OpenRASP is one of the most widely used open-source Runtime Application Self-Protection (RASP) solutions, developed and maintained by the Baidu security team, with about 3k GitHub stars and 623 forks.
GitHub: baidu/openrasp | Last Release: v1.3.7 (January 2022)
What is OpenRASP?
OpenRASP (Open-source Runtime Application Self-Protection) is a free, open-source security solution that protects applications from attacks at runtime.
It hooks into the application runtime to monitor and block malicious operations.
Unlike commercial RASP solutions, OpenRASP provides core protection capabilities without licensing costs, making it accessible for organizations of all sizes.
Key Features
Plugin-Based Detection
OpenRASP uses a plugin architecture for attack detection:
- JavaScript plugins define detection logic
- Easy to customize and extend
- Community-contributed plugins available
Supported Attack Types
OpenRASP protects against:
- SQL injection
- Command injection
- File operations attacks
- XXE (XML External Entity)
- SSRF (Server-Side Request Forgery)
- Deserialization attacks
Cloud Management Console
OpenRASP includes a management console for:
- Centralized policy management
- Attack event visualization
- Agent status monitoring
- Report generation
How It Works
OpenRASP instruments the application runtime using Java Agent technology (for Java) or PHP extensions:
Application Runtime
└── OpenRASP Agent
    ├── Hooks security-sensitive functions (SQL, command execution, file access, network, deserialization)
    ├── Executes JavaScript detection plugins against each hooked call
    └── Blocks or logs malicious operations according to the plugin verdict
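As an added example (not code from the OpenRASP project or its official plugin), the snippet below shows what a detection plugin in this architecture looks like and how the hook-then-plugin-then-verdict flow plays out. The RASP class is a constructed stand-in for the agent's dispatcher; the plugin.register(hookType, callback) call, the hook names sql and command, the params.query / params.command fields and the {action, message, confidence} return shape are assumed to follow OpenRASP's plugin convention but are not taken from its source. The SQL and command heuristics are deliberately simplified, and the sample inputs are constructed.

```javascript
'use strict';

// Constructed stand-in for the agent side of OpenRASP. The real engine runs
// inside the Java agent / PHP extension; this stub only reproduces the
// register-and-dispatch shape so the plugin logic below can run offline.
class RASP {
  constructor(name) {
    this.name = name;
    this.hooks = {};
  }
  // Assumed plugin API shape: plugin.register(hookType, callback), where the
  // callback receives the hooked call's parameters and the request context.
  register(type, fn) {
    (this.hooks[type] = this.hooks[type] || []).push(fn);
  }
  // Called when a hooked function fires. The first non-ignore verdict wins,
  // giving the block / log / continue outcome the agent then acts on.
  check(type, params, context = {}) {
    for (const fn of this.hooks[type] || []) {
      const verdict = fn(params, context);
      if (verdict && verdict.action !== 'ignore') return verdict;
    }
    return { action: 'ignore' };
  }
}

// Replace quoted string literals (including '' escapes) with a placeholder so
// the checks see query structure rather than user data.
function stripLiterals(query) {
  return query.replace(/'(?:[^']|'')*'/g, "'?'");
}

// Simplified SQL injection heuristics (not the official plugin's analysis):
// stacked statements, UNION SELECT, constant tautologies, and comments that
// typically truncate the rest of the original query.
function sqlVerdict(query) {
  const q = stripLiterals(query.toLowerCase());
  if (/;\s*(select|insert|update|delete|drop|alter|exec)\b/.test(q)) {
    return { action: 'block', message: 'stacked query', confidence: 90 };
  }
  if (/\bunion\s+(all\s+)?select\b/.test(q)) {
    return { action: 'block', message: 'UNION-based injection', confidence: 85 };
  }
  if (/\b(\d+)\s*=\s*\1\b/.test(q) || /'\?'\s*=\s*'\?'/.test(q)) {
    return { action: 'block', message: 'constant tautology', confidence: 80 };
  }
  // A comment is suspicious but also appears in legitimate SQL, so only log it.
  if (/--|#|\/\*/.test(q)) {
    return { action: 'log', message: 'comment in query', confidence: 40 };
  }
  return { action: 'ignore' };
}

// Command injection heuristic: shell metacharacters that chain or substitute
// commands have no business in an argument that came from a request.
function commandVerdict(command) {
  if (/[;&|`\n]|\$\(/.test(command)) {
    return { action: 'block', message: 'shell metacharacter in command', confidence: 90 };
  }
  return { action: 'ignore' };
}

const plugin = new RASP('example-plugin');

// Hook names and parameter fields (params.query, params.command) are assumed
// here to follow the OpenRASP plugin convention; context carries request data.
plugin.register('sql', (params, context) => sqlVerdict(params.query));
plugin.register('command', (params, context) => commandVerdict(params.command));

// Constructed sample operations, as the agent would hand them to the plugin.
const samples = [
  ['sql', { query: "SELECT * FROM users WHERE name = 'alice'" }],
  ['sql', { query: "SELECT * FROM users WHERE name = '' OR 1=1 --'" }],
  ['sql', { query: 'SELECT id FROM t; DROP TABLE users' }],
  ['sql', { query: 'SELECT * FROM t WHERE id = 5 -- admin only' }],
  ['command', { command: 'ls -la /tmp' }],
  ['command', { command: 'ping -c 1 8.8.8.8; cat /etc/passwd' }],
];

for (const [type, params] of samples) {
  const v = plugin.check(type, params, { url: '/search' });
  console.log(`${type.padEnd(7)} ${v.action.padEnd(6)} ${v.message || ''}`);
}
```

The point to take from the harness is the verdict ordering: a hook with no registered check falls through to ignore, a check that returns log lets the request continue but records it, and the first block verdict ends evaluation. Real plugins get richer context (URL, parameters, headers) and the official plugin tokenises SQL instead of pattern-matching it, but the register-and-return contract is the same.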
Installation
Java Applications
Add the OpenRASP agent to your Java application:
# Download OpenRASP
wget https://github.com/baidu/openrasp/releases/latest/download/rasp-java.tar.gz
tar -xzf rasp-java.tar.gz
# Install into the application server (Tomcat here); the server must be restarted afterwards
java -jar RaspInstall.jar -install /path/to/tomcat
PHP Applications
Install the PHP extension:
# Download the latest PHP release from GitHub Releases page
# https://github.com/baidu/openrasp/releases
wget https://github.com/baidu/openrasp/releases/download/v1.3.7/rasp-php-linux.tar.bz2
tar -xjf rasp-php-linux.tar.bz2
# Run the OpenRASP installer
php rasp-php-*/install.php -d /opt/rasp
Configuration
OpenRASP is configured through openrasp.yml in the agent's conf directory. The block settings control what a blocked request receives (here an HTTP 302 redirect to a block page), and inject.urlprefix sets where the injected client-side script is served from. The same settings, shown as nested JSON for readability (openrasp.yml itself uses dotted keys such as block.status_code):
{
"block": {
"status_code": 302,
"redirect_url": "/blocked.html"
},
"inject": {
"urlprefix": "https://cdn.example.com/openrasp"
}
}
Limitations
- Currently supports Java and PHP only
- Requires application restart for installation
- Some performance overhead (typically 1-5%)
- Documentation and community discussion are primarily in Chinese
Why the project stopped
OpenRASP was developed by Baidu’s Xteam security research group and released under a BSD 3-Clause license in 2017. Its last tagged release on GitHub is v1.3.7 from January 2022. Since then, the repository has seen occasional plugin updates from the community but no new agent releases or JVM compatibility fixes.
The slowdown tracks with Baidu’s broader security-team reorganization in 2022. Several maintainers moved to internal projects or left the company, and no corporate successor picked the codebase up. The cloud console component (openrasp-cloud) still runs for existing deployments but is not being actively developed.
Because RASP agents hook into JVM and PHP runtime internals, staying on an unmaintained agent carries risk: each new Java release, each security advisory in the agent's bundled dependencies, and each change in application-server internals needs a matching agent update, and nobody is producing them.
When to Use OpenRASP
OpenRASP is ideal for organizations wanting open-source RASP protection for Java or PHP environments.
Teams comfortable with self-hosted security tools and budget-conscious programs may find value, though the project’s inactivity since 2022 should be considered. For actively maintained alternatives, see Contrast Protect or Datadog ASM.