# What you'll learn

After watching this video, you will be able to: 
* Define runtime protection.
* Describe interactive application security testing (or IAST) and runtime application self-protection (or RASP).
* List the benefits of IAST and RASP.

# What is runtime protection? 

Runtime protection is a modern security mechanism that shields applications against threats while the applications are running.

**How can you achieve runtime protection?**

Use security tools that can scan applications for weaknesses while the applications are running.
* **Interactive Application Security Testing** (or **IAST**) scans for vulnerabilities during the testing process.
* **Runtime Application Self-Protection** (or **RASP**) looks for attacks in the production environment.

# IAST scanning during testing


* During testing, when you implement **IAST**, it detects security flaws in real time before the application is released to the public.
* You get critical information about where to find the problem and fix it fast before it can cause data breaches.
* You can run **IAST** along with other automated testing procedures.

# Features of IAST

* IAST produces **low false-positive output** from examining your application in real time.
* Integrating IAST into continuous integration/continuous delivery (or CI/CD) is simple.
* It can connect smoothly with standard build, test, and quality assurance tools, and you don’t need to perform much configuration or tuning to reduce false positives.
* IAST enables earlier and less expensive fixes.
* It gives you an edge in detecting vulnerabilities and fixing them early in the development lifecycle when you are working closely with your code.
* That’s when fixing errors and vulnerabilities will be the least expensive in terms of resources and security risk.
* IAST can scale up in any enterprise domain.
* IAST supports a range of different deployment methods, including automated and manual methods as well as Docker technology.

# RASP scanning in production


* When you have deployed your application and it is running in production, RASP can provide runtime-level protection in the production environment.
* It will give you visibility into risky sections of your code.
* Integrated into an application, RASP safeguards software from harmful inputs by assessing the program's behavior and the context of the activity.
* RASP helps identify and prevent attacks in real time without requiring human involvement.
* As it monitors the application, it observes and assesses the activity continuously.

# Features of RASP

* RASP protects against exploitation.
* It intercepts all types of traffic that could indicate malicious activity, including structured query language (or SQL) injection, exploits, and bots.
* When RASP senses a threat, it can terminate the user's session and notify the security team.
* RASP can work directly within an application.
* It is simple to deploy, and it is inherently capable of monitoring and self-protecting application behavior.
* RASP detects and prevents attacks with great precision, separating malicious requests from legitimate requests, and minimizing false positives.
* You can incorporate RASP into different DevOps systems.
* Securing the cloud is not an easy task and requires much effort because applications are running on someone else's infrastructure outside your secure network.
* Luckily, RASP is extremely compatible with cloud computing.
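
The RASP behaviour described above (judging an input by its context inside the application, then terminating the session and notifying the security team) can be sketched as a guard around the database call. This is an added example, not code from the course or from any RASP product; `RaspGuard`, `AttackBlocked`, the session store, and the alert list are hypothetical names, and the two requests are constructed sample input.

```python
import re
import sqlite3

# Tiny SQL tokenizer: string literal, comment, word/number, or any single symbol.
TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\w+|\S")

class AttackBlocked(Exception):
    pass

class RaspGuard:
    """Hypothetical in-app guard wrapped around the database sink."""
    def __init__(self, conn, sessions):
        self.conn = conn
        self.sessions = sessions  # session id -> user (constructed store)
        self.alerts = []          # stands in for notifying the security team

    def _alters_structure(self, sql, value):
        # Request input is data only if each occurrence sits inside ONE token.
        spans = [m.span() for m in TOKEN.finditer(sql)]
        start = sql.find(value)
        while start != -1:
            end = start + len(value)
            if not any(s <= start and end <= e for s, e in spans):
                return True
            start = sql.find(value, start + 1)
        return False

    def execute(self, session_id, sql, request_inputs):
        for value in request_inputs:
            if value and self._alters_structure(sql, value):
                self.sessions.pop(session_id, None)      # terminate the session
                self.alerts.append((session_id, value))  # notify
                raise AttackBlocked("request input changed the query structure")
        return self.conn.execute(sql).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    guard = RaspGuard(conn, {"s1": "bob", "s2": "mallory"})
    results = {}
    # Constructed requests: one legitimate, one SQL injection attempt.
    for sid, name in (("s1", "bob"), ("s2", "x' OR '1'='1")):
        sql = f"SELECT name FROM users WHERE name = '{name}'"  # legacy concatenation
        try:
            results[sid] = guard.execute(sid, sql, [name])
        except AttackBlocked:
            results[sid] = "blocked"
    return results, guard.sessions, guard.alerts
```

The guard decides at the sink, where it can see both the request input and the final query, which is what lets it pass the legitimate lookup and stop only the request that changes the query's structure. The concatenated query remains the underlying defect and is still fixed with a parameterised query.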

# Summary

In this video, you learned that: 
* Runtime protection is a security mechanism that protects your applications against vulnerabilities while applications are running.
* IAST and RASP are security tools that examine a running application for weaknesses.
* IAST scans for vulnerabilities during the testing process.
* RASP scans for attacks in the production environment.