I have found at least one common theme while working with different WAF solutions over the past 17 years. The first expectation of any WAF is not to block attacks. It is to not break the application. If a WAF impedes application functionality and negatively impacts the revenue the application is generating then the WAF’s primary functions don’t mean anything.

‍Darwin, Phillip, James, and Brian separate hype from reality for LLMs in application security today, how things are evolving on the front lines, and the future off the appsec role from the expert perspectives of Industry Analyst, Security Practitioner, SDLC founder, and Runtime founder.

The perceptions of the API security market have really shifted since we started Impart Security three years ago. When we first started Impart, API security was a new market; there were many different opinions about what API security was, how to approach the problem, and what good API security looked like. I remember back in 2020, although most security teams I spoke with thought of API security as a critical part of their security program, those same teams also had very different views of what specific problems and urgent pain points needed to be addressed. In this post I’ll unpack the current state of the API security market, where it’s going, and how security teams should be implementing it with API-first runtime protection.