Modern apps require an advanced set of capabilities in order to sufficiently protect their entire threat surface. Web app firewalls (WAFs) still play a role, but as apps evolve and APIs persist, more is needed to monitor, track, and secure the entire app surface including a growing web of API connections.
Some Potential Limitations of WAFs in Supporting API Security
While WAFs are valuable tools for API security, not all WAFs are created equal, with some having limitations when it comes to protecting APIs. Such limitations could include:
- Handling Complex API Authorization: APIs often employ authorization mechanisms that go beyond the traditional session-based authentication used in web applications. WAFs may struggle to handle authorization schemes such as OAuth 2.0, JWT (JSON Web Tokens), or custom token-based authentication.
- Analyzing Protocol and Payload Variations: APIs can utilize various protocols (REST, GraphQL, SOAP) and payload formats (JSON, XML) with different data structures and schemas. WAFs may have limited support for parsing and validating these variations, potentially leading to limited visibility and more false positives—or false negatives—in threat detection.
- Rate Limiting: API rate limiting is crucial to protect against abusive behavior and API resource exhaustion. WAFs may face difficulties in accurately rate limiting API traffic due to the dynamic nature of API requests and the requirement for rate limiting based on API-specific parameters.
- Insights into API-Specific Attacks: APIs are susceptible to specific attack vectors such as parameter pollution, API-specific injection attacks, or API abuse scenarios. WAFs may not have specialized rules or heuristics to effectively detect and mitigate these API-specific attacks.
- API Management Functionality: WAFs focus primarily on security aspects and may lack the comprehensive API management capabilities required for API governance, documentation, versioning, and developer portal functionalities.
Augmenting WAFs for API Security
It’s important to note that while WAFs remain the cornerstone of app security and are a foundational layer for protecting APIs, more is necessary. Organizations are considering and implementing a variety of approaches, for a mix of reasons—cost, complexity, misconceptions and misunderstandings about how to adequately secure APIs, and more. Many organizations are augmenting their existing WAFs with API gateways to create, manage, and publish their APIs while enforcing usage policies and controlling access. This is a good starting point but still leaves a lot of gaps in API security posture.
So, what’s next? How does one deal with unknown (shadow) APIs? What about granular API endpoint control? What about third-party APIs you don’t necessarily control? Take just the first of these challenges: shadow APIs. These can lead an organization to seek out a specialized API discovery and vulnerability tool to add to the mix as it works to cover all API bases.
Do you see where this is going? Things get very complex very quickly. Some organizations with budget, expertise, and resources prefer a best-of-breed approach, but for most, covering the API security threat surface with a patchwork of different solutions only perpetuates one of the biggest security challenges which is COMPLEXITY. Adding more point solutions can get untenable fast, not to mention making effective monitoring and visibility quite difficult.
How WAAPs Can Help – Delivering Comprehensive App and API Security
Enter web app and API protection (WAAP) solutions. Why stack more independent technologies, likely from different vendors and unable to correlate their insights cohesively, onto your already complex app security ecosystem? Hence the evolution toward (and development of) WAAP offerings. Modern WAAP solutions can be part of the answer to the security needs of modern, microservices-based, multi-cloud and hybrid app environments, combining the capabilities found within traditional WAFs with specialized functions that are critical for monitoring and securing APIs—all in one consolidated solution (often delivered as SaaS).
Common Misconceptions about WAAPs and their Ability to Monitor and Protect APIs
One misconception about WAAPs is that they lack the functionality necessary to deliver comprehensive API security. Some of the myths you may have heard include that WAAPs can’t monitor and track APIs over time and identify anomalies, that they lack advanced learning capabilities to keep track of new and changing app and API endpoints, or that they can’t track and discern end-user intent.
These are simply untrue. Many modern WAAP solutions like F5 Distributed Cloud WAAP are developed with AI/ML capabilities that power critical API security functions like API auto-discovery, schema enforcement, user and API anomaly detection, and more. And unlike many API-only security point products, which rely on out-of-band analysis, WAAP solutions analyze and block app and API traffic within a single inline solution. There’s no need to stream or mirror data to a separate solution (or solutions), which can delay analysis, detection, and mitigation of threats.
To learn more about F5 Distributed Cloud WAAP and its API security capabilities, check out our website and a short demo of the solution in action.