Modern apps require an advanced set of capabilities in order to sufficiently protect their entire threat surface. Web app firewalls (WAFs) still play a role, but as apps evolve and APIs persist, more is needed to monitor, track, and secure the entire app surface including a growing web of API connections.
While WAFs are valuable tools for API security, not all WAFs are created equal, with some having limitations when it comes to protecting APIs. Such limitations could include:
It’s important to note that while WAFs remain the cornerstone of app security and a foundational layer for protecting APIs—more is necessary. Organizations are considering and implementing a variety of approaches, for a mix of reasons—cost, complexity, misconceptions and misunderstandings about how to adequately secure APIs, and more. Many organizations are augmenting their existing WAFs with API gateways to create, manage, and publish their APIs while enforcing usage policies and controlling access. This is a good starting point, but it still leaves a lot of gaps in API security posture.
So, what’s next? How does one deal with unknown/shadow APIs? What about granular API endpoint control? What about third-party APIs you don’t necessarily control? Take just the first of these challenges, the unknown or shadow APIs. These can lead an organization to go search out a specialized API discovery and vulnerability tool to add to the mix as they work to cover all API bases.
Do you see where this is going? Things get very complex very quickly. Some organizations with budget, expertise, and resources prefer a best-of-breed approach, but for most, covering the API security threat surface with a patchwork of different solutions only perpetuates one of the biggest security challenges which is COMPLEXITY. Adding more point solutions can get untenable fast, not to mention making effective monitoring and visibility quite difficult.
Enter web app and API protection (WAAP) solutions. Why would you add to your already complex app security ecosystem more independent technologies, likely from different vendors, that do not correlate insights cohesively? Hence the evolution toward (and development of) WAAP offerings. Modern WAAP solutions can be part of the answer security needs for modern, microservices-based, multi-cloud and hybrid app environments, combining the capabilities found within traditional WAFs with specialized functions that are critical for monitoring and securing APIs—all in one consolidated solution (often delivered as SaaS).
There are misconceptions that WAAPs lack the necessary functionality to deliver comprehensive API security. Some of the myths you may have heard include that WAAPs can’t monitor and track APIs over time and identify anomalies, that they lack advanced learning capabilities to keep track of new and changing app and API endpoints, or that they can’t track and discern end user intent.
These are simply untrue. Many modern WAAP solutions like F5 Distributed Cloud WAAP are developed with AI/ML capabilities that power critical API security functions like API auto-discovery, schema enforcement, user and API anomaly detection, and more. Unlike many API-only security point products, which rely on out-of-band analysis, WAAP solutions perform traffic analysis and blocking of app and API traffic within a single inline solution. There’s no need to stream or mirror data to a separate solution (or solutions), which can delay analysis, detection, and mitigation of threats.
To learn more about F5 Distributed Cloud WAAP and its API security capabilities, check out our website and a short demo of the solution in action.