This article explores the core principles, strengths, and limitations of four major application security testing approaches—Static (SAST), Dynamic (DAST), Interactive (IAST), and Runtime Application Self‑Protection (RASP)—and compares them in a concise table to guide developers in building a comprehensive security strategy.
The article details Meituan's large‑scale RASP (Runtime Application Self‑Protection) rollout, covering deployment challenges such as heterogeneous Java environments, performance impact of agent injection, upgrade difficulties, monitoring complexities, and the engineering solutions—including agentmain/premain hybrid loading, gray‑scale upgrades, hot‑update plugin architecture, and performance optimizations—validated with concrete metrics and benchmarks.
This article examines JD Cloud's Runtime Application Self‑Protection (RASP) technology, detailing its background, architecture, working principles, security advantages over traditional WAF and SAST/DAST, practical 0‑day protection examples, deployment scenarios, operational practices, and real‑world performance in large‑scale promotions and national‑level cyber‑exercises.
In a detailed interview, XMirror Security founder Zi‑Ya discusses the origins of his team, the core elements of DevSecOps, the innovative code‑vaccine technology combining IAST and RASP, maturity stages of development security in China, and future trends in software‑supply‑chain security.
Atlassian Confluence suffers a severe, easily exploitable remote code execution flaw (CVE-2022-26134) that allows unauthenticated attackers to run arbitrary commands, affecting multiple versions and prompting both official upgrade recommendations and detailed temporary mitigation procedures, while Xmirror's Cloud Shark RASP offers innate protection.
This article surveys IAST and RASP technologies, detailing Java bytecode instrumentation methods, passive probing techniques, taint analysis algorithms, integration with SkyWalking, and compares their capabilities with SAST and DAST, providing practical implementation guidance and reference resources.
The Log4j2 remote code execution flaw is hard to contain because it enables arbitrary code execution and hides its traffic signatures, but Runtime Application Self‑Protection (RASP) can detect malicious behavior at the application level, offering low false‑positives and automatic component discovery without relying on constantly updated rules.
The article explains the massive impact of the Log4j2 remote code execution vulnerability, details why its JNDI lookup is easily exploitable, lists affected software, and provides a concise four‑step guide using Alibaba Cloud ARMS RASP to detect, monitor, and block attacks while offering remediation recommendations.
This article describes Ctrip's practical deployment of OpenRASP‑based IAST, outlines the challenges of data pollution caused by traffic replay, and presents a Java bytecode instrumentation solution that intercepts SocketOutputStream writes to prevent dirty data from persisting in databases, caches, and message queues.
