Merge WAF and RASP categories into Runtime Application Security

Fabio Busatto requested to merge update-secure-categories into master

Description

We have two categories in the Secure stage that are very similar in scope: Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP).

They both focus on actively blocking attacks and preventing unauthorized access to deployed applications, instead of reporting problems in a "passive" way. This is very different from the approach Application Security Testing (SAST, DAST, etc.) has.

They are often considered together, and RASP as an evolution of WAF. They are also bundled together in the same product (e.g., SignalSciences.com).

Another business case in favor of this merge is that Imperva (WAF vendor) recently acquired Prevoty (RASP vendor).

We don't want to call it just WAF, because it will confuse users who will think it is "just" a traditional WAF, while it is more.

Proposal

The proposal here is to merge the WAF and RASP categories into Runtime Application Security, which can be further expanded with other runtime-related features.

Note

This MR previously addressed a wider change that has been decoupled into other MRs.

Edited by Fabio Busatto