This topic answers frequently asked questions (FAQs) about the application protection feature.
What are the differences between application protection and WAF?
Both the application protection feature, which is based on Runtime Application Self-Protection (RASP) technology, and Web Application Firewall (WAF) can be used to protect applications. Application protection defends against zero-day vulnerabilities and encrypted attack traffic that target servers, whereas WAF effectively mitigates volumetric attacks at the network ingress. For comprehensive protection, we recommend that you use the feature together with WAF. The following table describes the differences.
| Item | Application protection | WAF |
| --- | --- | --- |
| Focus | Ensures the security of applications, regardless of the traffic source. | Filters out and protects against attack traffic at the network layer. |
| General protection scope | Provides defense against common web vulnerabilities such as SQL injection, remote code execution, file inclusion, and webshells. | |
| Specialized protection scope | Provides defense against zero-day vulnerabilities, complex encoded or encrypted traffic, in-memory webshells, non-HTTP protocols, and horizontal penetration over internal networks. | Provides defense against DoS attacks such as HTTP flood attacks, crawler attacks, scan attacks, and attacks related to access control and API security. |
| Detection method | Detects real attacks from within the running application. | Matches and filters out attack traffic based on traffic characteristics. |
| Deployment location | Deployed on servers and injected into applications. | Deployed on a border gateway or in front of servers. WAF does not interfere with applications. |
| Performance | Consumes server resources. | Consumes the resources of WAF and has no impact on applications or origin servers. |
| Vulnerability fixing | Uses virtual patches to fix vulnerabilities and locates the code path whose execution exploits the vulnerabilities. | Uses virtual patches to fix vulnerabilities and reports only the exploitable traits of the vulnerabilities. |
| Zero-day vulnerability prevention | Supported by default. | Mitigates zero-day vulnerabilities by using rules that are created based on known vulnerability exploit methods. |
What types of applications can be added to the application protection feature?
The application protection feature is available only for Java and PHP applications, and their runtime environments must meet certain restrictions. For more information, see Enable application protection.
Does the feature support Python, Go, or .NET applications?
No. The application protection feature currently supports only Java and PHP applications.
Does the application protection feature affect the running of applications?
The application protection feature is carefully designed to limit its impact on system performance, compatibility, and stability, so that it interferes with running applications as little as possible. Tests have shown that after the application protection feature is enabled for a server, the additional CPU utilization of the server does not exceed 1%, the additional memory usage is less than 50 MB, and the additional application latency or response time is less than 1 millisecond.
The feature also provides emergency measures, such as the soft fuse escape mechanism, to minimize interference with applications. For more information, see Enable application protection.
How do I choose the application protection mode?
The application protection feature detects attacks that pose actual security threats and therefore has a lower false positive rate than traditional traffic-based detection technologies. For this reason, we recommend that you take the attacks detected by this feature seriously. After you add an application to the application protection feature, the application is protected in Monitor mode, which is the default protection mode. After the application has run stably for a period of time, you can change the protection mode from Monitor to Block.
What is the role of the manager.key parameter when I add a containerized Java application to the application protection feature?
The manager.key parameter in the startup command associates the application with the application protection feature. The vulnerability management feature of Security Center marks applications in which vulnerabilities are detected. If the RASP agent is installed on an asset that is associated with a detected vulnerability, that asset must be marked as protected. Security Center uses the manager.key parameter to associate the application with the application protection feature.
Why is there no attack data on the Attack Statistics page?
This issue may be caused by the following reasons:
The application is not added to the application protection feature. You can re-add your application process to the application protection feature. For more information, see Enable application protection.
No real attacks are detected. Unlike traditional firewalls, the application protection feature records only real attacks. Traditional firewalls report an attack whenever malicious attack characteristics are found in packets. However, the presence of malicious attack characteristics does not mean that a real attack occurred. For example, attack requests that exploit PHP vulnerabilities are ineffective in a Java environment. If a real attack is detected, the attacker has already broken through the outer defenses and entered the internal environment of the application, where risky operations can be performed. An application may not receive a large number of real attacks, but when real attacks are detected you must block them or fix the vulnerabilities at the earliest opportunity.
What is the difference between the weakness detection feature and the weak password baseline check?
The weakness detection feature is used to detect risks based on the application behavior and memory status during application runtime. The weak password baseline check is mainly used to scan system configurations, including the baseline check based on the internationally agreed best practices, classified protection compliance check, and static file detection.
Why did I fail to add my application to the application protection feature?
This issue may be caused by the following reasons:
Anti-virus software is installed on your server. The software may block the RASP agent or the Security Center agent. You can view related information in the blocking results of the software.
The password of the root user in the Linux system has expired.
How do I identify a blocked threat?
If you find a runtime exception named AliCloudRaspSecurityException in your business logs, the application protection feature has detected an exception or potential security threat and has blocked the access attempt of the related process. To prevent the feature from blocking this process behavior, you can add the process to the whitelist. For more information, see Create whitelist rules.
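The following script is an added example, not part of this documentation or the product: it scans a constructed Java application log for AliCloudRaspSecurityException records and attributes each blocked action to the thread and code path of the surrounding log record, so that a whitelist decision can be made per code path rather than for the whole application. The log format, the exception's package name and the exception messages are all assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample Java application log (hypothetical format and messages,
# not real product output). The exception name comes from the documentation;
# its package "com.example.rasp" is an assumption.
SAMPLE_LOG = """\
2024-05-01 10:00:01.120 INFO  [http-nio-8080-exec-3] c.e.OrderController - order 42 created
2024-05-01 10:00:02.310 ERROR [http-nio-8080-exec-7] c.e.ReportController - request failed
com.example.rasp.AliCloudRaspSecurityException: blocked file read
\tat c.e.ReportController.export(ReportController.java:88)
2024-05-01 10:00:05.002 INFO  [http-nio-8080-exec-3] c.e.OrderController - order 43 created
2024-05-01 10:00:09.870 ERROR [http-nio-8080-exec-2] c.e.AdminController - request failed
com.example.rasp.AliCloudRaspSecurityException: blocked command execution
\tat c.e.AdminController.run(AdminController.java:41)
2024-05-01 10:01:00.000 WARN  [http-nio-8080-exec-7] c.e.ReportController - slow query
"""

# One log record header: timestamp, level, [thread], logger, " - ", message.
HEADER = re.compile(r"^(\S+ \S+) (\w+)\s+\[([^\]]+)\] (\S+) - (.*)$")
# The RASP block marker and the reason text that follows it.
BLOCK = re.compile(r"AliCloudRaspSecurityException: (.*)$")


def find_rasp_blocks(log_text):
    """Return one dict per blocked action: the reason from the exception line
    plus the timestamp, thread and logger of the log record it belongs to."""
    blocks, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, _level, thread, logger, _msg = m.groups()
            current = {"time": ts, "thread": thread, "logger": logger}
            continue
        b = BLOCK.search(line)
        if b and current is not None:
            blocks.append({**current, "reason": b.group(1).strip()})
    return blocks


def blocks_by_logger(blocks):
    """Count blocked actions per code path (logger); review each path
    separately before deciding whether a whitelist rule is justified."""
    return Counter(b["logger"] for b in blocks)


if __name__ == "__main__":
    found = find_rasp_blocks(SAMPLE_LOG)
    for b in found:
        print(f'{b["time"]} {b["thread"]} {b["logger"]}: {b["reason"]}')
    print(dict(blocks_by_logger(found)))
```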
How do I determine whether an application is successfully added to application protection?
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the RASP page, click the Application Configurations tab. Then, click the number in the Authorized Process column for the target application group.
In the instance details panel, view the list of added applications.
If the PID of the application process on the target server appears in the application list, the application has been successfully added to application protection.
