WAF vs. API Gateways vs. API Security — What They Are and Why They’re Important


The cybersecurity space is rife with terminology. With a growing number of attack types, security tools, and methodologies, it’s hard to keep track of what each one is and how it differs from the rest. This can make it difficult for companies working towards a stronger security posture to know where to start.

To help make things a little clearer, we’re taking a closer look at three prevalent concepts in the industry — WAF, API gateways, and API security. These are three important pillars in a cybersecurity strategy, which in turn is a core driver to business success.

Web Application Firewall (WAF)

What It Is:

A WAF is a security tool that protects web applications from application-layer (HTTP) attacks such as cross-site scripting, SQL injection, cookie poisoning, and application-layer DDoS such as HTTP request floods. It does this by inspecting HTTP requests on their way into the application and, on many products, responses on their way out: requests that match its policy are blocked, and sensitive data that should not leave the application (card numbers, stack traces) can be masked or dropped. Most commonly deployed as a reverse proxy, though host-based modules that plug into the web server also exist, a WAF applies a set of policies (rules) that define what malicious traffic looks like, and acts as an intermediary so that blocked traffic never reaches the web application server. Note that a WAF on its own does not absorb volumetric, network-layer DDoS; that is a job for upstream scrubbing or CDN capacity.

Today, WAFs are delivered in a number of ways: as a hardware or virtual appliance, as software (including modules embedded in the web server), or as a cloud service. Each can be configured with policies tailored to the application it protects, and those policies need continual review, both because new attack techniques appear and because application changes create new gaps and new false positives. Some WAFs add machine learning to profile normal traffic and flag anomalies, or to update their signatures automatically. These still need tuning: a rule that blocks legitimate customers tends to get switched off in a hurry, so the usual practice is to run new rules in detect-only mode and enforce them once the false-positive rate is understood.
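To make the policy-based decision concrete, here is a miniature request and response inspector in Python. It is added here as an illustration and is not code from the original post or from any WAF product. The rule names, regexes, hypothetical paths and sample requests are all constructed for this example; a production rule set such as the OWASP Core Rule Set is far larger and scores requests rather than blocking on a single match. What it shows is the part of the design that matters in practice: every parameter is decoded before the rules see it (otherwise double URL encoding slips past), and the outbound side is a separate policy, here masking Luhn-valid card numbers.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote_plus

# Hypothetical rule set for this example: (rule name, pattern). Each pattern is
# applied to every decoded parameter value. Production rule sets such as the
# OWASP Core Rule Set are far larger and score requests instead of blocking on
# a single hit; the shape of the decision is the same.
REQUEST_RULES = [
    ("sqli-tautology",    re.compile(r"(?i)['\"]\s*or\s+\S+\s*=\s*\S+")),
    ("sqli-union-select", re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b")),
    ("xss-script-tag",    re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(?:load|error|click|mouseover|focus)\s*=")),
]

# Response-side policy: a 13-19 digit run that also passes the Luhn check is
# treated as a payment card number and masked before it leaves the application.
CARD_RE = re.compile(r"\b\d{13,19}\b")


@dataclass
class Request:
    method: str
    path: str
    query: str = ""            # raw query string
    body: str = ""             # raw form body (application/x-www-form-urlencoded)
    headers: dict = field(default_factory=dict)


@dataclass
class Verdict:
    allowed: bool
    matched: list              # (rule name, location, parameter name)


def _inspectable_values(req):
    """Yield (location, name, value) for every field a rule should see."""
    for loc, raw in (("query", req.query), ("body", req.body)):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            for v in values:
                # parse_qs decodes once; decoding again catches double encoding
                # (%2527 -> %27 -> '), a common WAF-evasion trick.
                yield loc, name, unquote_plus(v)
    for name, v in req.headers.items():
        if name.lower() in ("cookie", "user-agent", "referer"):
            yield "header", name, v


def inspect_request(req, rules=REQUEST_RULES):
    """Apply the request policy; any match blocks the request."""
    matched = [
        (rule, loc, name)
        for loc, name, value in _inspectable_values(req)
        for rule, pattern in rules
        if pattern.search(value)
    ]
    return Verdict(allowed=not matched, matched=matched)


def _luhn_ok(digits):
    """Luhn checksum, so that order numbers that merely look numeric are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def filter_response(body):
    """Mask card numbers in an outbound response; returns (body, count masked)."""
    count = 0

    def mask(m):
        nonlocal count
        s = m.group(0)
        if not _luhn_ok(s):
            return s
        count += 1
        return "*" * (len(s) - 4) + s[-4:]

    return CARD_RE.sub(mask, body), count


if __name__ == "__main__":
    # Constructed sample traffic: a double-encoded tautology and a leaky response body.
    attack = Request("GET", "/search", query="q=%2527+OR+1%3D1--")
    print(inspect_request(attack))
    print(filter_response('{"card": "4111111111111111", "order": "1000000000000000"}'))
```

Equally instructive is what does not trigger a rule: an authenticated request for a hypothetical /api/orders/1002 looks entirely legitimate to this layer, because there is no signature to match. That is the gap the API security section below returns to.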

Why It’s Important:

As web applications grow more capable, they rely on more data from customers, partners, and providers, and they need to be secure enough to protect those data troves from actors who would misuse them. For financial services, healthcare, or public-sector applications, all of which hold and share a wealth of sensitive personal information, a WAF is a necessary baseline control, and one that standards such as PCI DSS have long listed as an accepted way to protect public-facing web applications.

Application Programming Interface (API) Gateway

What It Is:

API gateways are also reverse proxies, sitting in front of an API or a group of microservices. They accept API calls from clients as a single point of entry, then route each call to the relevant service or microservice (sometimes fanning one client call out to several services), collect the responses, and return the result to the client.

Sitting where they do, API gateways are also the natural place to standardise how an organisation's apps, data, and services, as well as its internal and external consumers, exchange information.

Beyond routing, API gateways typically support other API management functions, including authentication, analytics, and rate limiting. Within a microservices-based architecture they can fulfil multiple functions, including:
  • Protocol translation
  • Request and response transformation, and light aggregation logic (heavier business logic belongs in the services)
  • Authentication and security policy enforcement
  • Load balancing
  • Monitoring and logging
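The functions above can be seen together in a small in-process gateway, added here as an example and not code from the original post or from any gateway product. The route table, the API-key table, the header names and the upstream hostnames are constructed for this example; a real gateway would validate OAuth or JWT tokens against an identity provider rather than a static key table. The order of the checks is the security-relevant part: authenticate first, rate limit per verified client, route only known prefixes, and hand the upstream a verified identity instead of the raw credential.

```python
import time
from dataclasses import dataclass

# Constructed for this example: upstream services keyed by path prefix, and a
# static API-key table standing in for a real token validator.
ROUTES = {
    "/orders": "http://orders-svc.internal:8080",
    "/users": "http://users-svc.internal:8080",
}
API_KEYS = {
    "key-alpha-123": "client-alpha",
    "key-beta-456": "client-beta",
}


@dataclass
class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `refill_per_sec`."""
    capacity: int
    refill_per_sec: float
    tokens: float
    last: float

    def take(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self, routes=ROUTES, api_keys=API_KEYS, capacity=5,
                 refill_per_sec=1.0, clock=time.monotonic):
        self.routes = routes
        self.api_keys = api_keys
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock             # injectable so tests can control time
        self.buckets = {}              # one bucket per authenticated client

    def handle(self, method, path, headers):
        """Return a routing decision as a dict (no network I/O in this example)."""
        # 1. Authenticate first: unknown callers never reach rate limiting or
        #    routing, so they cannot learn which paths exist.
        key = next((v for k, v in headers.items() if k.lower() == "x-api-key"), "")
        client = self.api_keys.get(key)
        if client is None:
            return {"action": "reject", "status": 401, "reason": "missing or unknown API key"}

        # 2. Rate limit per client identity (not per source IP, which shared
        #    NATs and botnets make unreliable).
        now = self.clock()
        bucket = self.buckets.setdefault(
            client, TokenBucket(self.capacity, self.refill_per_sec, self.capacity, now))
        if not bucket.take(now):
            return {"action": "reject", "status": 429, "reason": "rate limit exceeded", "client": client}

        # 3. Route on the longest matching prefix; anything unrouted is refused
        #    rather than forwarded to a default backend.
        prefix = max((p for p in self.routes if path == p or path.startswith(p + "/")),
                     key=len, default=None)
        if prefix is None:
            return {"action": "reject", "status": 404, "reason": "no route", "client": client}

        # 4. Strip the client credential and pass the verified identity to the
        #    upstream, which must still decide what this client may access.
        fwd_headers = {k: v for k, v in headers.items() if k.lower() != "x-api-key"}
        fwd_headers["X-Client-Id"] = client
        return {"action": "forward", "client": client,
                "upstream": self.routes[prefix] + path, "headers": fwd_headers}


if __name__ == "__main__":
    gw = Gateway(capacity=3)
    for _ in range(4):      # the fourth call in a burst of four is rate limited
        print(gw.handle("GET", "/orders/42", {"X-API-Key": "key-alpha-123"}))
    print(gw.handle("GET", "/orders/42", {}))
```

The X-Client-Id header the gateway injects is only trustworthy if the upstream services accept traffic solely from the gateway (network policy or mutual TLS); otherwise a client can set it directly.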

Why It’s Important:

The API economy has been growing steadily over the last decade: APIs make it easier to take products to market and let tools and services share information. However, APIs tend to differ greatly from one to the next, so a standardised way of communicating with them, which an API gateway provides, is important for getting the most out of them.

From a security standpoint, API gateways are useful because they keep internal service addresses and topology hidden and give you one place to enforce authentication, TLS, request schema validation, and rate limits. Their position as a reverse proxy that sees every request also lets them cut off whole classes of abuse, such as unauthenticated or excessive traffic. The limit is that a gateway only protects the traffic that flows through it: an API deployed without being registered (a shadow API), or reachable by another path, gets none of this. And a gateway verifies that a caller is who they claim to be, not that they are allowed to touch the particular object they asked for.

Beyond that, API gateways offer a number of benefits, including:
  • Hiding the complexity of a microservices architecture from clients
  • Supporting monitoring and analytics for API traffic
  • Protecting APIs from being overused or abused
  • Maintaining a consistent point of contact for clients, even when APIs are changed or updated

API Security

What It Is:

APIs have become the building blocks of modern applications, keeping users and applications connected to data and services. They enable critical business operations and functions across sectors, helping organisations to leverage available technologies and information. However, all the traits that make APIs such a vital part of today’s tech landscape — including their ability to share information quickly — also make them appealing targets for bad actors. Malicious API attack traffic surged 117% over the past year.

API security is the practice of protecting APIs from threats and vulnerabilities. Done properly, it combines a variety of techniques, such as:
  • Promoting secure API design and development
  • Security testing, including API fuzzing
  • Maintaining a robust and dynamic API inventory (you cannot protect an endpoint you do not know about)
  • Implementing continuous authentication and authorization, checked on every request and at the level of the individual object being accessed
  • Deploying runtime protection
  • Blocking attackers rather than attacks, i.e. cutting off the account or client that is probing the API rather than only the one request that happened to match a rule

Why It’s Important: 

Web application firewalls and API gateways aren't necessarily equipped to handle API security on their own. Unlike a web front end, APIs have a set of challenges that make them difficult to secure in the same manner:
  • The API landscape is always changing, making it challenging to stay up to date on new and updated endpoints.
  • Bad actors use low-and-slow attacks on APIs, crafting a unique probe for each API and targeting a specific weakness, so there is rarely a signature to match.
  • Shift-left tactics don't cover all the bases with APIs, because static and design-time checks don't find business-logic gaps, such as an endpoint that returns whatever record the caller asks for by ID without checking that the record is theirs.
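
The business-logic gap in that last bullet is worth seeing in code, so here is an added example, not code from the original post or any product: a vulnerable order lookup beside its hardened form, and a small runtime check for the low-and-slow enumeration pattern. The order table, account names, the hypothetical "support" role and the thresholds are constructed for this example. The request that exploits the vulnerable handler is authenticated and contains no malicious payload, which is exactly why a WAF rule set and a gateway both pass it.

```python
from dataclasses import dataclass

# Constructed sample data: each order records the account that owns it.
ORDERS = {
    1001: {"id": 1001, "account": "alice", "total": 49.90},
    1002: {"id": 1002, "account": "bob", "total": 820.00},
    1003: {"id": 1003, "account": "bob", "total": 15.50},
}


@dataclass(frozen=True)
class Principal:
    """Caller identity as established upstream (gateway, session, or token)."""
    account: str
    roles: frozenset = frozenset()


def get_order_vulnerable(principal, order_id):
    """Authenticated, but the handler never asks whether the order is the
    caller's. The request carries no attack signature for a WAF and a valid
    credential for the gateway, so both let it through."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_hardened(principal, order_id):
    """Object-level authorization on every request. 'Not yours' is answered
    exactly like 'does not exist' so the endpoint cannot be used to discover
    which ids are real."""
    order = ORDERS.get(order_id)
    permitted = order is not None and (
        order["account"] == principal.account or "support" in principal.roles)
    if not permitted:
        return 404, None
    return 200, order


def leaked_ids(handler, principal, candidate_ids):
    """Simulate an id-walking attacker: which ids did the handler hand over
    that do not belong to the caller?"""
    leaked = []
    for oid in candidate_ids:
        status, order = handler(principal, oid)
        if status == 200 and order["account"] != principal.account:
            leaked.append(oid)
    return leaked


class EnumerationDetector:
    """Runtime check for the low-and-slow pattern: one principal touching many
    distinct object ids within a window. Returns True when the caller crosses
    the threshold, which is the moment to block the caller, not the request."""

    def __init__(self, max_distinct=10, window_sec=3600):
        self.max_distinct = max_distinct
        self.window_sec = window_sec
        self.seen = {}   # account -> {order_id: last_seen_time}

    def observe(self, account, order_id, now):
        ids = self.seen.setdefault(account, {})
        ids[order_id] = now
        for oid in [o for o, t in ids.items() if now - t > self.window_sec]:
            del ids[oid]
        return len(ids) > self.max_distinct


if __name__ == "__main__":
    alice = Principal("alice")
    ids = range(1000, 1010)
    print("vulnerable leaks:", leaked_ids(get_order_vulnerable, alice, ids))
    print("hardened leaks:  ", leaked_ids(get_order_hardened, alice, ids))
```

The detector is deliberately keyed on the authenticated account rather than the source IP, since an attacker spreading requests across addresses still has to present the same credential; it also shows why "blocking attackers vs. attacks" matters, because each individual request in the walk is indistinguishable from a legitimate one.
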

As organizations continue to strengthen their security posture and protect their web applications, APIs, and microservices, it will be important to use all three of these functions together, since each covers ground the others miss. At the end of the day, attackers are always on the lookout for chinks in the armor, and a layered strategy is what keeps them out.

Ali Cameron

About the Author: Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire's State of Security blog, she's also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that's well suited for writing in the cybersecurity space. She is also a regular writer for Bora.
