While researching a DevOps project, Securosis found that developers were very interested in embedding security into their process and that DevOps provided a very real path to improve application security using continuous automated testing, run each time new code was checked in. They were surprised to discover the degree to which developers and IT teams were taking a larger role in selecting security solutions and bringing a new set of buying criteria to the table.
For these developers, security products must do more than address application security issues; they need to mesh with continuous integration and continuous deployment approaches, with automated capabilities and better integration with developer tools. Securosis was particularly surprised that every team asked about Runtime Application Self-Protection (RASP). Each team was either considering RASP, or already engaged in a proof-of-concept with a RASP vendor. This was typically in response to difficulties with WAF and wanting more developer-centric security tools within their certification efforts — both prior to deployment and while in production.
Developer teams are seeking the ability to automate security, to test in pre-production, to balance the configuration skew between pre-production and production, and to have security products identify where in the code issues were detected. For these teams, the security tools needed to be as agile as their development processes, and thus they were seriously looking into RASP solutions.
In this research paper Securosis discusses why development organizations look for new solutions and what advantages RASP provides in meeting these new requirements. For example: