Why WAF Solutions Cannot Keep APIs Completely Safe?


Application Programming Interfaces (APIs) are the building blocks of today's applications, from maps and fitness-tracking apps to login authentication, banking apps, and customer service communications in e-commerce apps, and they account for more than 80% of all internet traffic. Enterprises are making APIs an integral part of their growth strategies with end customers and third parties, shifting from monolithic on-premises software to cloud-based applications.

Their popularity and widespread use did not go unnoticed by threat actors who are abusing APIs more and more as a favorite attack vector. According to research and advisory firm Gartner, API abuse will be the most frequent attack vector resulting in data breaches for enterprise web applications by 2022.

To defend against cyberattacks, enterprises have been relying on Web Application Firewalls (WAFs) solutions for decades, trusting that the filtering, monitoring, and blocking of malicious traffic to their servers would keep their enterprise cybersafe. Although this worked well in the past, it has become more and more ineffective during the last few years.

One reason is that API attacks are complex, consisting of technical and functional attacks. Technical API attacks consist of abusers exploiting known vulnerabilities using bots and DDoS techniques, and disrupting service using brute force, credential stuffing, etc. These types of attacks require functionality-agnostic, policy-based protection. Functional API attacks consist of legitimate users exploiting vulnerabilities for personal gain and manipulating APIs to disrupt business logic. These types of attacks require full payload analysis.

Another reason is that the traditional perimeter no longer exists, since organizations are increasingly using cloud-native infrastructure and moving data and operations to the cloud. This has resulted in new attack vectors, new opportunities for leaks, new challenges, and the need for a new approach to security.

But enterprises are still relying on WAF technology, trusting that their advanced perimeter firewalls will be able to identify and mitigate these new types of cyberattacks. This is a misconception. For instance, in the case of an account takeover attack, in which an abuser gains access to an account inside an organization, the WAF solution will only detect attacks injected into isolated web requests and not, for example, (spear) phishing attacks. This is especially problematic for enterprises with a large attack surface, which often fall victim to threat actors taking over privileged accounts or stuffing credentials to gain access to the system undetected by WAF solutions. Furthermore, WAF solutions cannot prevent the exfiltration of account data from privileged accounts.

All this poses a huge problem, since enterprises need to protect their ever-growing number of enterprise applications and APIs. The rapid publishing and updating of APIs often leaves unseen, yet major, API vulnerabilities, which puts an enormous burden on the development teams tasked with keeping their companies' APIs secure. Although WAF vendors are adding more features to their WAF solutions to move closer to comprehensive web application and API protection (WAAP), this is simply not enough.

Therefore, it's time for a new approach, where each API is protected separately to shield it from complex attack patterns involving multiple APIs and sessions, and from attacks that are correlated in time but not connected by type.
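To make the distinction concrete, here is an added example (not L7 Defense's code) contrasting a stateless per-request signature rule with a cross-request correlator, run over a constructed access log: the injection payload is caught by the signature, but the credential-stuffing run, whose every request is individually clean, is visible only when login attempts are correlated per source over time. The log entries, IP addresses, field layout and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample API access log (not real traffic): (ts_seconds, src_ip, path, status, body)
EVENTS = [
    (0, "203.0.113.5",  "/api/search", 200, "q=shoes' OR 1=1--"),
    (1, "198.51.100.9", "/api/login",  401, "user=alice&pass=hunter2"),
    (2, "198.51.100.9", "/api/login",  401, "user=bob&pass=hunter2"),
    (3, "198.51.100.9", "/api/login",  401, "user=carol&pass=hunter2"),
    (4, "198.51.100.9", "/api/login",  401, "user=dave&pass=hunter2"),
    (5, "198.51.100.9", "/api/login",  200, "user=erin&pass=hunter2"),
    (6, "192.0.2.7",    "/api/login",  401, "user=frank&pass=oops"),
    (7, "192.0.2.7",    "/api/login",  200, "user=frank&pass=correct"),
]

# Stateless, per-request signature rule of the kind a classic WAF applies.
INJECTION_SIG = re.compile(r"('|\")\s*or\s+1\s*=\s*1", re.IGNORECASE)

def waf_per_request(event):
    """Return True if this single request, viewed in isolation, matches an injection signature."""
    return bool(INJECTION_SIG.search(event[4]))

def correlate_logins(events, window=60, min_users=4):
    """Stateful check: flag a source IP that tries >= min_users distinct usernames
    against /api/login within `window` seconds. No single request is suspicious;
    only the cross-request pattern reveals credential stuffing."""
    seen = defaultdict(list)   # src_ip -> [(ts, username)]
    flagged = set()
    for ts, ip, path, status, body in events:
        if path != "/api/login":
            continue
        m = re.search(r"user=([^&]+)", body)
        if not m:
            continue
        seen[ip].append((ts, m.group(1)))
        recent_users = {u for t, u in seen[ip] if ts - t <= window}
        if len(recent_users) >= min_users:
            flagged.add(ip)
    return flagged

def compare(events):
    """Summarise what each approach catches on the same log."""
    waf_hits = [e for e in events if waf_per_request(e)]
    return {
        "waf_flagged_requests": len(waf_hits),
        "waf_flagged_login_requests": sum(1 for e in waf_hits if e[2] == "/api/login"),
        "stuffing_sources": sorted(correlate_logins(events)),
    }
```

Running `compare(EVENTS)` shows the signature rule flagging only the search request, while the correlator identifies the stuffing source that the per-request view never sees.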

To learn more, send us an email to info@l7defense.com
