemented to prevent common vulnerabilities such as unsafe serialization and expression language injection.
The speaker worked with a Fortune 100 company on a runtime application self-protection (RASP) implementation and found that 95% of the 1600 vulnerabilities discovered could have been prevented with runtime protection. This highlights the importance of incorporating such measures into application security programs.


For 20 years, OWASP has been recommending two approaches to achieving trustworthy software: people and perimeters. The people approach attempts to coerce your developers into making perfect software with requirements, vulnerability testing, threat modeling, security architecture, training, etc. The perimeter approach attempts to monitor network traffic and perfectly detect and block attempts to exploit vulnerabilities. Unfortunately, and despite Herculean effort by smart and dedicated people, these approaches simply aren't working. But there is a third approach: consider how ASLR and DEP changed the curve on kernel exploits in the mid-2000s. Imagine we could automatically inject exactly the right defenses into your code, in exactly the right places, without having to change anything about the way you develop, build, test, or deploy your applications. In this talk, you'll learn how easy it is to eliminate entire classes of vulnerability, like those in the OWASP Top Ten, by automatically infusing simple, lightweight trust boundaries into apps/APIs. This "runtime protection" is available for a huge range of languages and platforms, and is widely used in large companies to secure apps/APIs at massive scale with almost no performance impact. Forrester reports that 65% of companies are adopting runtime protection and 17% are planning to adopt it. Attendees will learn how runtime protection works, how you can deploy it at scale, and about its accuracy and performance. But more importantly, we'll explore real-world runtime protection use cases that will benefit your entire appsec program, your development teams, and even your security culture.
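As an added illustration of the trust boundaries the summary and the abstract describe (example code written for this page, not code from the talk or from any RASP product), here is a minimal runtime trust boundary around Python pickle deserialization: it is injected by patching pickle.loads at runtime so existing call sites stay unchanged, it refuses to resolve any class outside an allowlist in block mode, and it emits a telemetry event in both block and monitor mode. The allowlist, the in-memory telemetry sink, and the two sample payloads are constructed assumptions for the demo.

```python
import io
import pickle
from collections import OrderedDict
from datetime import date

# Trust-boundary policy: the only globals a pickle payload may resolve. The
# allowlist and the in-memory telemetry sink are constructed for this example.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
TELEMETRY = []

class GuardedUnpickler(pickle.Unpickler):
    """Enforces the allowlist at the one point where pickle resolves classes."""

    def __init__(self, data, block=True):
        super().__init__(io.BytesIO(data))
        self.block = block  # block=False gives a monitor-only mode

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            TELEMETRY.append({"event": "unsafe_deserialization", "ref": f"{module}.{name}",
                              "action": "blocked" if self.block else "observed"})
            if self.block:
                raise pickle.UnpicklingError(f"trust boundary: refused {module}.{name}")
        return super().find_class(module, name)

def guarded_loads(data, block=True):
    """Drop-in replacement for pickle.loads that applies the trust boundary."""
    return GuardedUnpickler(data, block=block).load()

def install(block=True):
    """Inject the boundary at runtime: callers that look up pickle.loads at call time get it unchanged."""
    original = pickle.loads
    pickle.loads = lambda data, **kw: guarded_loads(data, block=block)
    return original  # lets the caller restore the original function

def demo():
    """Run one benign and one out-of-policy payload through block and monitor modes."""
    TELEMETRY.clear()
    benign = pickle.dumps(OrderedDict(user="alice"))  # resolves collections.OrderedDict
    suspect = pickle.dumps(date(2024, 1, 1))          # resolves datetime.date, not allowlisted
    results = {"benign": guarded_loads(benign)["user"]}
    try:
        guarded_loads(suspect)
        results["suspect"] = "allowed"
    except pickle.UnpicklingError:
        results["suspect"] = "blocked"
    results["monitor"] = guarded_loads(suspect, block=False).year  # monitor mode only reports
    results["events"] = len(TELEMETRY)
    return results
```

Monitor mode is what lets a team roll the boundary out first to collect telemetry on what production traffic actually resolves, then switch to block mode once the allowlist is confirmed.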