What Is Web Application and API Protection (WAAP)?
Web Application and API Protection (WAAP) is a term used to describe advanced web application security solutions and services that protect both web applications and application programming interfaces (APIs) from vulnerabilities and cyberattacks. Centered around the third-generation web application firewall (WAF), the term WAAP grew in popularity as more and more WAF vendors expanded their offerings to incorporate additional security features on top of the WAF – most notably API protection, malicious bot mitigation, and DDoS protection – to adapt to the changing landscape of today’s web applications.
Therefore, WAAP isn’t a new technology in and of itself but a set of security measures based on the third-generation WAF. Compared to a legacy WAF, third-generation WAFs are based on AI algorithms and are usually more versatile and adaptable to hybrid and cloud environments. They can be deployed in software form on virtual machines or simply as a cloud-native SaaS, useful for organizations that host their web application servers in the cloud.
This blog takes a deep dive into the major components of WAAP and where they stand to protect modern web applications.
Third-Generation Web Application Firewall (Third-Gen WAF)
Most have heard of the term third-gen WAF, sometimes referred to as the next-gen WAF. Yet its name provides very little explanation of how it differs from a legacy WAF. The primary difference lies in their detection mechanisms. A legacy WAF uses signature-based detection, which requires the administrator to maintain a list of thousands of signatures of known attack patterns. For the WAF to detect an attack, the attack pattern and attack vector must match a signature exactly. This method has gradually become outdated because today’s web applications are far more dynamic than in the past, making it nearly impossible to update the signature list every time the application is modified.
The third-gen WAF uses rule-based detection instead of signatures. By running logic-based rules generated by AI, any attack pattern that falls within the logic of a rule can be detected and mitigated, even if that exact pattern has never been seen before. This allows for accurate and continuous protection as applications undergo modifications and updates.
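To make the difference concrete, here is an added illustration (my own code, not the detection engine of any product named on this page) that runs a verbatim signature list and a small set of logic-based rules over constructed sample parameter values. The signature list, the rules, and the sample inputs are all assumptions made for the example; the point it shows is that a rule describing the structure of an attack still fires when casing, encoding or the literal values change, while an exact-match signature does not.

```python
"""Signature matching versus normalizing, logic-based rules.

Added example for illustration only; the signatures, rules and inputs
below are constructed and do not come from any real product or ruleset.
"""
import re
from urllib.parse import unquote_plus

# Constructed legacy signature list: a match requires the exact bytes.
SIGNATURES = [
    "' OR 1=1--",
    "<script>alert(1)</script>",
]


def signature_match(value: str) -> bool:
    """Legacy approach: the request must contain a listed signature verbatim."""
    return any(sig in value for sig in SIGNATURES)


def normalize(value: str) -> str:
    """Canonicalize before inspection: URL-decode twice (double encoding),
    strip inline SQL comments, collapse whitespace, lower-case."""
    v = unquote_plus(unquote_plus(value))
    v = re.sub(r"/\*.*?\*/", " ", v)
    v = re.sub(r"\s+", " ", v)
    return v.lower()


# Logic-based rules describe the *shape* of an attack, not one string.
RULES = {
    # A quote that breaks out of a string literal, followed by OR and an
    # equality comparison (the classic tautology shape), whatever the operands.
    "sqli-tautology": re.compile(r"""['"]\s*or\s+[\w'"]+\s*=\s*[\w'"]+"""),
    # Script tags, inline event handlers or javascript: URLs, any casing.
    "xss-markup": re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:"),
}


def inspect(raw_param: str) -> dict:
    """Return the verdict of both strategies for one parameter value."""
    norm = normalize(raw_param)
    fired = [name for name, rx in RULES.items() if rx.search(norm)]
    return {"signature": signature_match(raw_param), "rules": fired}


if __name__ == "__main__":
    # Constructed sample values: one benign, one exact signature hit, two
    # variants that dodge the signature, and one benign sentence with "or".
    samples = [
        "1",
        "' OR 1=1--",
        "%27%20oR%202%3D2%20--",
        "<ScRiPt>alert(1)</ScRiPt>",
        "I love SQL, or at least I try",
    ]
    for s in samples:
        print(f"{s!r:40} -> {inspect(s)}")
```

Two practical notes: normalization is what makes the rules resilient (the double URL-decode and case-folding happen before any pattern is evaluated), and broad rules carry a false-positive cost; the `\bon\w+\s*=` clause, for instance, would also fire on a benign query string containing `onion=`, which is why production rulesets tune such rules per application and log the rule name that fired so analysts can review it.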
Application Programming Interface (API) Protection
A modern web application is rarely built as a single system (i.e., a monolithic application). Instead, individual functions are built as separate, smaller applications known as microservices. Developers prefer this distributed model because it is much easier and quicker to make function-specific modifications and upgrades to satisfy today’s fast-changing user demands. Hence, what looks like one “application” to the user is in fact a combination of hundreds of these microservices.
The API acts as a central interface in the backend that stitches these microservices together to provide a complete and coherent frontend user experience. Given its important role, more and more threat actors are now attempting to target vulnerabilities in the API, since compromising the API means gaining potential access to hundreds of microservices hosted on various servers.
Protection for the API and microservices is the second pillar of WAAP solutions. This is achieved through multiple approaches, including making custom configurations to the third-gen WAF, generating SSL certificates, and scanning an application’s source code for vulnerable dependencies.
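One of the custom configurations mentioned above is a positive security model for the API: the WAF is told which routes exist and what each request body may contain, and anything outside that description is rejected before it reaches a microservice. The following is an added example (my own code, not a feature of any product on this page); the route inventory, field constraints and sample requests are constructed assumptions.

```python
"""Positive security model for an API endpoint: allow-listed routes,
allow-listed fields, strict types and bounds. Added example; the schema
and the sample requests are constructed for illustration.
"""
import json

# Constructed API inventory. Each route maps to the fields its JSON body may
# carry. Anything not listed here is rejected: unknown routes, unknown fields.
API_SCHEMA = {
    ("POST", "/api/v1/orders"): {
        "item_id": {"type": int, "min": 1},
        "quantity": {"type": int, "min": 1, "max": 100},
        "note": {"type": str, "max_len": 200, "optional": True},
    },
    ("GET", "/api/v1/orders"): {},  # no body fields expected
}


def validate_api_request(method: str, path: str, body: str) -> list:
    """Return a list of violations; an empty list means the request passes."""
    schema = API_SCHEMA.get((method, path))
    if schema is None:
        return [f"unknown route {method} {path}"]

    if not body:
        data = {}
    else:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return ["body is not valid JSON"]
    if not isinstance(data, dict):
        return ["body must be a JSON object"]

    problems = []
    # Unknown fields are the classic vector for mass assignment: reject them.
    for field in data:
        if field not in schema:
            problems.append(f"unexpected field '{field}'")

    for field, spec in schema.items():
        if field not in data:
            if not spec.get("optional"):
                problems.append(f"missing field '{field}'")
            continue
        value = data[field]
        # bool is a subclass of int in Python, so check it explicitly.
        wrong_type = not isinstance(value, spec["type"]) or (
            spec["type"] is int and isinstance(value, bool)
        )
        if wrong_type:
            problems.append(f"field '{field}' has wrong type")
            continue
        if "min" in spec and value < spec["min"]:
            problems.append(f"field '{field}' below minimum {spec['min']}")
        if "max" in spec and value > spec["max"]:
            problems.append(f"field '{field}' above maximum {spec['max']}")
        if "max_len" in spec and len(value) > spec["max_len"]:
            problems.append(f"field '{field}' longer than {spec['max_len']}")
    return problems


if __name__ == "__main__":
    # Constructed sample requests.
    cases = [
        ("POST", "/api/v1/orders", '{"item_id": 42, "quantity": 2}'),
        ("POST", "/api/v1/orders", '{"item_id": 42, "quantity": 2, "is_admin": true}'),
        ("POST", "/api/v1/orders", '{"item_id": "42 OR 1=1", "quantity": 2}'),
        ("POST", "/api/v1/orders", '{"item_id": 42, "quantity": 5000}'),
        ("DELETE", "/api/v1/orders", ""),
    ]
    for method, path, body in cases:
        print(method, path, body, "->", validate_api_request(method, path, body) or "OK")
```

The design point is that the schema is the only thing an operator has to keep current: a new field or route is added to the inventory when the microservice ships it, and everything else stays denied by default, which is the opposite of maintaining a list of bad inputs.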
Malicious Bot Mitigation
Publicly accessible websites receive requests from all across the globe. Among all these requests, bots tend to make up a significant portion of website traffic. Many bots are used for website automation, such as automated contact forms, email forwarding services, and the increasingly common live chat feature seen on many websites. On the other end, threat actors also use bots to launch automated attacks that can serve a range of purposes, including paralyzing an application’s functions, sending spam and phishing emails, interfering with legitimate bots and data analytics, or even stealing data.
Therefore, an integral aspect of web application security today is bot mitigation. Blocking malicious bots is especially important for time-critical applications such as financial and trade platforms, ticketing websites, as well as websites for critical infrastructure. Although it is difficult to accurately identify all malicious bots, WAAP solutions use advanced detection techniques and AI-based rules to filter out the majority of malicious bots, even when they come from botnets utilizing hijacked residential IP addresses.
Speaking of botnets, distributed denial-of-service (DDoS) attacks are one of the most commonly used attack methods worldwide because they require very little hacking knowledge. The size of today’s botnets is expanding at a fast rate and many of them are available at affordable prices, making DDoS a common tool used by non-professional hackers.
The same set of mechanisms is used for malicious bot mitigation and DDoS protection. However, since it is difficult to completely block a wave of DDoS attacks, a load balancer is necessary to prevent a server from being overwhelmed and to evenly distribute traffic among multiple servers to ensure that the web service remains functional during an attack.
Penta Security’s WAAP Solution
Penta Security’s WAPPLES and WAPPLES SA are a pair of third-gen WAFs built for today’s most advanced web attacks. Running on Penta Security’s COCEP™ (Content Classification and Evaluation Processing) detection engine, WAPPLES is capable of detecting both existing and new attack patterns based on logic-based rules.
Whereas WAPPLES is a hardware appliance for on-premises environments, WAPPLES SA is a software appliance installable on virtual machines, dedicated to hybrid and cloud environments. For organizations that prefer a cloud-native WAF for deployment within the cloud, Cloudbric WAF+ is a fully managed cloud-native WAAP solution that operates on the same logic-based detection engine.
Both WAPPLES and Cloudbric are capable of the advanced WAAP capabilities mentioned above, ensuring that websites and APIs are protected from the latest web security threats.