WAF is dead - long live WAAP

Web applications and APIs have been an attractive target for cyber criminals for years and are a constant challenge for IT security. How can the security gaps they contain be eliminated, or at least prevented from being exploited? As with WAFs, there are specialized API security solutions for this purpose, and combined solutions for protecting web applications and APIs are used more and more frequently. This has given rise to the acronym WAAP, which stands for Web Application and API Protection.


This article consists of two parts. This first part shows how modern security solutions counter these threats with multiple protection mechanisms and artificial intelligence. The second part deals with how an identity-based zero-trust architecture can be implemented to protect cloud-native applications in particular from unauthorized access.


The real weak point is the human being

Around half of all web applications and APIs are vulnerable today (source). The cause is almost always human error, whether in programming or in configuration. Hacks and leaks are therefore unfortunately commonplace and can lead to irreparable damage to a company's image and to major financial losses.


Improvements from development to operation

In order to increase the security of web applications, all stages of the software life cycle must be addressed, from development to operation. The reason is simple: the earlier a vulnerability is found, the faster and cheaper it is to fix. Training and sensitizing software developers and architects tackles the problem at the root, even if this will never provide 100% security.

In addition, regular penetration tests by security experts are necessary, but they are time-consuming and only ever a snapshot. To reduce the error rate, people therefore need further technical support. This includes automated testing tools that detect dangerous areas in the code or known security gaps in open source libraries. However, even these tools cannot rule out that a vulnerability is discovered only once the application is already live.

This is why another measure is needed: exposed and sensitive data must also be protected during operation. The credit card industry recognized this very early on and explicitly prescribes protection by a web application firewall (WAF) in its industry security standard (PCI DSS 4.0). Such a WAF is placed between the user and the running web application and protects the application from attacks and misuse even if all other measures have failed.

From WAF to WAAP

In addition to web applications, APIs are becoming increasingly popular, not least because modern web applications and many mobile apps obtain their data via APIs. However, APIs bring new and specific problems with them, and OWASP therefore published its own top 10 list of API security risks in 2019. As with WAFs, there are specialized API security solutions for this. Combined solutions for protecting web applications and APIs are also being used more and more frequently, which has given rise to the acronym WAAP, Web Application and API Protection. The scope of a WAAP solution includes the following functional areas: Web Application Firewall, API Security, Denial of Service Protection and Bot Defense. In addition to benign search engine crawlers, there are more and more unwanted bots that collect information without authorization or carry out automated attacks remotely controlled by cyber criminals.

Virtual plasters as a quick stopgap

WAAP makes life difficult for all unwanted visitors, whether amateur hackers or professional cyber criminals, while remaining invisible to normal, authorized users. Ideally, the protective measures can even ward off previously unknown attacks. An important additional benefit of WAAP is “virtual patching”: what happens if a serious vulnerability in an application becomes known during operation? On average, it takes over 250 days (source) for a critical vulnerability to be fixed. Until the fix is available, WAAP operators can create a virtual patch that immediately prevents the vulnerability from being exploited. Even if an application patch will be available soon, a virtual patch shortens the vulnerability window further, and the update can then be tested and rolled out without time pressure.

How does WAAP actually work?

Application firewalls work on layer 7 of the OSI model and can intercept numerous threats such as injections, cross-site scripting (XSS) and other attacks. Protection is therefore provided for the server application and its data, not for the browser or device accessing it. From a technical perspective, it is usually a reverse proxy that terminates the encrypted (HTTPS) connection, controls the data flow in both directions and modifies it if necessary. Alternatively, the protection functions are embedded in the application itself; this variant is called Runtime Application Self-Protection (RASP) and is less common because integration into the application is significantly more complex.

A variety of protection mechanisms are used to prevent the different types of attack:

  • Negative security filters: Block lists are used to detect and block suspicious patterns and known types of attack such as cross-site scripting or injection attacks.
  • Positive security filters: The best security is achieved if you know exactly what the application expects. These filter rules block everything that is not explicitly permitted. Such a white list can be created using a learning mode; in the case of APIs, an existing interface specification can be used for this.
  • Authentication and access control: The attack surface can be significantly reduced if only authorized users can access the application. In cooperation with an identity provider, each user is authenticated in advance, so an attacker without valid access cannot even start looking for vulnerabilities.
  • Rate limiting & quotas: Limiting the throughput makes brute force attacks or content scraping more difficult. Ideally, these limits depend on the identity of the caller, especially for API calls.
  • Anomaly detection: Artificial intelligence can be used to detect conspicuous deviations from “normal” user behavior. If there is a suspicion that an unwanted bot is at work, a new login or a captcha can be requested.
  • Threat intelligence: Some users may be less trustworthy simply because of their location or IP address. This allows requests from the darknet, or from anyone deliberately disguising their origin, to be rejected.
  • Cookie protection: Cookies are often used to track user sessions in a web application. WAAP solutions can prevent the modification of cookies and thus also session hijacking.
  • Session protection: A hidden token prevents cross-site request forgery attacks, in which the logged-in victim triggers unwanted actions without being aware of it.
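To make the interplay of these mechanisms concrete, here is an added example that is not code from the article or from Airlock: a minimal request-policy function in the style of a WAAP reverse proxy, combining a negative-security block list (including a constructed virtual-patch rule of the kind described in the "virtual plasters" section), a positive-security model derived from a constructed API specification, the authentication precondition and a per-identity rate limit. All paths, patterns, limits and sample requests are constructed assumptions for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Positive security model (constructed, as if derived from an API spec):
# (method, path pattern) -> allowed query parameters and their formats.
API_SPEC = {
    ("GET", re.compile(r"^/api/orders/\d+$")): {},
    ("GET", re.compile(r"^/api/orders$")): {"page": re.compile(r"^\d{1,3}$")},
}
# Negative security model: generic attack signatures plus one constructed
# "virtual patch" that blocks a hypothetical vulnerable endpoint until fixed.
BLOCK_PATTERNS = {
    "xss": re.compile(r"<\s*script|javascript:", re.I),
    "sqli": re.compile(r"\bunion\s+select\b|\bor\s+\d+\s*=\s*\d+", re.I),
    "virtual-patch-export": re.compile(r"^/api/export$"),
}

RATE_LIMIT = 5                  # requests per identity per window (assumed)
WINDOW_SECONDS = 60.0
_history = defaultdict(deque)   # identity -> timestamps of recent requests

def rate_limited(identity, now):
    """Sliding-window quota per authenticated identity."""
    q = _history[identity]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False

def evaluate(method, path, query, identity, now=None):
    """Return ("allow", None) or ("block", reason) for one request."""
    now = time.time() if now is None else now
    if identity is None:                      # user must be authenticated first
        return "block", "unauthenticated"
    if rate_limited(identity, now):
        return "block", "rate-limit"
    for name, pat in BLOCK_PATTERNS.items():  # negative filters on path and values
        if pat.search(path) or any(pat.search(v) for v in query.values()):
            return "block", name
    for (m, path_re), params in API_SPEC.items():  # then the positive model
        if m == method and path_re.match(path):
            for key, value in query.items():
                if key not in params or not params[key].match(value):
                    return "block", "param:" + key
            return "allow", None
    return "block", "not-in-spec"
```

A real WAAP would apply the same checks to headers, bodies and cookies and would learn the positive model from traffic or an OpenAPI document instead of a hand-written table.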

OWASP Top 10

The Open Web Application Security Project (OWASP) regularly publishes a top 10 list of the most common vulnerabilities in web applications; there is a corresponding ranking for APIs. These lists are well suited to raising awareness and for training.

The often-cited OWASP Top Ten vulnerabilities are just the tip of the iceberg. There are numerous other attack vectors against APIs and web applications, each of which requires different protection mechanisms. Modern WAAP solutions therefore combine positive and negative security models. Classic pattern recognition is also supplemented with machine learning, which is particularly suitable for combating bots and automated attacks (including DDoS).

On-premise or cloud form factor

Gone are the days of perimeter security, when classic WAFs were simply placed at the company boundary to control access from outside. Nowadays, both the applications and the users are often located outside the company. This is why WAAP solutions are increasingly moving to the cloud: in the spirit of SaaS, there are now numerous “WAAP as a Service” offerings, and even content delivery providers now offer simple protection functions for web applications.

Part 2: Zero trust with distributed access control

The shift to the cloud and the increasing mobility of employees lead to new attack surfaces. How can an identity-based zero trust architecture be implemented in this environment? How can cloud-native applications in particular be protected against unauthorized access?

You can find our answers in Part 2: Distributed WAAP with Microgateways.
