The final version of NIST SP 800-53 Revision 5 was released yesterday, in what NIST calls an “historic” update to its flagship security and privacy guidance, Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations.
In addition to privacy controls, the new NIST SP 800-53 includes two major updates that boost the importance of application security. The new framework includes requirements for both Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST). These important additions reflect an increased need for better application security in light of growing data breaches and cyber attacks.
Unlike perimeter security solutions such as WAFs, a RASP solution sits on the same server as the application and provides continuous security for the application during runtime, keeping vulnerabilities in the application from being exploited by attacks. By residing on the server, a RASP solution has complete visibility into the application, can analyze the application’s execution for better validation, and can understand the context of the application’s interactions. RASP solutions benefit from being close to the application in a way that network perimeter security solutions cannot.
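The contrast above (in-process context versus perimeter pattern matching) is easier to see in code. The following is an added example, not code from the original post or from any RASP product: a minimal RASP-style query guard that lives in the application process and inspects each SQL statement at the moment it is executed, comparing the statement's token structure with the structure the developer registered for that call site. A perimeter-style check (`perimeter_flags`) only ever sees the raw request parameter and cannot tell a legitimate value from a dangerous one. The class and function names, the in-memory table, and the sample statements are all constructed for this illustration.

```python
# Added example: a tiny RASP-style guard for SQL statements. Names, schema and
# sample inputs are constructed assumptions, not part of the original post.
import re
import sqlite3

# Token classes: single-quoted string literal ('' escapes a quote), number,
# word (keyword or identifier), or one punctuation character.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\S")


def structure(sql: str) -> list:
    """Reduce a statement to its structural skeleton: literals become LIT,
    keywords/identifiers keep their (uppercased) text, punctuation stays."""
    skeleton = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'") or tok.isdigit():
            skeleton.append("LIT")
        else:
            skeleton.append(tok.upper())
    return skeleton


class QueryGuard:
    """Wraps a DB connection. A statement runs only if its structure matches
    the template registered for the named call site; any extra clause that
    user data managed to introduce changes the structure and is refused."""

    def __init__(self, conn):
        self.conn = conn
        self.templates = {}
        self.blocked = []  # audit trail of refused statements for the SOC

    def register(self, site: str, template_sql: str) -> None:
        self.templates[site] = structure(template_sql)

    def execute(self, site: str, sql: str):
        if structure(sql) != self.templates[site]:
            self.blocked.append((site, sql))
            raise PermissionError(f"RASP: statement structure changed at {site}")
        return self.conn.execute(sql).fetchall()


def perimeter_flags(raw_param: str) -> bool:
    """Perimeter-style heuristic: flags any parameter containing a quote.
    Without knowing how the application uses the value, it cannot separate
    the name O'Brien from a real injection attempt (a false positive)."""
    return "'" in raw_param


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'O''Brien')")

    guard = QueryGuard(conn)
    # The developer registers the intended shape of the query at this site.
    guard.register("lookup_user", "SELECT id FROM users WHERE name = 'x'")

    # Constructed: a legitimate name with an apostrophe, correctly escaped.
    # Same skeleton as the template, so the guard lets it through.
    rows = guard.execute("lookup_user",
                         "SELECT id FROM users WHERE name = 'O''Brien'")

    # Constructed: a statement whose literal boundary has been broken so that
    # an extra OR clause appears. The skeleton no longer matches; refused.
    try:
        guard.execute("lookup_user",
                      "SELECT id FROM users WHERE name = '' OR 1=1")
        tampered_blocked = False
    except PermissionError:
        tampered_blocked = True

    return rows, tampered_blocked, perimeter_flags("O'Brien"), len(guard.blocked)


if __name__ == "__main__":
    print(demo())
```

The guard never looks at the HTTP request at all; it decides at the execution point, with the developer's intent (the registered template) as context, which is exactly the visibility the paragraph attributes to RASP. Note that the legacy concatenation this guard is protecting against is still the real defect; the permanent fix remains parameter binding, and IAST during testing is where such a defect should be caught before release.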
With the update to require IAST, application security gets a new focus in development as part of the mainstream NIST framework and should help developers catch security flaws before an application is launched.
While NIST frameworks are requirements for Federal governmental agencies and the organizations that work with them, these new requirements around RASP and IAST should encourage all organizations to take a fresh look at their application security and the tools they use in their own infrastructure.