Perhaps more than any other analyst in our industry, I’ve been bullish on the prospects for run-time application self-protection (RASP). And I’ve been covering (and admiring) RASP solution provider Prevoty for almost three years. So, when I read that Imperva had acquired Prevoty earlier this year, I was pleased on several fronts – but primarily, because I believe that the broad application security sector must begin to consolidate – and fast.
If you work in enterprise security today, and your job is to protect business applications, then you are presented with a plethora of strategic options that all take magnificently separate routes to the same target destination. For example, you might decide to follow the software process maturity route under the premise that the characteristics of the software development methodology used during DevOps will dictate the quality of what is produced.
Or you might take a more scenic route through the code, either with an automated scanner, or with your human eyeballs. This static approach toward application security is related to decades of work in software quality – and while the advances have been numerous, quite a bit of code remains of questionable correctness, to the delight of attendees at DEFCON each year. This method has thus helped, but not completely solved, the AppSec problem.
More recently, application security has seen the emergence of new routes within carefully-policed walled gardens. Apple serves as the iconic leader along this type of journey. If you have an iPad, for example, then the mobile apps you download are vetted through Cupertino, are never anonymous, and are executed in a highly-restricted run-time environment (think Flash). This approach has great merit, but creates Truman Show-like app bubbles.
The route followed by Prevoty involves embedding software directly into the application to provide behavioral telemetry and real-time mitigation. The telemetry context is valuable to security teams for obvious reasons – and herein lies the potential for Imperva: Data and run-time intelligence from the application environment will enrich the security context for the entire portfolio of Imperva offers – and most obviously, its Web application firewall (WAF).
Here is how I see it: If you buy into the device-to-cloud picture of the emerging enterprise computing world, then you know that security can be enforced through device controls, cloud-hosted app controls, or something in-between. Prevoty sits squarely in the application, and Imperva WAFs sit in-between. Passing accurate telemetry between these control points strikes me as a rational and effective enhancement. More companies should be doing this.
If you are customer of either Prevoty or Imperva, then I would expect that you’ll be pleased with this deal. It introduces no channel conflicts and both companies are well-managed with strong technologists. Expect to see both legacy companies start to offer versions of their existing solutions turbo-charged with context from their new partner. This will be a welcome addition to the tough challenges of any team trying to reduce risk in their applications.
My best wishes to both teams on a successful merger and a profitable engagement moving forward. We’ll keep an eye on the combined team progress and will report here as usual.