Changing Of The Guard: RASP Is Gradually Killing WAF

In last year’s “Vendor Landscape: Runtime Application Self-Protection,” I noted that eventually runtime application self-protection (RASP) would take over from the web application firewall (WAF) as the best way to combat web app attacks. RASP tools have deeper knowledge than WAFs of the applications that they protect, and they can virtually patch vulnerabilities and weaknesses. In an upcoming report, we’re predicting WAF market growth to significantly slow down over the 2021–2023 period as bot management and RASP tools fully cover traditional WAF capabilities. In fact, RASP will experience a healthy 26.2% CAGR in the same period. Likely seeing the same writing on the wall, Imperva jumped on an opportunity.

Imperva Expanded Its Portfolio At The Expense Of Product Clarity

Today, Imperva announced its intention to acquire Prevoty. Prevoty’s sole product is its RASP. Here’s what this acquisition means:

  • Imperva will have the most comprehensive portfolio for runtime protection. With the inclusion of Prevoty’s RASP, Imperva will have the trifecta of runtime application protection: WAF, RASP, and bot management.
  • Prospects will be confused about which product(s) to license. Imperva already has a product positioning problem with two WAF products (Incapsula and SecureSphere) and ineffectual product differentiation based on “context.” With Prevoty’s RASP in the mix, Imperva will need to clearly explain when to use RASP, when to use WAF, and when to use a combination.
  • Customers will demand better bot protection. Imperva does not currently sell bot management separately from its two WAFs and consequently suffers from the same multiple-product syndrome. With the purchase of Prevoty, bot management is now the weakest link in the portfolio.
  • The RASP market is beginning to leave its awkward teenage years behind. Now that we’ve seen the first RASP acquisition, expect more RASP tools to enter the market and push existing RASP tools to mature more quickly. For security pros who were putting off exploring RASP, now is the time. Evaluate tools based on deployment models and source code language support, which varies greatly between vendors.

For more information about RASP, take a look at the following Forrester reports:

  1. Vendor Landscape: Runtime Application Self-Protection
  2. The Forrester New Wave™: Runtime Application Self-Protection, Q1 2018
  3. The State Of Application Security, 2018