DEV.co
Open-Source Security · baidu

openrasp

OpenRASP is an open-source Runtime Application Self-Protection (RASP) solution that hooks into application servers to detect and block attacks at execution time. It monitors database queries, file operations, and network requests, offering context-aware threat detection with lower false positives than perimeter-based WAF solutions.

Source: GitHub — github.com/baidu/openrasp
3k
GitHub stars
621
Forks
C++
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorybaidu/openrasp
Ownerbaidu
Primary languageC++
LicenseApache-2.0 — OSI-approved
Stars3k
Forks621
Open issues62
Latest releasev1.3.7 (2022-01-28)
Last updated2025-10-02
Sourcehttps://github.com/baidu/openrasp

What openrasp is

Written in C++, OpenRASP instruments Java and PHP application servers (Tomcat, JBoss, Jetty, Resin, SpringBoot, WebLogic for Java; PHP 5.3–7.4) to intercept sensitive function calls and examine inputs before they execute. It logs alarms in JSON format compatible with standard log aggregation tools (Logstash, rsyslog, Flume), with reported performance overhead of 1–4% in stress tests.

Quickstart

Get the openrasp source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/baidu/openrasp.gitcd openrasp# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Legacy Java Application Security Hardening

Organizations running Tomcat, JBoss, or WebLogic instances can deploy OpenRASP as an in-process agent to detect SQL injection, command injection, and file-access attacks without application code changes. Particularly valuable for monolithic enterprise Java stacks where WAF rules alone are insufficient.

Context-Aware IAST / RASP Integration in DevSecOps Pipelines

Teams needing detailed stack traces and forensic context for security incidents benefit from OpenRASP's hook-based approach. Logs integrate directly with SIEM/SOC platforms and enable rapid incident response analysis compared to signature-based WAF alerts.

PHP Application Runtime Threat Detection

PHP 5.3–7.4 deployments can leverage OpenRASP to monitor database operations, file I/O, and network calls at the interpreter level, bridging the gap between WAF and code-level security controls for shared-hosting or multi-tenant environments.

Implementation considerations

  • Agent installation is application-server-specific (separate modules for Tomcat, JBoss, Jetty, Resin, SpringBoot, WebLogic, WebSphere); plan for per-server configuration and testing.
  • Plugin development is required to define detection rules beyond defaults; baseline effort is low but operational tuning to minimize false positives in production is ongoing.
  • Performance overhead is stated as 1–4% in controlled tests; validate in your own load profile, especially if hooks are frequently triggered (high-traffic APIs with sensitive operations).
  • JSON-formatted alarm logs must be ingested by downstream SIEM/SOC; ensure Logstash, rsyslog, or Flume instances are provisioned and log volume expectations are modeled.
  • Stack trace logging can consume significant disk space in high-attack or false-positive scenarios; plan log rotation and retention policies upfront.

When to avoid it — and what to weigh

  • Requires PHP 8.0+ or Modern Java Versions — Latest tested versions are PHP 7.4 (2022) and Java application servers from that era. If your stack is PHP 8.1+, Java 17+, or uses cutting-edge frameworks, compatibility is not documented and requires verification.
  • Need Active Commercial Support or SLA Guarantees — Latest release is v1.3.7 from January 2022 with no documented security patches or feature releases since. Business inquiries reference a Baidu email address, but no SLA, commercial support tiers, or incident response commitments are stated.
  • Low Tolerance for Stale Project Dependencies — While the repository shows recent pushes (October 2025), the latest versioned release is 3+ years old. Depending on your security and compliance posture, this lag may require internal security review before adoption.
  • Microservices or Containerized Deployment at Scale — OpenRASP is designed for monolithic or traditional application server deployments. Kubernetes, service mesh, or highly distributed architectures require custom integration and operational overhead not clearly documented.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and liability disclaimers.

Apache-2.0 permits commercial deployment without royalties or licensing fees. However, no formal commercial support, warranty, or SLA is documented from the Baidu project. Organizations using OpenRASP in production should evaluate their own indemnification, compliance, and support requirements independently, and consider establishing internal expertise or consulting relationships.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceModerate
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceMedium
Security considerations

OpenRASP intercepts sensitive operations (database, file, network) at runtime, so the agent itself becomes a target for privilege escalation or bypass attacks. Code review is recommended before production deployment. The project does not publish a security policy or vulnerability reporting process; potential issues should be raised privately via the listed email contact. Lack of recent security updates relative to 2022 release suggests any vulnerabilities found after that date may not be patched in the mainline.

Alternatives to consider

Contrast Security Assess / Protect

Commercial RASP/IAST with broader language support, active development, and vendor SLA. Recommended if your budget allows and you require production support and frequent updates.

Imperva WAF / ModSecurity

Network-layer WAF solutions that require no agent installation. Trade-off: less context-aware detection than RASP, but simpler deployment and lower operational overhead for signature-based threat blocking.

Java/PHP-Native Frameworks (Spring Security, Symfony Security)

If your applications are new or refactorable, framework-level security controls may provide equivalent protection with tighter integration. Less suitable for legacy monoliths.

Software development agency

Build on openrasp with DEV.co software developers

OpenRASP offers context-aware threat detection for legacy Java and PHP deployments without code changes. Review its 3+ year release cycle, platform compatibility, and plugin model to determine fit for your RASP strategy. Consult with application server and security operations teams before production rollout.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

openrasp FAQ

Does OpenRASP work with Java 17+ or PHP 8.1+?
Not documented. Latest tested versions in README are Tomcat/JBoss/WebLogic (circa 2018–2020) and PHP 7.4 (2020). Requires review before upgrading.
Is there commercial support available?
Business inquiries are directed to an openrasp-support email address at Baidu. No SLA, support tiers, or commercial entity is mentioned in public documentation.
How does OpenRASP differ from a WAF?
WAF matches signatures at the network perimeter; OpenRASP hooks into the application to examine inputs in context before they reach sensitive functions. This reduces false positives and logs detailed stack traces for forensics.
What is the performance impact?
Stated as 1–4% overhead in worst-case stress tests (continuous hook triggering). Real-world impact depends on your traffic volume and hook frequency; internal validation is advised.

Work with a software development agency

Need help beyond evaluating openrasp? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Evaluate OpenRASP for Your Security Stack

OpenRASP offers context-aware threat detection for legacy Java and PHP deployments without code changes. Review its 3+ year release cycle, platform compatibility, and plugin model to determine fit for your RASP strategy. Consult with application server and security operations teams before production rollout.