Cloud WAAPs Are the Future of Application Security. But What Does That Mean?

Millions of Verizon FIOS broadband users vulnerable to hackers controlling and surveilling their home networks.

Thousands of GPS watches whose maps were open to attackers tracking and eavesdropping on children and elderly users.

A zero-day hole in Microsoft’s Edge and Internet Explorer browsers that could reveal usernames and passwords.

What’s the common denominator for these security vulnerabilities, all revealed last month (April 2019) alone? In all of these cases, poorly-secured APIs were to blame.

It’s not a surprise that APIs are fast becoming an attacker’s best friend. For the past decade, enterprises have been actively moving away from monolithic applications in favor of microservices-based application architectures that are accessible to external developers and services. Such open architectures enable more instant, agile forms of digital business to flourish, leading some pundits to declare that we are living in an API Economy.

However, APIs can also become points of entry for intruders, or easy targets for DDoS attacks.

Enterprises are starting to realize the danger. According to the CyberThreat Defense Report 2019 survey of IT and security leaders, deployments of API protection such as gateways were the fastest-growing category in 2018, increasing 6.1% to 51.2% of enterprises deployed in early 2019. Moreover, API protection remains the hottest security technology, with 38.8% of respondents saying it is currently planned for acquisition.

Protecting APIs isn’t the only thing on IT buyers’ lists. Cloud applications and services are also become hugely popular — and a huge surface for attack, too. Enterprises are recognizing this, and investing. According to the CyberThreat Defense Report, more than half of organizations are retraining existing IT security staff to tackle cloud security challenges.

They’re also demanding that their security vendors provide them with not only Web Application Firewalls (WAFs) to protect them, but also solutions like Runtime Application Self-Protection (RASP), which 34% of enterprises are planning to deploy, according to the CyberThreat Defense Report 2019.

Gartner analysts Jeremy D’Hoinne and Adam Hils have coined an acronym for what they see as the next stage of application security — cloud-based Web Application and API Protection, or WAAP for short.

In a recent report, D’Hoinne and Hils offer what they think will be the core features defining a state-of-the-art cloud WAAP service, what future capabilities cloud WAAP services are adding, and the key risks IT must anticipate when evaluating a cloud WAAP service.

They also offer concrete predictions, such as: “By 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine DDoS protection, bot mitigation, API protection and web application firewalls (WAFs). This is an increase from fewer than 10% today.”

And: “Organizations could gain increased visibility and control through agents deployed on application back ends.”

(Note: Imperva already offers an integrated suite of application security solutions offering all of the above, including DDoS protection, bot mitigation, web application firewall, API protection, and our agent-based RASP product, acquired from Prevoty and recently updated. And to accommodate your business wherever it is on its digital journey, we can protect your infrastructure whether it is primarily on-premises, in the cloud, or equally split between both (hybrid).)

For any business or IT decisionmaker involved with their company’s web application or network security, the Gartner report is essential reading. Get your copy along with other useful research and data from Imperva.com’s Resource Library.

***

Gartner, Defining Cloud Web Application and API Protection Services, 26 February 2019, Jeremy D’Hoinne, Adam Hils

Keep your finger on the pulse

Sign up for updates from Imperva, our affiliated entities and industry news.