11 Reasons Your WAF Can’t Secure Your APIs

Dan Gordon | August 29, 2023

What is a WAF?

WAF (web application firewall) technology is mature, with capabilities for protecting your web applications that have been recommended by security organizations such as OWASP (the Open Web Application Security Project) and compliance standards such as PCI-DSS (the payment card industry's security requirements). As a result, some type of WAF is deployed in most organizations and covers typical Layer 7 vulnerabilities and other common threats exploited by automated scanners.

WAFs work by inspecting each incoming and outgoing request and comparing it against a combination of rule-based logic, parsing, and signatures to detect and prevent web application attacks such as cross-site scripting and SQL injection. If the WAF detects a potentially dangerous request, it can block it from reaching your web application.

WAFs are an important part of securing your web applications, but they are not enough on their own.

What WAFs are missing

WAFs are not effective at protecting APIs. Protecting APIs requires a different core set of capabilities that WAFs don't have (even the "next generation" ones). To do this effectively, here's what Traceable has that WAFs don't:

  • API runtime detection and protection
  • Ability to detect unknown attacks
  • Ability to see 3rd party APIs
  • Ability to see East-West traffic
  • Ability to see inside encrypted traffic
  • User behavior tracking
  • Proactive posture management
  • Data loss prevention (DLP) for APIs
  • API security testing - DAST for APIs
  • External attack surface analysis
  • Broad and deep coverage

API runtime detection and protection

WAFs specialize in stopping web application attacks but fall short in addressing API attacks like those in the OWASP API Top 10, often because they treat APIs like ordinary web transactions. API attacks are distinct: they span multiple transactions and demand contextual awareness for effective detection and blocking, something WAFs lack.

By tracking user and application behavior, and identifying anomalies across seemingly unrelated transactions, Traceable detects and protects against this wider range of API-based attacks: OWASP API Top 10 issues, business logic attacks, data leaks, and digital fraud.

Ability to detect unknown attacks

WAFs use rules and signatures to identify known attacks. This means they can't detect and block new attack behaviors that haven't been seen before and for which no rule has yet been written. Since APIs work together to form business logic that is specific to each application, every API business logic attack is effectively a zero-day (unknown) attack, which a WAF won't catch.

Traceable uses application and user behavioral analysis to detect and block unknown attacks.

Ability to see 3rd party APIs

WAFs watch the whole environment that contains the applications, not how different applications talk to each other, including through their APIs. As a result, WAFs don't identify 3rd party API traffic any differently from other application traffic.

Traceable watches all API transactions, which means it can identify APIs connecting with 3rd party tools such as Salesforce and PayPal, and with sites that have more nefarious intentions, such as phishing sites. More importantly, Traceable analyzes the headers and bodies of all transactions, so it can see and block all the sensitive data leaving your organization through these 3rd party API calls.

Ability to see East-West traffic

WAFs watch the edge traffic (North-South) of the whole environment that contains all the applications, but they typically do not see the traffic of the different application components talking to each other. This can mean missing critical business logic context required to detect and stop API-based attacks.

Traceable can see all traffic, including East-West. Due to the multitude of ways it can collect data (see "Broad and deep coverage"), it can easily fit into all architectures and organizations, ensuring that it sees and protects API transactions at more than just the edges of the applications.

Ability to see inside encrypted traffic

WAFs cannot detect malicious payloads or see sensitive data inside API transactions unless they are configured as encryption termination points, which requires extra configuration that is not a natural part of the application flow.

Traceable can analyze and detect issues inside encrypted traffic when using either in-app data collection or eBPF-based data collection. This enables Traceable to satisfy PCI/PHI zone requirements while still having visibility into encrypted traffic.

User Behavior Tracking

WAFs do not track user behavior; they operate on IP addresses. This means they cannot identify and stop users who are exploiting API business logic vulnerabilities or abusing APIs for fraud.

Traceable can track, and block based on, exactly which users are logged in, or their session information, using the API's full request context. This is important because:

  • Knowing who the user is allows many customers to block based on the user instead of the IP address.
  • IP addresses keep changing, and it's easy for hackers to obtain new ones.
  • Many organizations route their users through gateways, so blocking one IP would block every user in that organization.
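The contrast drawn here and under "Ability to detect unknown attacks" above, as an added Python example that is not Traceable's code: a per-request signature check of the kind a rule-based WAF applies, beside a cross-transaction check keyed on the authenticated user read from the bearer token rather than on the source IP. The traffic, the hypothetical endpoint /api/v1/orders/{id}, the token format and the threshold of five distinct objects are all constructed for the example.

```python
import base64
import json
import re
from collections import defaultdict
from typing import Optional

# A few signatures of the kind a rule-based WAF applies to each request on its own.
SIGNATURES = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),  # SQL injection fragment
    re.compile(r"(?i)<script\b"),              # cross-site scripting
    re.compile(r"\.\./"),                      # path traversal
]
ORDER_ID = re.compile(r"^/api/v1/orders/(\d+)$")  # hypothetical endpoint for the sample

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(sub: str) -> str:
    """Constructed JWT-shaped token (header.payload.signature) for the sample traffic."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url({'sub': sub})}.sig"

def subject_from_bearer(auth_header: str) -> Optional[str]:
    """Read the 'sub' claim from a bearer JWT. Verifying the signature is the API's
    job; detection only needs the identity the API itself is going to act on."""
    if not auth_header.startswith("Bearer "):
        return None
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the stripped padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload)).get("sub")
    except (ValueError, UnicodeDecodeError):
        return None

def _req(ip: str, sub: str, path: str) -> dict:
    return {"ip": ip, "path": path, "body": "", "auth": f"Bearer {make_token(sub)}"}

# Constructed traffic. Three employees sit behind one corporate egress address and
# each read two of their own orders; one account walks other people's order IDs
# while rotating its source address. Every single request is syntactically innocent.
TRAFFIC = []
for sub, ids in (("u-alice", (1, 2)), ("u-bob", (3, 4)), ("u-carol", (5, 6))):
    TRAFFIC += [_req("203.0.113.10", sub, f"/api/v1/orders/{i}") for i in ids]
TRAFFIC += [_req(f"198.51.100.{n}", "u-attacker", f"/api/v1/orders/{9000 + n}")
            for n in range(1, 9)]

def signature_alerts(traffic) -> list:
    """The WAF model: each request is judged in isolation against the signatures."""
    return [r["path"] for r in traffic
            if any(s.search(r["path"] + " " + r["body"]) for s in SIGNATURES)]

def enumeration_alerts(traffic, key: str = "user", threshold: int = 5) -> set:
    """The behavioural model: flag any principal that touched more than `threshold`
    distinct order objects across the whole window. `key` selects the principal:
    the authenticated user from the bearer token, or the source IP address."""
    seen = defaultdict(set)
    for r in traffic:
        m = ORDER_ID.match(r["path"])
        if not m:
            continue
        principal = subject_from_bearer(r["auth"]) if key == "user" else r["ip"]
        if principal is not None:
            seen[principal].add(m.group(1))
    return {p for p, ids in seen.items() if len(ids) > threshold}

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(TRAFFIC))            # []
    print("flagged by user:", enumeration_alerts(TRAFFIC, "user"))  # {'u-attacker'}
    print("flagged by IP:  ", enumeration_alerts(TRAFFIC, "ip"))    # {'203.0.113.10'}
```

The signature pass finds nothing, because nothing in any one request is malformed. Keyed on the user, the cross-transaction count isolates the one account that read eight different orders. Keyed on the IP, the same count does both things the bullets above warn about: it flags the shared gateway address (six orders from three legitimate users) and misses the rotating attacker (one order per address).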

Proactive posture management

WAFs are generally focused on runtime application protection and do not track API inventories or show their vulnerabilities.

Traceable automatically identifies all API endpoints (internal, external, shadow, zombie, 3rd party) and proactively performs risk assessments on each one, including identifying known vulnerabilities. This is done by continuously monitoring HTTP/HTTPS traffic.
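An added Python sketch (not Traceable's code) of the inventory step this section describes: endpoints are derived from observed traffic by templating identifier path segments, then compared against a declared OpenAPI-style path list to separate documented, shadow (seen but undeclared) and zombie (declared but never seen) endpoints, and any endpoint that answered 2xx without a credential is called out as a first risk signal. The log line format, the paths and the spec are constructed for the example.

```python
import re
from collections import defaultdict

# Path segments that look like identifiers (integers, UUIDs, long hex ids) collapse
# to {id}, so that /users/42/orders/7 and /users/43/orders/9 count as one endpoint.
_ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{24,})$",
    re.I)
_SPEC_PARAM = re.compile(r"\{[^}]+\}")
# Constructed access-log shape: "METHOD path status auth=yes|no"
_LOG_LINE = re.compile(r"^(\w+) (\S+) (\d{3}) auth=(yes|no)$")

def normalize_path(path: str) -> str:
    """Drop the query string and template identifier segments."""
    path = path.split("?", 1)[0]
    segments = ["{id}" if _ID_SEGMENT.match(s) else s for s in path.strip("/").split("/")]
    return "/" + "/".join(segments)

def normalize_spec_path(path: str) -> str:
    """OpenAPI-style templates ({userId}, {orderId}) map onto the same {id} placeholder."""
    return _SPEC_PARAM.sub("{id}", path)

def build_inventory(log_lines, spec) -> dict:
    observed = defaultdict(lambda: {"hits": 0, "unauth_2xx": 0})
    for line in log_lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than stop collecting
        method, raw_path, status, auth = m.groups()
        endpoint = f"{method} {normalize_path(raw_path)}"
        observed[endpoint]["hits"] += 1
        if status.startswith("2") and auth == "no":
            observed[endpoint]["unauth_2xx"] += 1
    declared = {f"{m} {normalize_spec_path(p)}" for m, p in spec}
    return {
        "documented": sorted(ep for ep in observed if ep in declared),
        "shadow": sorted(ep for ep in observed if ep not in declared),
        "zombie": sorted(ep for ep in declared if ep not in observed),
        "unauthenticated": sorted(ep for ep, s in observed.items() if s["unauth_2xx"]),
    }

# Constructed sample: what the traffic shows versus what the developers declared.
SAMPLE_LOG = [
    "GET /api/v1/users/42 200 auth=yes",
    "GET /api/v1/users/43?expand=orders 200 auth=yes",
    "GET /api/v1/users/42/orders/7 200 auth=yes",
    "GET /api/v1/users/42/orders/9 200 auth=yes",
    "POST /api/v1/users/42/orders 201 auth=yes",
    "GET /api/v1/health 200 auth=no",
    "GET /api/v1/internal/debug/config 200 auth=no",  # never declared, no credential
    "GET /api/v0/users/42 200 auth=yes",               # old version still answering
    "this line is garbage and must not break the collector",
]
SPEC = [
    ("GET", "/api/v1/users/{userId}"),
    ("DELETE", "/api/v1/users/{userId}"),              # declared, never observed
    ("GET", "/api/v1/users/{userId}/orders/{orderId}"),
    ("POST", "/api/v1/users/{userId}/orders"),
    ("GET", "/api/v1/health"),
]

if __name__ == "__main__":
    for bucket, endpoints in build_inventory(SAMPLE_LOG, SPEC).items():
        print(f"{bucket}: {endpoints}")
```

The shadow list is where the debug endpoint and the forgotten v0 API surface; the zombie list is a reminder that a declared DELETE route has no traffic to validate its controls against; and the unauthenticated list is the obvious first cut for a risk review, since a health check answering without credentials is expected while a config endpoint doing so is not.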

Data loss prevention (DLP) for APIs

Some WAFs can monitor for a static list of PII types, mask them, and track PII seen in headers, but they are built around non-API frameworks, which makes it hard for them to automatically recognize PII within API calls (as seen in the recent Duolingo data breach).

Traceable provides an actively maintained set of PII dictionaries, separated into data sets for multiple cases such as HIPAA, PCI-DSS, AWS credentials, and geo-specific PII. Traceable looks for matching key-value pairs throughout the API traffic, including within bodies and payloads.
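The key-value scan this section describes, as an added Python example that is not Traceable's code: three small dictionaries (card numbers with a Luhn check, AWS access key IDs, e-mail addresses) are applied to every key-value pair of a decoded JSON body, however deeply nested, and the findings drive redaction of a copy of the body. The dictionaries, the JSON body and the field names are constructed for the example; the access key ID value is the one AWS uses in its own documentation and is not a live credential.

```python
import re
from typing import Any, Dict, List, Optional

def luhn_ok(number: str) -> bool:
    """Luhn check-digit test; characters that are not digits are ignored first."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

# One dictionary per data set. "keys" matches field names, "value" matches the content
# itself, and "validate" rejects values that have the right shape but fail a checksum.
DICTIONARIES: Dict[str, dict] = {
    "PCI-DSS": {
        "keys": re.compile(r"(?i)(card(_?number)?|(^|_)pan($|_)|cc_?num)"),
        "value": re.compile(r"^(?:\d[ -]?){12,18}\d$"),
        "validate": luhn_ok,
    },
    "AWS credentials": {
        "keys": re.compile(r"(?i)(aws_?)?(access_?key|secret)"),
        "value": re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$"),
        "validate": None,
    },
    "Contact PII": {
        "keys": re.compile(r"(?i)e-?mail"),
        "value": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
        "validate": None,
    },
}

def _classify(key: Optional[str], value: str, path: str) -> List[dict]:
    """A value that matches (and validates) is a high-confidence finding on its own;
    a suggestive key with an unrecognised value is only a low-confidence one."""
    findings = []
    for dataset, d in DICTIONARIES.items():
        shape_ok = bool(d["value"].match(value))
        value_hit = shape_ok and (d["validate"] is None or d["validate"](value))
        key_hit = key is not None and bool(d["keys"].search(key))
        if value_hit:
            findings.append({"path": path, "dataset": dataset, "confidence": "high"})
        elif key_hit:
            findings.append({"path": path, "dataset": dataset, "confidence": "low"})
    return findings

def scan(node: Any, path: str = "$") -> List[dict]:
    """Walk a decoded JSON body and report every key-value pair that hits a dictionary."""
    findings: List[dict] = []
    if isinstance(node, dict):
        for k, v in node.items():
            child = f"{path}.{k}"
            findings += _classify(k, v, child) if isinstance(v, str) else scan(v, child)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            child = f"{path}[{i}]"
            findings += _classify(None, v, child) if isinstance(v, str) else scan(v, child)
    return findings

def redact(node: Any, findings: List[dict]) -> Any:
    """Return a copy of the body with every flagged value replaced."""
    flagged = {f["path"] for f in findings}
    def walk(n: Any, path: str) -> Any:
        if isinstance(n, dict):
            return {k: walk(v, f"{path}.{k}") for k, v in n.items()}
        if isinstance(n, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(n)]
        return "***REDACTED***" if path in flagged else n
    return walk(node, "$")

# Constructed response body: real PII in nested objects, plus two decoys
# (a card-shaped reference number that fails Luhn, and a free-text note).
SAMPLE_BODY = {
    "user": {"id": 42, "email": "jane@example.com"},
    "payment": {"card_number": "4111 1111 1111 1111", "exp": "12/26"},
    "integration": {"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", "secret": "rotate-me-later"},
    "notes": ["call 555-0100"],
    "order_ref": "4111111111111112",
}

if __name__ == "__main__":
    found = scan(SAMPLE_BODY)
    for f in found:
        print(f"{f['confidence']:4} {f['dataset']:15} {f['path']}")
    print(redact(SAMPLE_BODY, found))
```

The shape-plus-checksum rule is what keeps the decoy `order_ref` out of the findings while still catching a card number written with spaces, and the two-tier confidence is what lets a `secret` field with an unrecognised value be reported without being blocked on the strength of its name alone.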

API security testing - DAST for APIs

WAFs don't provide proactive security testing of APIs; it's just not what they are built to do. Not security testing APIs before production can lead to costly vulnerabilities in production and, worse, to their exploitation.

Traceable provides API security testing that can be run from a CI/CD pipeline and/or manually to find vulnerabilities and misconfigurations in APIs before they are exposed in production.

But it's not just typical security testing. Traceable uses its access to, and analysis of, live API traffic to simplify the setup for testing APIs. Traceable does this by:

  • Using Traceable generated specifications or importing developer-provided specifications
  • Replaying live traffic to create test attacks and more accurate fuzzing data
  • Using authentication from live traffic to avoid authN setup for testing

External attack surface analysis

WAFs provide visibility of the traffic that goes through them, an inside-out view based on the edges where they are deployed. They have limited visibility of the entire application attack surface from an outside-in view.

Traceable provides an external attack surface analysis capability (called Sonar) which scans and prods your applications from the outside looking inward to identify exposed and attackable APIs. This outside-in view enhances the discovery of publicly exposed APIs and the detection of vulnerabilities and misconfigurations they might have.

Broad and deep coverage

WAFs only analyze and block the traffic going through the WAF itself.

Traceable can collect data and block from a multitude of technologies, such as:

  • Load balancers
  • API management tools and API gateways
  • Proxies
  • Kubernetes & meshes
  • Serverless architectures
  • Using out-of-band traffic mirroring techniques
  • From within the apps themselves

Most application architectures have traffic flowing through many of these different technologies.

Better together

Traceable adds API intelligence and protection to your existing WAFs by integrating with them and leveraging them as security control points. If you have WAFs (and who doesn’t) then consider the need for API security, as WAFs are not built for this. Traceable was built from the ground up as a complete API security platform, focused on securing application microservices and API-driven cloud apps. Enhance your WAFs with intelligent API security capabilities with Traceable AI.

About Traceable

Traceable is the industry’s leading API Security company that helps organizations achieve API protection in a cloud-first, API-driven world. With an API Data Lake at the core of the platform, Traceable is the only intelligent and context-aware solution that powers complete API security – security posture management, threat protection and threat management across the entire Software Development Lifecycle – enabling organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, book a demo with a security expert.
