Web app and API protection (WAAP) refers to an integrated set of security services that work together to mitigate security risks from APIs and web applications.
WAAP solutions protect against application security risks from vulnerability exploits, bots, automated attacks, denial of service, fraud and abuse, and insecure third-party API integrations.
Integrated security controls allow organizations to improve visibility with actionable insights that can stop specific attacks as well as identify coordinated threat campaigns that span multiple threat vectors.
Engaging customers with compelling and secure digital experiences is a business imperative and a key focus for security and risk leaders. The risk vs. reward calculus that attempts to balance security and usability has never been as difficult, important, or lucrative as it is now in the modern digital economy.
Unprecedented choice, low customer tolerance for friction or failure, and increasing regulatory implications are changing the perspective of security from a cost center to a competitive digital differentiator. Additionally, applications are increasingly decentralized and distributed, deployed across heterogeneous and multi-cloud architectures, and integrated within complex software supply chains and CI/CD pipelines.
Figure 1: apps are increasingly decentralized and distributed
The growing sophistication of bots and automated attacks and the proliferation of API endpoints from increased mobile app usage and modern app development dramatically expand the threat surface and introduce unforeseen risk from third-party integrations.
The industrialized attack lifecycle begins with automation and ends with account takeover and fraud.
Figure 2: application attacks are persistent and sophisticated
A WAAP solution represents the evolution of the WAF market into adjacent areas, specifically bot management, API security, and DDoS mitigation.
A WAF that integrates with cloud-based DDoS scrubbing centers historically qualified as WAAP, whether the WAF was a hardware or virtual appliance in a data center, private cloud, or public cloud. However, the market is at an inflection point where many organizations will prefer cloud-based WAAP platforms, in the form of as-a-Service security.
There are several drivers that are increasing interest in cloud-based WAAP platforms:
Appliance-based WAFs that integrate with cloud-based security services that focus on business outcomes will continue as viable, even preferred, options in highly regulated industries like Banking and Financial Services (BFSI).
WAAP solutions mitigate the risk of compromise, data exfiltration, account takeover, and application downtime by integrating various security controls to protect applications, including:
WAAP solutions are available in several form factors:
WAAP solutions also include client-side security to detect malicious scripts/skimming (such as Magecart attacks), security controls to prevent attacks through malicious aggregators, and account protection that prevents account takeover from manual fraud.
Application Infrastructure Protection (AIP) solutions further strengthen app security and improve remediation through dynamic vulnerability discovery and cloud workload security—preventing exploitation and abuse of underlying infrastructure via integration with WAAP controls.
F5 Distributed Cloud WAAP fits natively into any architecture, cloud, and operating model, providing security and risk teams with universal visibility and consistent policy enforcement to protect legacy and modern apps from core to cloud to edge. Distributed Cloud WAAP solutions offer flexibility and choice with respect to deployment model and operating model.
Unparalleled observability coupled with a large real-world data lake and machine learning algorithms enables F5 customers to adopt AI-based Value-Added Services (VAS), for example, Authentication Intelligence, which optimizes legitimate customer transactions by improving personalization and removing friction to increase retention, conversion, and loyalty.