Imperva revealed it plans to more closely align application and data security after acquiring Prevoty, provider of runtime application self-protection (RASP) software designed to be embedded in an application. The all-cash transaction, expected to close in the third quarter of this year, is valued at $140 million.
Eldad Chai, vice president of product management for Imperva, said the eventual integration of (RASP) software with the application and database security software from Imperva will significantly advance DevSecOps.
Imperva will continue to make the Prevoty RASP software available, he said, but over time will move to converge the management of all its software under a single pane of glass. RASP software embeds agents in applications and can detect and prevent cybersecurity attacks in real time. It also creates a baseline for normal application behavior: Any deviation from the baseline that results in a new system call being made by that application is assumed to be a breach and automatically prevented.
Imperva acquired Prevoty in part because the RASP software it developed is based on agent software that is lightweight enough to work within the context of a microservices-based application environment, Chai said. As organizations embrace modern application development processes based on microservices, Chai said it’s important for security polices to remain attached to them even as those microservices shift or are updated across an extended enterprise.
In theory at least, reliance on microservices should result in more secure applications. Not only can security policies remain attached to the microservice, any microservice based on containers is easier to update. Rather than having to patch an entire monolithic application, developers can simply rip and replace any container in which a vulnerable piece of code might have been inadvertently packaged.
As DevSecOps evolves, Chai said it’s becoming more apparent developers are assuming more responsibility for securing applications, while cybersecurity and IT operations teams remain responsible for crafting cybersecurity policies. Adoption of DevSecOps processes inside most organizations today is nascent. In addition to transforming the cybersecurity culture of an organizations, DevSecOps typically requires organizations to adopt a range of cybersecurity tools that can be accessed programmatically via application programming interfaces (APIs). The average developer has little to no interest learning a graphical user interface (GUI) that most cybersecurity professionals today rely on to secure IT environments.
In general, Imperva expects that more focus on application security will drive additional interest in securing the data those applications reside on, Chai said. Many IT organizations historically have focused on securing perimeters. Once those defenses are bypassed, cybercriminals often discover that data within enterprise systems is often unprotected.
As cybercriminals become more adept at targeting specific applications, it’s clear that any layered defense approach to cybersecurity needs to be extended to include applications and data. The simple fact of the matter is that there’s not enough cybersecurity expertise available inside most organizations to accomplish that mission. That means application developers almost by definition need to become an integral element of any cybersecurity strategy.