Date: 2018-07-14

In the era of agile development and outsourcing, implementing a secure software development life cycle (SSDLC) is critical. However, it may not help you achieve the level of risk mitigation you desire. You may need to extend your software security approach to provide an additional layer of protection for applications once they have been deployed. That’s where runtime application self-protection comes in.

As I mentioned in my prior blog post, RASP security products integrate with an application to prevent attacks at runtime by analyzing traffic and end user behavior. When RASP products detect an attack, they issue alerts, block application execution for individual requests, and sometimes virtually patch the application to prevent further attack. They typically integrate with an application at either the language runtime or application server layer, providing function-level code visibility into the application. This allows them to identify attacks more accurately, reducing false positives and reporting or blocking only those actions that constitute legitimate threats.
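To make the function-level integration described above concrete, here is an added example (not from this post or from any RASP product) that hooks a database driver call, alerts, and blocks only the offending request. The names `GuardedConnection`, `request_inputs`, `handle_request` and the structure-comparison heuristic are assumptions chosen for illustration, and the sample data is constructed.

```python
import contextvars
import re
import sqlite3

# Untrusted values of the request being served (set by hypothetical middleware).
request_inputs = contextvars.ContextVar("request_inputs", default=())
alerts = []  # stand-in for the product's alert channel

class BlockedRequest(Exception):
    """Raised to abort only the offending request, not the application."""

def skeleton(sql):
    """Collapse literals so only the statement's structure remains."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)  # string literals
    sql = re.sub(r"\b\d+\b", "?", sql)         # numeric literals
    return " ".join(sql.split()).lower()

def input_changes_structure(sql, value):
    """True if the untrusted value contributes more than a single literal."""
    if len(value) < 3 or value not in sql:  # simplification: skip very short values
        return False
    return skeleton(sql) != skeleton(sql.replace(value, "0"))

class GuardedConnection(sqlite3.Connection):
    """Hook at the driver call: sees the final SQL and the request's inputs."""
    def execute(self, sql, *args):
        for value in request_inputs.get():
            if input_changes_structure(sql, value):
                alerts.append({"sink": "sqlite3.execute", "input": value})
                raise BlockedRequest("query structure altered by request input")
        return super().execute(sql, *args)

def handle_request(db, name):
    """Constructed, deliberately unsafe handler that concatenates input into SQL."""
    token = request_inputs.set((name,))
    try:
        return db.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
    finally:
        request_inputs.reset(token)

def demo():
    db = sqlite3.connect(":memory:", factory=GuardedConnection)
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    ok = handle_request(db, "alice")           # benign input passes through
    try:
        handle_request(db, "x' OR '1'='1")     # constructed injection-style input
        blocked = False
    except BlockedRequest:
        blocked = True
    db.close()
    return ok, blocked, len(alerts)
```

Because the hook sees both the request's inputs and the exact statement reaching the sink, it can let the benign request through and stop only the one whose input changed the query's structure, which is the source of the lower false-positive rate the paragraph describes.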

The question is, should you replace any of your application security testing tools with a RASP solution? The answer is no. RASP should complement, rather than replace, your testing strategy.