Web Application API Protection (WAAP)

<< Back to Technical Glossary

Web Application API Protection (WAAP) Definition

According to Gartner, cloud web application API protection WAAP services are properly defined as an evolution of cloud WAF services. WAAP services combine a subscription model with as-a-service, cloud-delivered deployment of bot mitigation, WAF, API security, and DDoS protection.

Some WAAP security providers offer managed services that are core components of the product. Many vendors offer multiple versions of their WAAP web applications, sometimes divided into highly configurable offerings and ready-to-go, simple-to-use versions.

This image depicts the core components of web application api protection (WAAP): subscription model with as-a-service, cloud-delivered deployment of bot mitigation, WAF, API security, and DDoS protection.

WAAP FAQs

What is Web Application API Protection?

Web applications are a core component of the cloud infrastructure for many organizations. A web application is a program that users can access via a web browser, and it may also provide programmatic access to the application’s key capabilities via application programming interfaces (APIs). For this reason, web applications are central to cloud services, but also present a serious set of performance and security challenges.

Gartner analysts engineers Adam Hils and Jeremy D’Hoinne first coined the term WAAP meaning any suite of cloud-based services designed with the protection of APIs and web applications as their primary goal.

Cloud web application and API protection services offer multiple models for security, based on a multi-tenant, auto-scaling cloud infrastructure. Cloud WAAP security core features include API protection, bot mitigation, protection against DDoS, and web application firewalls WAFs.

Cloud WAAP services sometimes provide additional features that can enhance the performance of web applications. Each module can have its own strategy for security protection.

Why is WAAP Important?

APIs and web applications are a primary target for attackers because they provide access to sensitive data and are available via the public Internet. WAAP is essential because traditional security solutions don’t protect these applications effectively.

WAF vendors are enhancing their cloud WAF tools and services as enterprise web applications evolve by meeting WAAP requirements. There are several reasons why traditional solutions fail to effectively protect web applications:

Port-based blocking is ineffective

Traditional firewalls filter traffic based on ports and protocols in use. However, attackers use the same web ports and protocols as users—such as HTTP(s)—against web APIs and web applications so using this method to filter out malicious traffic alone is unfeasible. To distinguish legitimate traffic from potential attacks against web applications and APIs, a more granular level of inspection is required.

Signature-based attack detection also fails

Threats to web applications change continuously, making signature-based solutions unscalable. WAAP solutions help organizations stay ahead of an application security threat environment that is developing with real-time insights and continuous self-learning.

Encrypted traffic inspection is critical

Over half of all modern web traffic uses TLS encryption, which heightens privacy but presents a challenge for detecting malicious content such as malware. WAAP solutions can identify malicious content and sensitive data hidden in encrypted traffic as they inspect TLS connections.

HTTP traffic is complex

Web apps are involved, and cybercriminals conceal malicious content using this level of complexity. Conventional intrusion detection and prevention systems (IDS/IPS) offer inadequate tools for guarding against these threats.

Cloud hosting architecture is popular

This offers greater benefits, particularly when web applications serve users across disparate geographic regions, minimizing potential latency and bottlenecks. This also prompts solution providers to offer cloud-native application security solutions.

Positive security models have not been effective

WAF technology has demanded serious manual tuning and configuration, rather than learning automatically in real-time to create usable parameters and allow lists for URLs automatically.

Modern web applications change often

DevOps and agile practices mean that modern APIs and web applications are always in flux. The manual tuning and custom rule creation that traditional WAFs demand are not well suited to the way that applications constantly and quickly evolve.

A multi-cloud strategy is essential

Each cloud provider uses a unique architecture and offers different features. To achieve effective security controls, organizations operating across multiple clouds need to weave an intricate matrix of cross-provider capabilities. Cloud-based WAAP services are more adapted to a multi-cloud strategy and environment.

Key Features of WAAP Services

Complete web application and API protection services ensure APIs and web applications remain safe from a wide range of attacks. A WAAP service must identify and analyze requests before they access the application or API endpoint.

