Confused about the difference between a Web Application Firewall (WAF) and a Web Application and API Protection Platform (WAAP)? Curious to know how smart a next-gen "smart WAF" really is? Wondering if you need dedicated API security if you have a WAAP? Can you really trust a WAAP to protect your critical data and services?
in session ofSalt Security API Security Summit, Mike Rothman, Techstrong Research, confirms:
“With WAAPs, you're basically throwing some API stuff into your WAF. It may be sufficient for some needs, but it is not for many needs. I want to make sure I have visibility into everything that's going on across all the different layers of my application stack. I don't think these existing solutions — which are actually being manipulated to try to meet a new need — are doing that.”
So what is – and what is not – a WAAP?
The term "WAAP" originated as a designation for a next-generation WAF designed to go beyond signature-based attacks and provide additional functionality for API protection. Essentially, a WAAP is just a more advanced WAF. Some research firms have even listed WAF as a sub-function of a WAAP. WAF vendors, keen to avoid obsolescence, were only too happy to adopt the moniker and promote themselves as API security vendors. But just because a WAF vendor now says they offer a WAAP doesn't mean they offer the capabilities needed for a holistic API security strategy.
When it comes specifically to API security, WAAPs include API documentation support, schema analysis and validation, and some API detection. WAAPs and their legacy WAF functionality and protections are still essential to protect APIs from a range of predefined attacks including SQLi, code execution and DDoS attacks. But WAAPs only solve part of the API security puzzle. Each API endpoint has its own underlying business logic and function, and protecting against abuse requires an understanding of API traffic over time. That's not what WAFs or their evolved WAAP brethren were made for. As enterprises embrace cloud-native infrastructure and microservices and the resulting rise in APIs, these legacy defenses are insufficient to stop today's most sophisticated API attacks and dynamics.
According to Rothman, there's always a point in technology where you need a different skill. Thinking that you can solve the problem with an existing set of solutions just won't work. Such is the case with WAFs/now WAAPs when it comes to API security.
Without context, there are loopholes in API security
The nature of API attacks differs significantly from traditional application attacks. APIs have proliferated with the digitization transition, transforming and expanding the attack surface of every organization. Because each API endpoint has its own unique business logic, each attack is unique, requiring attackers to do a lot of research to discover an API vulnerability they can exploit. This reconnaissance activity and any resulting exploits can take days, weeks, or even months to complete. consider therecent data breach by T-Mobile. The attack effort actually began in November 2022 but was only spotted by T-Mobile on January 5 after exfiltrating 37 million customer records. Without the right context, attackers can easily obfuscate their attack efforts throughout the attack lifecycle.
In the case of APIs, organizations need broad and deep context to fully understand and assess potential threats. Relying solely on a WAAP for runtime protection leaves APIs unprotected and vulnerable due to several key vulnerabilities in providing that context. In particular, WAAPs often lack contextual and informational capabilities to:
- Monitor longer attacks
- Identify behavioral abnormalities that are slowly developing
- Provide broad data classification
- Tap Active Learning
- recognize user intent
Even the most common API vulnerabilities described inTop 10 OWASP API SecurityList could not be reliably detected with a WAAP.
WAAPs cannot monitor prolonged API attacks
API attacks happen over long periods of time. Malicious attackers are constantly poking and prod APIs to uncover potential vulnerabilities that they can exploit to exfiltrate valuable data or cause other damage. Because WAAPs do not have visibility into transactions over time, they cannot identify the days and weeks of reconnaissance activity that malicious attackers need to attack today's APIs. By showing all traffic in the context of one or more transactions, a WAAP misses the light and slow nature of API attacks.
You need to see the recognition as it happens. To protect your APIs—and the sensitive data they contain—you can't just wait until you're actively attacked or notified of a successful attack in the form of a ransom demand. Even without having all the details of the T-Mobile attack, it's safe to say that this team could have detected the attack sooner if they had the right API context over time—rather than 41 days later. To spot attacks, you need an overall picture that has evolved over time.
WAAPs fail to detect many API behavior anomalies
Combined with long-term visibility, API security solutions must also be able to identify the anomalies associated with low and slow API attack campaigns, including advanced reconnaissance activities, API abuse and abuse, and business logic handling attacks. Many organizations with mature API security programs assume that there are flaws in business logic and potential abuse in today's production systems. This is because these organizations know that it is very difficult to reliably identify and eliminate business logic errors and potential misuse during the development and testing cycles.
