The evolution of WAF and RASP
Rami McCarthy did a great post last month touching on some of the history of RASP. I thought the post was great and did a great job focusing on the competitive landscape, industry factors, and technical barriers to entry. In this post, I wanted to dig deeper into the future of both WAF and RASP in the modern era.
A new wave of appsec technology
eBPF is making things easier
Recent platform technology advancements in cloud observability (Hi, eBPF) have now made it easier for security teams and security vendors to access even more security context with which to detect threats. Instead of spending cycles finding ways to ingest more data, instrument application behavior, and update routing configuration settings, security teams and tools can now rely on largely open source technologies to deploy sensors and gather information.
For example, eBPF and Kubernetes have driven a new wave of innovation in the WAF space, spawning a wave of API security companies like Impart which offer security teams deep runtime protection just by annotating a Helm chart. These companies are focused on the outcome of blocking attacks via the network, innovating in how they ingest and use additional context from runtime and from the developer lifecycle to better inform network blocking and rate limiting decisions. The innovation frontier in this space is pushing the limits of network based blocking so that it can utilize the smarts and context of eBPF based detections, while maintaining the proven reliability and predictability of a WAF.
Similarly, eBPF has also driven a refresh of the RASP market, with a new generation of ADR companies promising the same outcomes as RASP (host based blocking) except with easier to install instrumentation methods such as eBPF, which can also be installed through annotations in a Helm chart. The frontier of innovation in this space will be to evolve the RASP approach into something that is easier to install, maintain, and troubleshoot for both security and engineering teams.
Lastly, SAST/DAST has also been transformed by eBPF, with SAST/DAST scanners becoming more aware of what is happening at the network level. This allows SAST/DAST tests to become more targeted and relevant, which makes the testing process more efficient for security teams. The frontier of innovation in this space is whether these test findings can be made relevant and actionable enough to improve time to remediation, which has traditionally been an industry challenge, with the mean time to remediate vulnerabilities being 270 days according to Dark Reading.
Convergence of Outcomes
While there are a lot of companies running towards eBPF as a core enabling technology, what still matters to security teams is the outcomes they can achieve with whatever tools they are using. And with eBPF as a whole making it easier and easier to get visibility into a wide range of application context, we are starting to see the consolidation and convergence of many of those outcomes.
For example, let's start with SAST/DAST. Though these two things are categorically different, with SAST traditionally examining source code through static testing, and DAST examining live applications through dynamic testing, they ultimately produce the same outcome, which is to "find application vulnerabilities." This is the same outcome for a security team, even though there are two categories. Similarly, WAF and RASP produce the same outcome. Though WAF is traditionally a network based security control and RASP is traditionally a host based control, both WAF and RASP produce the same outcome, which is to "stop application attacks." Two categories, one outcome.
What we are seeing from industry analysts is that these outcomes are already being consolidated into a new platform category, ASPM, with many vendors offering both SAST and DAST functionality, as well as many other types of scanners like SCA, IAST, and secrets scanning.
On the "stop application attacks" security outcome side, we have not yet seen Gartner consolidate the two categories that share this outcome (WAF and RASP) into a single category. We have seen some incremental changes, with WAF evolving to WAAP as APIs become the dominant volume of internet traffic. We have also seen a revamp of the RASP concept, with RASP being reborn as ADR due to the innovations in eBPF.
It is clear that these segments have the same outcome, and so it is obvious that these two categories are going to converge in the near future. What remains to be seen is which approach is going to win at solving for the security outcome of "stop application attacks," and what the proper classification of tools that provide this outcome should be. WAF/WAAP? RASP/ADR? CNAPP/CWPP? The jury is still out and there are problems with many of the existing categories - WAAPs traditionally lack the full app context, ADRs are still emerging, CNAPPs/CWPPs rely on WAFs to actually block attacks, etc.
Will the increased application context that eBPF can offer make network blocking the de-facto approach? Or will the improvements in instrumentation make host/application based blocking the new standard? Or will integrations and web-hooks with WAFs win the day?
Ultimately the winner in this market is going to be the company and the approach that can deliver the security outcome of "stop application attacks" with the highest cost for attackers, the lowest cost for security teams, and the lowest cost for engineering teams.