The core features and capabilities of a comprehensive, effective WAAP strategy include:

Next-generation or intelligent web application firewall (next-gen or iWAF)

A next-gen WAF monitors and protects web applications at the application layer where they are deployed—from a wide range of attacks. And in contrast to a traditional WAF, an iWAF uses artificial intelligence (AI), machine learning (ML), and/or behavioral analysis, not just manual security rules or known attack patterns, to prevent attacks on apps and APIs.

Malicious bot protection

This type of protection isolates suspicious bots and stops them from attacking while allowing safe bot traffic to reach the application.

Runtime application self-protection (RASP)

RASP defends web applications and APIs in real-time, embedded in the application runtime domain.

Comprehensive protection against distributed denial-of-service (DDoS) attacks

WAAP solutions scale up to safeguard against massive DDoS attacks targeting the application and network layers of APIs, applications, and microservices.

Individual protection for APIs and microservices

WAAP strategies retain security within the application, microservice, or serverless function to surround all individual services with micro perimeters that are data- and context-aware.

Load balancing

WAAP solutions scale up to safeguard against massive DDoS attacks targeting the application and network layers of APIs, applications, and microservices.

Advanced rate limiting

This enhances API and website performance by preventing abusive activity at the application level.

Account takeover protections

This aspect of web application and API protection uses an application’s customer-facing authentication process or authentication APIs to detect unauthorized access to customer accounts. Account takeover protection prevents cybercriminals from using lost, stolen, or otherwise compromised credentials from password lists and data dumps.

How to Implement Web Application and API Protection WAAP

There are several challenges to implementing WAAP web application and API protection strategies and tools.

Concern about legal liability, cultural and regulatory constraints and old-fashioned organizational pushback can all hamper the adoption of cloud WAAP services and other cloud-based security services. Finding enough common ground between the budget and the pricing model and SLAs of possible providers is another key hurdle.

Another sensitive area is the need to allow a third-party cloud solution to manage application secret keys, decrypt TLS connections, and log sensitive client data, which might fall under the purview of data residency conditions.

Any cloud WAAP solution adopted by an organization ultimately has to be integrated into the current incident response workflow. The ease or possibility of this will be based on which security information and event management (SIEM) tool is already in place.

Along these lines, technical architecture presents an additional challenge, especially for bespoke WAAP services that are not built on established WAF solutions. These WAAP solutions can miss out on SIEM and application security testing (AST), and other integration with the enterprise ecosystem. Many also offer configuration and log retention options that are limited. Cloud consoles for WAAP monitoring may not offer entry to logs in real-time.

Finally, solution maturity is a factor in how effective cloud WAAP services are. Many are missing some key characteristics WAF appliances provided, such as cookie signing, form protection, and cross-site request forgery (CSRF) tokens. For organizations searching for a lift-and-shift means for tackling their cloud application security strategy challenges, this slows uptake, because they are already using these other techniques.

Does Avi Offer a WAAP Security Solution?

Yes. Avi’s comprehensive, software-defined application services platform provides a comprehensive web application security architecture, including DDoS mitigation, SSL/TLS encryption, load balancing, bot management, ACL and application rate limiting. It also features an Intelligent Web Application Firewall with distributed security fabric to enforce security through closed-loop analytics and WAF learning mode that covers open web application security project (OWASP) CRS protection, support for compliance regulations such as PCI DSS, HIPAA, and GDPR, and signature-based detection.

Avi Pulse cloud services provide new threat updates including IP reputation, bot detection, CRS signatures and more, and minimize false positives with advanced application security analytics, detection, and enforcement modes to detect common application vulnerabilities. Avi provides an optimized security pipeline to maximize the efficiency for traditionally resource-intensive operations. With real-time app security insights and analytics, the Advanced NSX Load Balancer from Avi Networks provides actionable insights on performance, end-user interactions and security events in a single dashboard with end-to-end visibility.

Learn more about how Avi’s platform delivers comprehensive protection for APIs, applications, and microservices.