openrasp
OpenRASP is an open-source Runtime Application Self-Protection (RASP) solution that hooks into application servers to detect and block attacks at execution time. It monitors database queries, file operations, and network requests, offering context-aware threat detection with lower false positives than perimeter-based WAF solutions.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | baidu/openrasp |
| Owner | baidu |
| Primary language | C++ |
| License | Apache-2.0 — OSI-approved |
| Stars | 3k |
| Forks | 621 |
| Open issues | 62 |
| Latest release | v1.3.7 (2022-01-28) |
| Last updated | 2025-10-02 |
| Source | https://github.com/baidu/openrasp |
What openrasp is
Written in C++, OpenRASP instruments Java and PHP application servers (Tomcat, JBoss, Jetty, Resin, SpringBoot, WebLogic for Java; PHP 5.3–7.4) to intercept sensitive function calls and examine inputs before they execute. It logs alarms in JSON format compatible with standard log aggregation tools (Logstash, rsyslog, Flume), with reported performance overhead of 1–4% in stress tests.
Get the openrasp source
Clone the repository and explore it locally.
git clone https://github.com/baidu/openrasp.gitcd openrasp# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Agent installation is application-server-specific (separate modules for Tomcat, JBoss, Jetty, Resin, SpringBoot, WebLogic, WebSphere); plan for per-server configuration and testing.
- Plugin development is required to define detection rules beyond defaults; baseline effort is low but operational tuning to minimize false positives in production is ongoing.
- Performance overhead is stated as 1–4% in controlled tests; validate in your own load profile, especially if hooks are frequently triggered (high-traffic APIs with sensitive operations).
- JSON-formatted alarm logs must be ingested by downstream SIEM/SOC; ensure Logstash, rsyslog, or Flume instances are provisioned and log volume expectations are modeled.
- Stack trace logging can consume significant disk space in high-attack or false-positive scenarios; plan log rotation and retention policies upfront.
When to avoid it — and what to weigh
- Requires PHP 8.0+ or Modern Java Versions — Latest tested versions are PHP 7.4 (2022) and Java application servers from that era. If your stack is PHP 8.1+, Java 17+, or uses cutting-edge frameworks, compatibility is not documented and requires verification.
- Need Active Commercial Support or SLA Guarantees — Latest release is v1.3.7 from January 2022 with no documented security patches or feature releases since. Business inquiries reference a Baidu email address, but no SLA, commercial support tiers, or incident response commitments are stated.
- Low Tolerance for Stale Project Dependencies — While the repository shows recent pushes (October 2025), the latest versioned release is 3+ years old. Depending on your security and compliance posture, this lag may require internal security review before adoption.
- Microservices or Containerized Deployment at Scale — OpenRASP is designed for monolithic or traditional application server deployments. Kubernetes, service mesh, or highly distributed architectures require custom integration and operational overhead not clearly documented.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and liability disclaimers.
Apache-2.0 permits commercial deployment without royalties or licensing fees. However, no formal commercial support, warranty, or SLA is documented from the Baidu project. Organizations using OpenRASP in production should evaluate their own indemnification, compliance, and support requirements independently, and consider establishing internal expertise or consulting relationships.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Moderate |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | Medium |
OpenRASP intercepts sensitive operations (database, file, network) at runtime, so the agent itself becomes a target for privilege escalation or bypass attacks. Code review is recommended before production deployment. The project does not publish a security policy or vulnerability reporting process; potential issues should be raised privately via the listed email contact. Lack of recent security updates relative to 2022 release suggests any vulnerabilities found after that date may not be patched in the mainline.
Alternatives to consider
Contrast Security Assess / Protect
Commercial RASP/IAST with broader language support, active development, and vendor SLA. Recommended if your budget allows and you require production support and frequent updates.
Imperva WAF / ModSecurity
Network-layer WAF solutions that require no agent installation. Trade-off: less context-aware detection than RASP, but simpler deployment and lower operational overhead for signature-based threat blocking.
Java/PHP-Native Frameworks (Spring Security, Symfony Security)
If your applications are new or refactorable, framework-level security controls may provide equivalent protection with tighter integration. Less suitable for legacy monoliths.
Build on openrasp with DEV.co software developers
OpenRASP offers context-aware threat detection for legacy Java and PHP deployments without code changes. Review its 3+ year release cycle, platform compatibility, and plugin model to determine fit for your RASP strategy. Consult with application server and security operations teams before production rollout.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
openrasp FAQ
Does OpenRASP work with Java 17+ or PHP 8.1+?
Is there commercial support available?
How does OpenRASP differ from a WAF?
What is the performance impact?
Work with a software development agency
Need help beyond evaluating openrasp? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Evaluate OpenRASP for Your Security Stack
OpenRASP offers context-aware threat detection for legacy Java and PHP deployments without code changes. Review its 3+ year release cycle, platform compatibility, and plugin model to determine fit for your RASP strategy. Consult with application server and security operations teams before production rollout.