Therefore, the ability to accurately identify behavioral anomalies and discern user intent is considered by most organizations to be the most important part of their API security strategy. API attacks are behavioral and based on a series of activities. With a comprehensive view of behaviors, an advanced API solution provides an understanding of what constitutes "normal" behavior within a given ecosystem and what constitutes "extraordinary" behavior that could indicate a potential threat.
WAAPs (like their related WAF predecessors) were designed for yesterday's security landscape, analyzing only a small subset of transactions at a time. WAAPs look for known attack patterns. However, because all APIs are unique, most API vulnerabilities are zero-day vulnerabilities. Until someone abuses your API or exploits a flaw that exposes data, you simply don't know the vulnerability exists.
No matter how smart WAAPs get, they will always have these architectural limitations. Because there is no behavioral context, WAAPs cannot reliably differentiate between "ordinary" and "extraordinary" API behavior to provide an alert.
Consider the case ofLog4j vulnerability. The WAAP and WAF solutions failed to detect the zero-day security event because the subtle changes in the API parameter payloads did not generate any known attack rules or signatures that these solutions looked for. Additionally, these solutions were not designed for comprehensive detection of behavioral anomalies, so the small change in parameter loads could not be detected. As far as WAAP was concerned, the payload was valid.
However, Salt Security's API protection platform caught the bug in our customers' environments before the news even got public - we still didn't know what we were seeing, but we did discover Log4j exploits in our customers' environments. Our artificial intelligence (AI) and machine learning (ML) engine has flagged these exploits as deviations from the API's existing behavioral baselines. WAAPs do not have a baseline.
WAAPs lack extensive active learning capabilities
Given the time and attention, AI-powered solutions can "learn" from things they've seen before. Having this wealth of learned intelligence available in a security system allows for more accurate detection and generates a more effective response. By harnessing the power of big data at cloud scale, learning in one customer's environment enriches the algorithm, which in turn benefits all other customers, so learning occurs exponentially.
With its proven AI and ML algorithms, Salt's API security platform can provide deep insight and detail into the nature of many API vulnerabilities and how to fix them. WAAPs lack this intelligence.
WAAPs cannot detect the user's intent
Intelligence also provides information about user intent. Mature cloud-scale AI and ML models can analyze massive amounts of data and traffic, searching hundreds and thousands of structural and behavioral attributes for signatures and patterns. Salt API's security platform continuously analyzes user attributes and past behavior between users and APIs to not only look for behavioral anomalies, but also to understand user intent.
A WAAP is simply not designed to identify a rare unique IDbroken object-level authorization(BOLA) on an API with over a billion requests per month. And according to the OWASP API Security Top 10, BOLA is the top API security gap!
APIs are also often abused, even when someone uses them exactly as designed. If an attacker were to steal legitimate credentials and use them against a privileged API for nefarious purposes, a WAAP would typically not detect the attacker's unauthorized access and masqueraded attack. Without contextualizing user behavior, access seems reasonable for a WAAP. Because WAAPs don't provide full visibility into all the different layers of an application stack, they can't piece together related transactions over time to detect a potential threat.
API Security - more than an "add-on" to your WAF
In 2021, Gartner® included API security as a distinct pillar in its security reference architecture, distinguishing API security separately from WAFs, WAAPs, and API gateways. More recently in his2022 Innovation Insight for API Protection, Gartner® explained:
“Security leaders are looking for additional security features to protect their APIs. They are expanding beyond their existing API Gateways (GW) and Web Application and API Protection (WAAP) solutions – particularly in industries with high security requirements.”
Ultimately, WAAPs are more advanced than WAFs and play an important role in an organization's broader API security strategy, but they still do not and cannot holistically solve the API security problem. They almost all retain the same flaws in their architecture that prevent them from meeting the technology requirements for API security. WAAPs simply don't have the depth and breadth of visibility, intelligence, or context over time to defend against ever-changing and growing API attacks. Relying on WAAPs just for API security leaves today's blind spots and puts organizations at risk.
To protect today's ever-expanding and ever-changing API ecosystem, organizations need adequate runtime protection for API security on top of their WAAPs. OAPI-Schutzplattform Salt Securityprovides organizations with the context they need to fully secure their APIs in the build, deploy, and runtime phases. Forcustom demo,contact us.
*** This is a blog powered by Security Bloggers NetworkSalt Safety Blogwritten byNick Rago. Read the original post at:https://salt.security/blog/critical-api-security-gaps-in-waaps