Web app and API protection (WAAP) refers to an integrated set of security services that work together to mitigate security risks from APIs and web applications.
WAAP solutions protect against application security risks from vulnerability exploits, bots, automated attacks, denial of service, fraud and abuse, and insecure third-party API integrations.
Integrated security controls allow organizations to improve visibility with actionable insights that can stop specific attacks as well as identify coordinated threat campaigns that span multiple threat vectors.
Engaging customers with compelling and secure digital experiences is a business imperative and a key focus for security and risk leaders. The risk vs. reward calculus that attempts to balance security and usability has never been as difficult, important, or lucrative as it is now in the modern digital economy.
Unprecedented choice, low customer tolerance for friction or failure, and increasing regulatory implications are changing the perspective of security from a cost center to a competitive digital differentiator. Additionally, applications are increasingly decentralized and distributed, deployed across heterogeneous and multi-cloud architectures, and integrated within complex software supply chains and CI/CD pipelines.
Figure 1: Apps are increasingly decentralized and distributed
The growing sophistication of bots and automated attacks and the proliferation of API endpoints from increased mobile app usage and modern app development dramatically expand the threat surface and introduce unforeseen risks from third-party integrations.
The industrialized attack lifecycle begins with automation and ends with account takeover and fraud.
Figure 2: Application attacks are persistent and sophisticated
A WAAP solution represents the evolution of the WAF market into adjacent areas, specifically bot management, API security, and DDoS mitigation.
A WAF that integrates with cloud-based DDoS scrubbing centers historically qualified as WAAP, whether the WAF was a hardware or virtual appliance in a data center, private cloud, or public cloud. However, the market is at an inflection point where many organizations will prefer cloud-based WAAP platforms, in the form of as-a-Service security.
There are several drivers that are increasing interest in cloud-based WAAP platforms:
Appliance-based WAFs that integrate with cloud-based security services that focus on business outcomes will remain viable, even preferred, options in highly regulated industries like Banking and Financial Services (BFSI).
Effectiveness and ease of use are often cited as key buying criteria for WAAP.
Best-in-class WAAP helps organizations improve their security posture at the speed of business, mitigate compromise without friction or excessive false positives, and reduce operational complexity to consistently protect hybrid, multi-cloud architectures from critical vulnerabilities, business logic abuse, and unforeseen risk.
Key capabilities include:
WAAP solutions mitigate the risk of compromise, data exfiltration, account takeover, and application downtime by integrating various security controls to protect applications, including:
WAAP solutions are available in several form factors:
WAAP solutions also include client-side security to detect malicious scripts/skimming (such as Magecart attacks), security controls to prevent attacks through malicious aggregators, and account protection that prevents account takeover from manual fraud.
Application Infrastructure Protection (AIP) solutions further strengthen app security and improve remediation through dynamic vulnerability discovery and cloud workload security—preventing exploitation and abuse of underlying infrastructure via integration with WAAP controls.
F5 WAAP solutions fit natively into any architecture, cloud, and operating model, providing security and risk teams with universal visibility and consistent policy enforcement to protect legacy and modern apps from core to cloud to edge. F5 WAAP solutions offer flexibility and choice with respect to deployment model and operating model.
F5 Distributed Cloud WAAP provides unparalleled observability, which, coupled with a large real-world data lake and machine learning algorithms, enables F5 customers to adopt AI-based Value-Added Services (VAS). One example is Authentication Intelligence, which optimizes legitimate customer transactions by improving personalization and removing friction to increase retention, conversion, and loyalty.