By Amit Chaudhury, Vice President and Practice Head – Cloud and Security, Bharti Airtel
As cloud and digital services gain traction, living on the edge becomes the mantra for modern enterprises. Today, every business has a web presence through a website or mobile application, enabling customers to interact anytime from anywhere. Unfortunately, it also allows attackers to interact with the same digital ecosystem, making every company, big or small, a reachable target with operations, reputation, and revenue pipelines at stake.
Recent research reveals that 26% of all breaches involve application attacks. The rise of low-code or no-code application development using third-party APIs further increases the risk. Clearly, a robust WAAP (Web Application and API Protection) solution is crucial to shield your applications.
Understanding WAAP: What it is and what it is not
WAAP is a specialised tool to secure applications and APIs, unlike traditional firewalls that protect servers. It focuses on the application layer and resides on the network’s outer edge. WAAP monitors and analyses the incoming traffic as the users interact with the applications to ensure only safe packets pass through.
WAAP is crucial in today’s hyper-connected world as the applications directly access the backend database. Any breach into the application layer can mean significant data loss. Instead of protecting the network at large, WAAP protects dedicated edge-based applications and is well-equipped to interpret complex HTTP traffic. It impedes the intrusion before it can enter your system.
WAAP as a mandatory directive for modern businesses
The complexity and quantity of API adoption create security gaps in most applications. These applications are often exposed to the public Internet, making them easy bait for attackers. While a traditional WAF (web application firewall) specifically monitors and filters web traffic, it struggles to deliver for modern apps with multiple API interfaces.
Here are some factors that drive WAAP adoption.
Surging API security issues
Security breaches due to misconfigured APIs are piling up. Many major companies in various industries have reported breaches resulting in data theft, affecting millions of customers. APIs have emerged as a significant vector in these attacks, driving the need for an API-specific security solution with capabilities beyond traditional tools.
Constantly changing modern apps
Thanks to the rise of agile development and DevOps, modern applications constantly adapt to meet changing user demands. This keeps APIs in a state of persistent flux. The manual tuning and rule development a traditional WAF requires make it hard to keep up, which calls for built-in automation and simple administration.
Insufficient port-level blocking
Traditional firewalls use port- and protocol-level inspection to filter malicious traffic. However, web app and API attackers use valid ports, so deeper inspection of the request itself is needed to distinguish legitimate traffic from attacks.
Traditional solutions losing relevance
Conventional solutions fall short against sophisticated attacks in many ways and call for a dedicated, comprehensive API security solution.
⦁ False negatives in vulnerability scanning
Traditional vulnerability scanners, not designed to detect API-specific weaknesses, result in many false negatives. You will likely miss 8 out of 10 vulnerabilities while scanning with them.
⦁ Signature matching limitation
Signature-based methods rely on the analysis of previous attacks. They fail against new attacks that do not match prior signatures. BOLA (Broken Object Level Authorisation) is a classic example: the malicious request carries no payload to match, only a different object identifier, and it leads the OWASP API Security Top 10.
⦁ WAF’s static rules fall short
WAF filters traffic based on static rules that require manual fine-tuning. These firewalls cannot protect modern, ever-evolving applications, making automation essential. Also, these firewalls focus on external traffic and can leave internal threats undetected.
⦁ Misleading RASP patterns
RASP (Runtime Application Self Protection) is limited to the individual apps engaging with microservices; it cannot monitor actions across the entire service at once. Also, RASP does not understand business logic and can mistake a valid use case for a threat.
⦁ Inspection of encrypted traffic
TLS encryption effectively stops attackers from surveilling the traffic. But it also prevents firewalls that do not terminate TLS from inspecting that traffic. Intruders can hide anything they want in the incoming stream to trigger an attack.
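As an added illustration of the BOLA point above (example code written for this page, not the author's or any vendor's), the two requests below are byte-for-byte the same shape; a signature filter passes both, and only an object-level authorisation check in the endpoint tells them apart. The order records, user names and signature fragments are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: order id -> record, including the owning account.
ORDERS = {
    "ord-100": {"owner": "alice", "total": 42.00},
    "ord-101": {"owner": "bob", "total": 99.50},
}

# A few classic payload fragments a signature rule might look for (illustrative).
SIGNATURES = ("' OR 1=1", "<script", "../")


@dataclass
class Request:
    user: str   # authenticated identity, e.g. from a validated session token
    path: str   # e.g. "/orders/ord-101"


def signature_filter(req: Request) -> bool:
    """Signature-style check: True only if a known malicious payload appears."""
    return any(sig in req.path for sig in SIGNATURES)


def get_order_vulnerable(req: Request) -> Optional[dict]:
    """Authenticated but not authorised: any valid id is returned (BOLA)."""
    order_id = req.path.rsplit("/", 1)[-1]
    return ORDERS.get(order_id)


def get_order_hardened(req: Request) -> Optional[dict]:
    """Object-level authorisation: the caller must own the requested object."""
    order_id = req.path.rsplit("/", 1)[-1]
    record = ORDERS.get(order_id)
    if record is None or record["owner"] != req.user:
        return None  # treat as not found; do not confirm other users' ids exist
    return record


# Alice asking for Bob's order looks exactly like Alice asking for her own.
probe = Request(user="alice", path="/orders/ord-101")
```

The defensive takeaway is that the check must live where the object's owner is known, and that monitoring should flag the pattern (one identity enumerating many ids) rather than wait for a payload signature.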
WAAP protection for apps and APIs: key capabilities
Since traditional solutions no longer satisfy API security requirements, the way forward is a consolidated solution – WAAP. It provides a comprehensive defence for monolithic or microservice apps and APIs. WAAP protects against a broad spectrum of cyberattacks without much oversight or hands-on management. Its core capabilities are:
⦁ Next-gen WAF (NGWAF)
WAAP includes a fully managed firewall that safeguards against zero-day attacks in addition to conventional signature-based protection. Through deep inspection of application behaviour and usage, it defines the baseline behaviour and triggers actions when anomalies arise.
⦁ RASP
WAAP provides customised protection to applications based on their input, output, and behaviour using Runtime Application Self Protection (RASP). It helps address the zero-day attacks more effectively.
⦁ Bot protection
Bot attacks like scraping, credential stuffing, and reconnaissance are common. These are automated attacks targeting applications at scale. WAAP provides greater visibility and control over bot traffic, balancing application usability and security.
⦁ DDoS protection
WAAP effectively detects and mitigates API-centric DDoS attacks. It blocks traffic at the edge and ensures business continuity while maintaining performance and guaranteed uptime.
⦁ Account takeover protection
Cybercriminals use credentials from data dumps and password lists to access users' accounts. WAAP detects and impedes such unauthorised access at the application's user-facing authentication.
⦁ Protection for APIs and microservices
WAAP places security within serverless functions, applications, and microservices. It helps create a context and data-aware perimeter for each service and API.
⦁ ML-based threat detection
WAAP uses ML-based threat detection to overcome the bottlenecks of signature-based detection. It defends against zero-day attacks with minimum false positives.
⦁ Real-time attack analytics
WAAP provides complete visibility into your system. It monitors real-time security events and reveals threat patterns using ML techniques for proactive protection.
WAAP best practices
Proper development and implementation of WAAP services are crucial for comprehensive protection against top threats. Following the best practices ensures that your applications and APIs are secure.
⦁ API gateway management
In addition to securing microservices using authorisation, authentication, request throttling, and IP safelists, gateways also track API usage. Combined with NGWAF and RASP, this provides true in-depth security against partner API misuse, disallowed traffic sources, and other OWASP Top 10 threats.
⦁ Authentication and authorisation
Properly implemented authentication and authorisation verify users' identity and enforce access permissions at the perimeter and across all activities. This provides a frictionless experience to users while safeguarding applications against multiple threats and sensitive data exposure.
⦁ Advanced rate limiting
Advanced rate limiting throttles abusive behaviour at the application layer using per-identity thresholds. By identifying and limiting requests, it ensures availability for legitimate users. It protects against brute force attacks, API DoS, account takeovers, website content scraping, API abuse, and more.
In a nutshell
Cybersecurity is a focal point of technological advancement in 2023 and beyond. As threat surfaces and attackers' capabilities expand, incidents and risks grow, making resilience and recovery a pressing need. With the rise of API-based applications, WAAP is essential for comprehensive protection.