What is Web Application and API Protection (WAAP)?

Web Application and API Protection (WAAP) describes a suite of security tools that discover and secure today’s complex applications. Large swathes of today’s web applications are built and run via Application Programming Interfaces (APIs) – lightweight software interfaces that allow applications to share data. This interactivity opens up new avenues of attack, however, and WAAP is purpose-built to close the holes that APIs have poked in traditional network security.



How Traditional WAF is limited

Before delving into WAAP capabilities, it’s worth contextualising the threat landscape they are built for. APIs are designed to share data quickly and easily. This makes them drastically different from the software that older network security platforms kept safe. Web Application Firewalls (WAFs) were built to protect web applications with largely static behaviours and a user base that communicates in largely predefined ways. This is an ideal environment for rule-based security policies: a WAF simply checks each HTTP request against its internal policies, and anything resembling suspicious behaviour can be blocked before an attack reaches internal systems.

To demonstrate why the WAF’s policy-based approach is limited, let’s assess some of the common risks facing API security:

Correct User Authentication

When interacting with web apps, users should only be able to access the resources that correspond to their role’s permission level. However, some APIs aren’t coded to check that the authenticated caller is actually permitted to access the specific object it requests – a vulnerability so common that OWASP gave it the name Broken Object Level Authorization. APIs that don’t perform this check allow an attacker to call the API, place another user’s ID in the user parameter, and gain access to that user’s or endpoint’s details.
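To make the gap concrete, here is an added example (not code from the page or from Check Point) showing a handler that omits the object-level check beside one that performs it. The in-memory order table, the user names and the `Forbidden` exception are constructed for illustration. Note that the two requests an attacker and a legitimate user send are byte-for-byte the same shape, which is why a signature-based rule cannot tell them apart; only the handler (or a WAAP that knows the caller’s identity and the object owner) can.

```python
# Added example: object-level authorization on an API handler.
# ORDERS is a constructed in-memory stand-in for a database table.
ORDERS = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 17.5},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def get_order_vulnerable(caller: str, order_id: int) -> dict:
    # The caller was authenticated upstream, but the handler never checks
    # whether that caller owns order_id: any logged-in user can read any order.
    return ORDERS[order_id]


def get_order_secure(caller: str, order_id: int) -> dict:
    order = ORDERS.get(order_id)
    # Treat "does not exist" and "not yours" identically so the response
    # does not reveal which IDs are valid.
    if order is None or order["owner"] != caller:
        raise Forbidden(f"{caller} may not access order {order_id}")
    return order


def can_read_order(caller: str, order_id: int) -> bool:
    """Convenience wrapper returning True only when the secure handler allows access."""
    try:
        get_order_secure(caller, order_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # bob asks for alice's order: the vulnerable handler hands it over,
    # the secure one refuses.
    print(get_order_vulnerable("bob", 101))   # leaks alice's order
    print(can_read_order("bob", 101))         # False
    print(can_read_order("alice", 101))       # True
```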

Token Theft

Alternatively, APIs that do authenticate their users may be at risk of token theft. Every time the user or endpoint verifies their identity with the API’s auth server, they are issued a token that verifies their access to the underlying API. These tokens should be set to expire regularly – however, some developers choose to issue permanent tokens. If this token is stolen, for instance through a man-in-the-middle attack, an attacker can access the user’s account indefinitely.

WAF Rule Limitations

WAF rules are essentially incapable of spotting improper access within APIs. A WAF built to spot HTML patterns struggles immensely against the complex and nested structures used by APIs. Signatures are not the optimum format for reliably encoding business and authentication processes.

Even worse, attempting to implement WAF signatures in API contexts often yields a large number of false positives. This means that the WAF issues alerts on and may even block legitimate API usage.

WAAP: How It Works, and Core Components

This isn’t to declare WAF obsolete – at the core of WAAP is a Web Application Firewall. WAAP also follows the same architectural design, since it’s also positioned as a reverse proxy that sits between users and backend services.

Instead of relying solely on WAF capabilities, however, WAAP benefits from several further components on top of it. Note that Gartner defines WAAP as cloud-based, since it requires not only integration with an organization’s pre-existing network tools, but also a backbone of threat intelligence that is updated on an ongoing basis.

Web Application Firewall (WAF)

The WAF continues to serve as an efficient and highly scalable layer of defense. It inspects all HTTP/S traffic going to and from the application and its users – a foundational baseline for securing a web application. Advanced WAF modules are based on a continuously-updated ruleset, which allows for virtual patching as threats are newly discovered. Real-time threat feeds can draw on a provider’s full breadth of vulnerability intelligence, allowing for near real-time protection.

Alongside that, an advanced WAF can offer Deep Packet Inspection (DPI). Traditional WAFs would examine the packet headers of user requests – which show where the packet is travelling to and from, alongside how it’s routed there. DPI supersedes this by examining the full content of data packets and their payload as they pass through a network.

This deeper analysis allows a WAF engine to block not just individually dangerous packets, but also more complex attacks, such as a compromised application that begins requesting connections to command-and-control servers. Context-aware policies can therefore consider the broader context of each request, such as user identity, location, time, device, and where the data appears within the request.

Finally, all of this real-time HTTPS traffic data is fed into a behavioral analytics platform. This allows the WAF to build a profile of how each application is called over time, and how different users behave.

API Gateway

API security is a core component of WAAP. Architected as an API gateway, the WAAP acts as a single point of entry that ingests each request before either routing it to the appropriate backend service, or invoking the requested backend services and aggregating their results.

From a security visibility perspective, this allows for far better API visibility. API discovery can be semi-automated, as the WAAP solution scans traffic and associated endpoints to detect the APIs currently in use. Once added to an inventory, a manual review is then performed – verified APIs are moved into a baseline inventory, whilst any unexpected discoveries are flagged as shadow APIs and listed for further verification.
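The discovery and shadow-API triage described above can be sketched in a few lines. This is an added example, not the page’s or Check Point’s discovery engine: it reads constructed access-log lines, collapses numeric and UUID path segments into an `{id}` placeholder so that `/users/42` and `/users/77` count as one endpoint, builds an inventory with call counts, and reports every (method, endpoint) pair that is absent from an assumed verified baseline.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines: "METHOD PATH STATUS". Not real traffic.
SAMPLE_LOG = """\
GET /api/v1/users/42 200
GET /api/v1/users/77 200
POST /api/v1/orders 201
GET /api/v1/orders/101/items 200
GET /api/v2/users/42/export 200
POST /internal/debug/dump 200
GET /api/v1/users/42 200
"""

# Assumed baseline inventory of endpoints that a manual review already verified.
BASELINE = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}/items"),
}

# A path segment that is a plain integer or a UUID is treated as an identifier.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)


def normalize_path(path: str) -> str:
    """Replace identifier segments with {id} so per-object URLs fold into one endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def discover(log_text: str) -> dict:
    """Build an inventory: (method, normalized path) -> number of observed calls."""
    inventory = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        inventory[(method, normalize_path(path))] += 1
    return dict(inventory)


def shadow_apis(inventory: dict, baseline: set) -> list:
    """Endpoints seen in traffic that no one has verified yet, sorted for stable reporting."""
    return sorted(ep for ep in inventory if ep not in baseline)


if __name__ == "__main__":
    inv = discover(SAMPLE_LOG)
    for endpoint, count in sorted(inv.items()):
        print(f"{count:3d}  {endpoint[0]:5s} {endpoint[1]}")
    print("shadow:", shadow_apis(inv, BASELINE))
```

In practice the interesting output is the last line: an unreviewed `/api/v2/...` variant and an `/internal/debug/...` route that should never have been reachable through the gateway are exactly the kind of shadow APIs a WAAP queues for verification.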

Part of this process includes validating what schema each API adheres to. When each API is discovered, the WAAP tool ingests its sampled request and response data and matches it against an internal list of common schemas. Any uncommon schema can be verified manually. Alongside schema, this WAAP discovery includes each API’s authentication elements.

The learned or imported API schemas allow for validation to be applied to incoming and outgoing requests. This, therefore, ensures that even third-party APIs are adhering to best practices such as OAuth 2.0 authentication, input sanitization, and rate limiting. Modern WAAP platforms often integrate API gateways for real-time traffic visibility and automated API inventory management.
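Schema enforcement at the gateway means rejecting a request body before it reaches the backend when it does not match what was learned or imported for that endpoint. The example below is added here and is not the page’s or Check Point’s validator; the `ORDER_SCHEMA` for a hypothetical `POST /api/v1/orders` body is constructed. It checks required fields, types, lengths, element types of lists, and, importantly, rejects fields the schema does not know about, which is how unexpected attributes such as a client-supplied `is_admin` flag are stopped at the edge.

```python
from typing import Any, Dict, List

# Constructed schema for a hypothetical order-creation request body (assumption).
ORDER_SCHEMA: Dict[str, Dict[str, Any]] = {
    "customer_id": {"type": int, "required": True},
    "items": {"type": list, "required": True, "item_type": str, "max_len": 50},
    "note": {"type": str, "required": False, "max_len": 200},
}


def _has_type(value: Any, expected: type) -> bool:
    # bool is a subclass of int in Python; an integer field must not accept True/False.
    if expected is int and isinstance(value, bool):
        return False
    return isinstance(value, expected)


def validate(body: Any, schema: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return a list of violations; an empty list means the body conforms to the schema."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors: List[str] = []
    for name, rule in schema.items():
        if name not in body:
            if rule.get("required"):
                errors.append(f"missing required field '{name}'")
            continue
        value = body[name]
        if not _has_type(value, rule["type"]):
            errors.append(f"field '{name}' must be {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"field '{name}' exceeds max length {rule['max_len']}")
        if "item_type" in rule and not all(isinstance(v, rule["item_type"]) for v in value):
            errors.append(f"field '{name}' items must be {rule['item_type'].__name__}")
    # Anything outside the learned schema is rejected rather than passed through.
    for name in body:
        if name not in schema:
            errors.append(f"unexpected field '{name}'")
    return errors


if __name__ == "__main__":
    print(validate({"customer_id": 7, "items": ["sku-1", "sku-2"]}, ORDER_SCHEMA))       # []
    print(validate({"customer_id": "7", "items": []}, ORDER_SCHEMA))                     # type error
    print(validate({"customer_id": 7, "items": ["sku-1"], "is_admin": True}, ORDER_SCHEMA))  # unexpected field
```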

Bot Management

While APIs and individual users are important to secure, there is one other actor to consider when securing applications: bots. Thankfully, bots often behave in ways that differentiate them from genuine users and API calls – for instance, humans move their mouse pointers in random, organic ways, while bots either simulate mouse movements in mechanical straight lines, or not at all. WAAP collects client-side activity, alongside parameters like device, browser, and network.

WAAP best practice then dictates that a suspected bot is issued a challenge, such as a JavaScript challenge or a CAPTCHA. Once verified as a bot, it can be blocked or subjected to sensible rate limits.

Access Management

Earlier, we touched on the importance of secure API authentication. WAAP provides both visibility into and enforcement of this by integrating with an organization’s pre-existing Identity and Access Management (IAM) provider.

Once integrated, the WAAP can capture and validate all access tokens issued in API authentication – and ensure that each API call carries a valid, unexpired credential. This provides a framework through which an organization can detect and remove stolen access tokens, while enforcing regular token renewal within its active APIs.
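The two token problems raised on this page, permanent tokens in the Token Theft section and the “valid, unexpired credential” check described here, can be enforced with a small validator at the gateway. The following is an added example and not the page’s or Check Point’s implementation: it issues HMAC-SHA256-signed tokens carrying issued-at and expiry claims, and the validation routine rejects tampered tokens, tokens with no expiry, tokens whose lifetime exceeds an assumed one-hour policy, and tokens that have expired. The signing key, the subjects and the one-hour limit are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

MAX_TTL = 3600  # assumed policy: no access token may live longer than one hour


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: str) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def issue_token(key: bytes, subject: str, ttl: Optional[int], now: int) -> str:
    """Issue a signed token. ttl=None models a developer issuing a permanent token."""
    claims = {"sub": subject, "iat": now}
    if ttl is not None:
        claims["exp"] = now + ttl
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{payload}.{_sign(key, payload)}"


def validate_token(key: bytes, token: str, now: int, max_ttl: int = MAX_TTL) -> Tuple[Optional[str], str]:
    """Return (subject, "ok") if the token may be used at time `now`, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed"
    payload, sig = parts
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(sig, _sign(key, payload)):
        return None, "bad signature"
    claims = json.loads(_unb64(payload))
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None:
        return None, "no issued-at"
    if exp is None:
        return None, "no expiry"              # permanent tokens are never accepted
    if exp - iat > max_ttl:
        return None, "lifetime exceeds policy"  # forces regular renewal
    if now >= exp:
        return None, "expired"
    return claims["sub"], "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    tok = issue_token(key, "alice", 600, now=1_000_000)
    print(validate_token(key, tok, now=1_000_100))   # ('alice', 'ok')
    print(validate_token(key, tok, now=1_000_600))   # (None, 'expired')
    print(validate_token(key, issue_token(key, "bob", None, 1_000_000), 1_000_000))  # no expiry
```

Because the lifetime limit is checked against the token’s own claims, a token minted elsewhere with a multi-day expiry is refused even when its signature is valid, which is the gateway-side counterpart to the renewal policy the paragraph describes.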

From an end-user’s perspective, WAAP tools can make the authentication process faster, since they support federated identities and SSO integrations. This means that authentication for trusted devices can be done in the background.

Maximize API Security with Check Point CloudGuard

Check Point CloudGuard offers transparent API discovery and schema enforcement: it then applies dual AI engines – one trained on vast volumes of malicious and benign traffic, the other continuously modeling the unique context of your applications – to automatically block threats with near-zero false positives.

Finally, CloudGuard collates all ongoing API and web application data into a unified dashboard. Reporting is made fast and efficient thanks to audit-ready logs, while Check Point’s global infrastructure provides local Points of Presence that keep latency low and maintain a high level of scalability.

Explore the CloudGuard dashboard for yourself with a demo and start unveiling the APIs within your organization.