Modern API Security Risks and Challenges Solved with Web App and API Protection (WAAP) Solutions

Ian Dinno サムネール
Ian Dinno
Published July 21, 2023

Modern apps require an advanced set of capabilities in order to sufficiently protect their entire threat surface. Web app firewalls (WAFs) still play a role, but as apps evolve and APIs persist, more is needed to monitor, track, and secure the entire app surface including a growing web of API connections.

Some Potential Limitations of WAFs in Supporting API Security

While WAFs are valuable tools for API security, not all WAFs are created equal, with some having limitations when it comes to protecting APIs. Such limitations could include:

  • Handling Complex API Authorization: APIs often employ more complex authorization mechanisms beyond the traditional session-based authentication used in web applications. WAFs may struggle to handle complex authorization schemas such as OAuth 2.0, JWT (JSON Web Tokens), or custom token-based authentication.
  • Analyzing Protocol and Payload Variations: APIs can utilize various protocols (REST, GraphQL, SOAP) and payload formats (JSON, XML) with different data structures and schemas. WAFs may have limited support for parsing and validating these variations, potentially leading to limited visibility and more false positives—or false negatives—in threat detection.
  • Rate Limiting: API rate limiting is crucial to protect against abusive behavior and API resource exhaustion. WAFs may face difficulties in accurately rate limiting API traffic due to the dynamic nature of API requests and the requirement for rate limiting based on API-specific parameters.
  • Insights into API-Specific Attacks: APIs are susceptible to specific attack vectors such as parameter pollution, API-specific injection attacks, or API abuse scenarios. WAFs may not have specialized rules or heuristics to effectively detect and mitigate these API-specific attacks.
  • API Management Functionality: WAFs focus primarily on security aspects and may lack the comprehensive API management capabilities required for API governance, documentation, versioning, and developer portal functionalities.

Augmenting WAFs for API Security

It’s important to note that while WAFs remain the cornerstone of app security and are a foundational layer to protecting APIs—there is more that’s necessary. Organizations are considering and implementing a variety of approaches, for a mix of reasons—cost, complexity, misconceptions and misunderstandings about how to adequately secure APIs, and more. Many organizations are augmenting their existing WAFs with API gateways to create, manage, and publish their APIs while enforcing usage policies and controlling access. This is a good starting point but still leaves a lot of gaps in API security posture.

So, what’s next? How does one deal with unknown/shadow APIs? What about granular API endpoint control? What about third-party APIs you don’t necessarily control? Let’s just take the challenge with the unknown...shadow APIs. These can lead an organization to go search out a specialized API discovery and vulnerability tool to add in the mix as they work to cover all API bases.

Do you see where this is going? Things get very complex very quickly. Some organizations with budget, expertise, and resources prefer a best-of-breed approach, but for most, covering the API security threat surface with a patchwork of different solutions only perpetuates one of the biggest security challenges which is COMPLEXITY. Adding more point solutions can get untenable fast, not to mention making effective monitoring and visibility quite difficult.

How WAAPs Can Help – Delivering Comprehensive App and API Security

Enter web app and API protection (WAAP) solutions. Why would you stack more independent technologies, likely from different vendors, and that do not correlate insights cohesively to your already complex app security ecosystem? Hence the evolution toward (and development of) WAAP offerings. Modern WAAP solutions can be part of the answer security needs for modern, microservices-based, multi-cloud and hybrid app environments combining the capabilities found within traditional WAFs with specialized functions that are critical for monitoring and securing APIs—all in one consolidated solution (often delivered as SaaS).

Common Misconceptions about WAAPs and their Ability to Monitor and Protect APIs

There are misconceptions about WAAPs that they lack the necessary functionality to deliver comprehensive API security. Some of the myths you may have heard include that WAAPs can’t monitor and track APIs over time and identify anomalies, that they lack advanced learning capabilities to keep track of new and changing app and API endpoints, or they can’t track and discern end user intent.

These are simply untrue. Many modern WAAP solutions like F5 Distributed Cloud WAAP are developed with AI/ML capabilities that power critical API security functions like API auto-discovery, schema enforcement, user and API anomaly detection, and more. And unlike what is available with many API-only security point products which rely on out-of-band analysis, with WAAP solutions traffic analysis and blocking of app and API traffic happens within a single inline solution. There’s no need to stream or mirror data to a separate solution (or solutions) that can delay analysis, detection, and mitigation of threats.

To learn more about F5 Distributed Cloud WAAP and its API security capabilities, check out our website and a short demo of the solution in action.