Merge WAF and RASP categories into Runtime Application Security
## Description

We have two categories in the Secure stage that are very similar in scope: Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP).

They both focus on actively blocking attacks and preventing unauthorized access to deployed applications, instead of reporting problems in a "passive" way. This is very different from the approach of Application Security Testing (SAST, DAST, etc.).

They are often considered together, with RASP as an evolution of WAF. They are also bundled together in the same product (e.g., SignalSciences.com).

Another business case in favor of this merge is that Imperva (WAF vendor) recently acquired Prevoty (RASP vendor).

We don't want to call it just WAF, because it would confuse users who would think it is "just" a traditional WAF, while it is more.
## Proposal

The proposal here is to merge the WAF and RASP categories into Runtime Application Security, which can be further expanded with other runtime-related features.
## Note

This MR previously addressed a wider change that has been decoupled into other MRs.
- Add Security Compliance category to Secure (Binary Authorization): !16491 (closed)
- Remove IAST category: !16493 (merged)