on 20-Mar-2023 09:46 - edited on 04-Apr-2023 11:47 by JRahm
It wasn't too long ago that we saw Next Generation FireWall (NGFW) companies telling potential buyers that a Web Application Firewall (WAF) was unnecessary if you had an NGFW. These days, thankfully, most security professionals are educated enough to understand that a WAF - and really, WAAP today - is a critical component of a modern application infrastructure for just about any organization that needs to expose an application for consumption, whether external or internal.
So, what is WAAP? Conceptually, it is an evolution of the WAF, and it stands for Web Application & API Protection. It is similar to WAF in that the primary focus is to defend against layer 7 attacks - slowloris, brute force, L7 DoS, etc. - and also to provide protocol enforcement at layer 4. Another similarity is that both WAF and WAAP use the OWASP Top 10 as a framework for development. The glaring difference between the two is that WAAP must also cover the OWASP Top 10 for APIs, as it is estimated that some 80% of the internet's traffic is now API related. WAAP also includes an expected bot defense component. In the days of WAF, this was not as prevalent, but I think we all know that bot traffic is nothing short of explosive these days.
The challenges that WAAP looks to resolve are a bit different from those of WAF, as you can imagine. One of the first issues is API awareness. With virtualization, we learned some lessons around sprawl. We see similar behaviors in cloud adoption today, as so many companies have found with their bottom-line cloud spending. So often, an API is developed, used and replaced, then left open and forgotten... a gaping risk for the foreseeable future.
Another challenge is business logic. With traditional data center firewalls, we protected the IP and port, but the business logic was always enforced on the application itself. Firewalling an application is quite a bit different, as the minutiae of how the application applies limits to defend the business become an enforcement point, rather than an irrelevant data point. Put more simply, we must defend those pieces of the application that are able to impact the overall business. APIs have glaringly been a way to manipulate business logic in ways that can really impact a business or brand. If we think about the rash of reseller bots in the past few years and what that has meant for concertgoers, comic nerds and shoe-heads alike, we see this damage in the headlines.
Then, there's the big one (heh)... volumetric attacks. This is a problem in SO many ways. Not only does it have the potential to consume valuable system and network resources, but it is also the most common way to 'provide air cover' for some of the more intelligent application-level attacks. It does this by making system and network logs almost unreadable for security response engineers during an attack.
Lastly - and this is a big one - is security management. With more complex infrastructures and cloud resources to account for, our computing environments have become SO much more diverse. Mature organizations will have a mixture of monolithic and modern applications running. Not only do we need to be cognizant of our virtual infrastructures, but also of our more modern container environments. How many clouds? Does it feel like all of them? Learning the ins and outs of security tools in all of those different application environments is nearly impossible for existing staff, and spending on expertise in personnel is... difficult? At best.
These challenges are tremendous, but WAAP, as a solution, provides a tremendous 'bang for the buck' ratio for the types of attacks we see on the open internet today. Firstly, WAAP provides an awareness of applications and APIs. We need to tailor our solutions around what web server is being used, what database the application relies on, what functions an API endpoint might expose and so much more. With regard to APIs, we also need a way to discover APIs in our environments. All of this understanding allows for granular control and constraint of each application we secure.
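The API sprawl problem described earlier and the need for API discovery come together in a simple, offline check: compare what the access logs say is actually being called against the inventory the team believes is in service. The script below is an added example, not code from the original post or from F5; the log lines, the documented-endpoint set and the `/api/` prefix are all constructed for illustration. It reports "shadow" endpoints (called successfully, but absent from the inventory) and "dormant" ones (documented, but never called in the sample).

```python
import re
from collections import Counter

# Constructed sample access log (combined-log style); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2023:09:46:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [20/Mar/2023:09:46:02 +0000] "GET /api/v1/users/77?fields=name HTTP/1.1" 200 498
10.0.0.9 - - [20/Mar/2023:09:46:03 +0000] "POST /api/v1/orders HTTP/1.1" 201 120
10.0.0.9 - - [20/Mar/2023:09:46:04 +0000] "GET /api/v0/export/all HTTP/1.1" 200 90210
10.0.0.9 - - [20/Mar/2023:09:46:05 +0000] "GET /api/v0/export/all HTTP/1.1" 200 90210
10.0.0.12 - - [20/Mar/2023:09:46:06 +0000] "DELETE /api/v1/users/1042 HTTP/1.1" 405 0
10.0.0.12 - - [20/Mar/2023:09:46:07 +0000] "GET /static/app.js HTTP/1.1" 200 30011
"""

# Constructed inventory: what the team thinks is in service (the kind of list
# you would derive from an OpenAPI document). Path parameters use {id}.
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def normalize_path(path: str) -> str:
    """Drop the query string and collapse numeric/UUID segments to {id},
    so /users/1042 and /users/77 map onto one endpoint template."""
    path = path.split("?", 1)[0]
    return "/".join(
        "{id}" if seg.isdigit() or UUID_RE.fullmatch(seg) else seg
        for seg in path.split("/")
    )


def observed_endpoints(log_text: str, api_prefix: str = "/api/") -> Counter:
    """Count (method, template) pairs that the server actually served.
    Responses >= 400 are excluded: a 405 or 404 is evidence of a probe,
    not of an implemented endpoint."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith(api_prefix):
            continue
        if int(m.group("status")) >= 400:
            continue
        seen[(m.group("method"), normalize_path(m.group("path")))] += 1
    return seen


def discover(log_text: str, documented: set) -> dict:
    """Shadow = served but undocumented; dormant = documented but unused."""
    seen = observed_endpoints(log_text)
    shadow = {ep: n for ep, n in seen.items() if ep not in documented}
    dormant = sorted(documented - set(seen))
    return {"shadow": shadow, "dormant": dormant}


if __name__ == "__main__":
    report = discover(SAMPLE_LOG, DOCUMENTED)
    for ep, n in report["shadow"].items():
        print(f"SHADOW  {ep[0]:6} {ep[1]}  ({n} successful calls)")
    for ep in report["dormant"]:
        print(f"DORMANT {ep[0]:6} {ep[1]}")
```

On the constructed sample this flags `GET /api/v0/export/all` as a shadow endpoint (an old version that was replaced but never switched off, exactly the "left open and forgotten" case) and `GET /api/v1/orders/{id}` as dormant. Both lists are worth a conversation with the owning team: the first is an exposure nobody is managing, the second is a candidate for retirement before it becomes one.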
Another solution is the concept of a managed ruleset and policy layering for our applications. With the aforementioned sprawl that is inherent in modern, distributed applications, and even in monolithic applications that span many environments, we see a common theme with regard to management: division of responsibility is a brilliant way to overcome it. With the ability to layer policies at various points in the journey of a packet within our environments, we can have an individual or team manage global policies, while another group of people divide microservice-specific responsibilities and yet another could manage geographical security needs. Layers... through the application.
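To make the layering idea concrete, and to show the business-logic enforcement point from the earlier paragraph living inside it, here is an added example of a small policy engine; it is not code from the original post or from the F5 platform. Requests pass through a global layer, then a geographic layer, then a service-specific layer, and the first deny wins while recording which layer and rule fired. The request shape, the block-listed network (a TEST-NET range), the ship-to country set and the two-orders-per-minute purchase limit are all constructed assumptions standing in for what each team would actually own.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Request:
    # Constructed request shape; a real WAAP sees far more context than this.
    src_ip: str
    country: str            # assumed to come from an upstream GeoIP lookup
    service: str            # the microservice the path routes to
    method: str
    path: str
    account: Optional[str]  # None when the caller is unauthenticated
    ts: float               # epoch seconds
    body: dict = field(default_factory=dict)


@dataclass
class Decision:
    allow: bool
    layer: str   # "<layer>/<rule>" that decided, or "none" when allowed
    reason: str


# A rule returns a reason string to deny, or None to let the next rule look.
Rule = Callable[[Request], Optional[str]]
Layer = Tuple[str, List[Tuple[str, Rule]]]


def global_rules() -> List[Tuple[str, Rule]]:
    """Owned by the central security team and applied to every service."""
    blocked_networks = ("198.51.100.",)  # constructed block list (TEST-NET-2)

    def bad_source(r: Request) -> Optional[str]:
        return "source in global block list" if r.src_ip.startswith(blocked_networks) else None

    def no_trace(r: Request) -> Optional[str]:
        return "TRACE not permitted anywhere" if r.method == "TRACE" else None

    return [("block-list", bad_source), ("method", no_trace)]


def geo_rules() -> List[Tuple[str, Rule]]:
    """Owned by a regional team: checkout is served only where goods ship."""
    ship_to = {"US", "CA"}  # constructed

    def checkout_geo(r: Request) -> Optional[str]:
        if r.service == "checkout" and r.country not in ship_to:
            return f"checkout not served in {r.country}"
        return None

    return [("ship-to", checkout_geo)]


class PurchaseLimit:
    """Business-logic rule owned by the checkout team: at most `limit` orders
    per account inside a sliding window of `window` seconds. This is the kind
    of limit a reseller bot tries to defeat, enforced at the edge rather than
    only inside the application."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.history = defaultdict(list)  # account -> timestamps of accepted orders

    def __call__(self, r: Request) -> Optional[str]:
        if r.service != "checkout" or r.method != "POST":
            return None
        if r.account is None:
            return "checkout requires an authenticated account"
        h = self.history[r.account]
        h[:] = [t for t in h if r.ts - t < self.window]  # slide the window
        if len(h) >= self.limit:
            return f"account {r.account} exceeded {self.limit} orders per {int(self.window)}s"
        h.append(r.ts)
        return None


def service_rules() -> List[Tuple[str, Rule]]:
    return [("purchase-limit", PurchaseLimit(limit=2, window=60))]


def build_layers() -> List[Layer]:
    """Order matters: the broadest ownership evaluates first."""
    return [("global", global_rules()), ("geo", geo_rules()), ("service", service_rules())]


def evaluate(r: Request, layers: List[Layer]) -> Decision:
    """Walk the layers in order; the first deny wins and names its owner."""
    for layer_name, rules in layers:
        for rule_name, rule in rules:
            reason = rule(r)
            if reason:
                return Decision(False, f"{layer_name}/{rule_name}", reason)
    return Decision(True, "none", "allowed")


if __name__ == "__main__":
    layers = build_layers()
    for ts in (0, 1, 2, 60):
        d = evaluate(Request("203.0.113.5", "US", "checkout", "POST", "/checkout", "acct-1", ts), layers)
        print(ts, d)
```

Because every `Decision` names the layer and rule that fired, the log line for a block tells the responder which team's policy produced it, which is most of what "division of responsibility" buys you in practice. Adding a rule for one microservice touches only that service's list; the global and geographic layers stay untouched.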
As a final thought, there are some specific advantages with the F5 Distributed Cloud WAAP offering. Out of the box, you get a high-speed fabric for application ingress that is unattainable by most organizations. The platform is completely managed, so worries about global availability and infrastructure uptime can be a thing of the past. You just need to worry about administering the security of it... which can also be managed by F5. Finally, a unified platform for application visibility is a very powerful benefit. Having the flexibility to use bot defense or DoS protection or endpoint-specific defenses based on the client-to-application traffic flows as they happen is an amazing power to be given, as a front-line security practitioner or even as a CISO. You can watch our journey to put it to community use here on our 'Build It Live' live stream:
When Gartner announced their decision to throw in the towel on the WAF magic quadrant and focus, more conceptually, on WAAP, I must admit... I was skeptical of the need for change at first. Years later, I completely get it. As we witness more and more applications rising up and out of the data center, I get it. As we witness applications that are really made up of hundreds of other tiny applications begin to dominate the technology landscape on the open internet, I get it. APIs and cloud present completely different challenges to and solutions for all of our security professionals - our front-line security operations people all the way up to the CISO. WAAP is the logical evolution of WAF, as a concept, which can help us meet the majority of our modern data security challenges with a real solution.
As APIs are the future, this will only become more and more relevant.