
Runtime Application Self Protection (RASP)

The Fortify Application Defender is a RASP solution that helps you mitigate risk from homegrown or third-party applications. It provides visibility into application abuse while protecting software vulnerabilities from exploits in real time.

RASP via Fortify Application Defender

Sometimes you need to protect it now and remediate later. Protect your enterprise from some of the most damaging exploits like the OWASP Top 10.


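Why application self-protection is needed

Applications can be the weakest link in enterprise security. Eliminating vulnerabilities is not always possible, and as deployment speeds increase, running application security tests before production is becoming even more difficult.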

In this HPE newsletter, featured Gartner research says RASP is “transformational” and recommends “that Gartner clients evaluate emerging vendors and plan RASP adoption when RASP's level of maturity meets their policies.”

HPE newsletter

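Application Defender overview

  • Vulnerabilities can arise at any time

    Application security testing is particularly effective for prevention, helping to keep applications with known vulnerabilities from moving into production. However, even for organizations with the most thorough application security programs, scanning and fixing every application may not be practical. In the meantime, attackers keep introducing new threats that were not anticipated during development.

  • Security beyond the network view is needed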


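    Changing code to address existing and new threats can take weeks or months. While the code is being changed, compensating controls are needed.

    Network security such as a web application firewall (WAF) is a widely used approach, but it can miss attacks that require visibility inside the application itself.

  • A strategy that sees and defends from the inside is needed

    Leveraging the application lets you log application behavior and accurately detect and block attacks without needing to train or tune rules or rewrite code. App Defender shortens remediation time based on line-of-code vulnerability information while protecting the vulnerable areas.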

Application Defender is the RASP solution from app sec industry leader, Fortify.

Proven technology

First to market (2007) with App Defender agent instrumentation technology that is also used in Fortify WebInspect and other products

Proven vendor

Experience and security research from a market leader


Part of Fortify’s end-to-end application security capabilities

Application Defender Benefits


  • Install quickly and easily with a three-step deployment and get protection up and running in minutes
  • Out-of-the-box protection via preconfigured vulnerability detection rules
  • Efficiently manage, report and scale on-premise or in the cloud



  • Faster time to remediation with line-of-code detail for security issues
  • Actionable information through interactive dashboards and real-time alerting
  • Continuous security monitoring of actual attacks to pinpoint vulnerabilities for protection or remediation
  • Flexible output to enable SOC to see application security logs and software vulnerability exploits
  • Configurable reporting for risk prioritization and communicating across the organization



  • Stop attacks or security violations categorically or granularly, using context from inside the application with a click of a button
  • Runtime application self-protection (RASP) with real-time analysis of application logic and data flows to see threats invisible to network security
  • Accurately distinguish between an actual attack and a legitimate request, greatly improving protection accuracy and reducing the chance of false positives

What can Fortify Application Defender, our Runtime Application Self-Protection (RASP) solution, do for you?

The common factor for many Application Defender customers is the need to buy time and gain control. As a compensating control, Application Defender can help you protect vulnerabilities while you decide when and how to best remediate them in the long term. For some, this virtual patch is used permanently.

See How Our Customers Are Applying RASP

To Buy Time

A U.S. pharmaceutical company found more vulnerabilities than they had resources to fix. They use App Defender as a virtual patch to defend those vulnerabilities.

For Rapid Resolution

A European cloud-based software company had customers anxious for resolution of a critical vulnerability. To quickly protect the vulnerability across all 60 instances, they deployed App Defender and had their customers immediately protected.

To Broaden Testing

A major European manufacturer’s backlog of already identified vulnerabilities was preventing them from testing additional applications. With a click of a button, App Defender monitors and protects the vulnerabilities found in Fortify on Demand, enabling them to scan and test more applications and further reduce their risk.

For Compliance Audit

A U.S. company had failed a compliance audit and was given 30 days to resolve the issue. Remediation was estimated to require several months. App Defender’s use as a compensating control relieved the immediate audit issue.

For SOC Visibility

A U.S. services company uses App Defender to immediately and consistently see application and user activity and potential exploits, at enterprise scale, without creating custom log parsers for apps not instrumented to create logs.

To Enable DevOps Speed

A U.S. service company uses App Defender to protect vulnerabilities found during rapid DevOps sprints. This compensating control enables DevOps speed while managing risk.

Where RASP fits

Monitor and protect applications, after pre-production security testing, to identify and stop actual exploits.



Why RASP if I have a WAF?

Context-sensitive instrumentation can distinguish a potential exploit from a successful one so you can confidently identify and stop attacks. See why you need RASP in addition to – or instead of – a WAF.


Try Application Defender Free

Protect one Java or .NET application for as long as you choose.





Build application security into the entire SDLC





Are You Addressing Your Greatest Vulnerability?


Data sheet


Application Defender: An application self-protection solution





Build Security into DevOps





Application Self-Protection Use Cases


White paper


Application Defender performance metrics for Java



Related Products, Solutions and Services

Application Security

Fortify Application Security

Static and dynamic application security testing to find and fix vulnerabilities before they can be exploited.


ArcSight ESM

Prioritize security events, so you can protect your business.

Mobile Security

Mobile App Security

Secure your mobile stack from device to network communications to server.

Enterprise Security Consulting

Security Consulting Services

Consulting services to help you get the most out of your investment in HPE security solutions.

Enterprise Security Training

Enterprise Security University

Expert instruction to optimize your security operations and your security investments.
