API Security - vendors look to develop NG-WAFs

API security is now a central concern for Web Application Firewalls (WAF).  For over a decade, WAFs have been  a necessary component of most web-based applications deployments. WAFs typically sit inline and protect inbound and outbound corporate traffic against vulnerabilities. These vulnerabilities have been cataloged by OWASP Top 10 for over 15 years. 2017, marks the first year where API security has made it in the OWASP Top 10 RC1.

Radware, a WAF solution provider has published an interesting article titled "Why there is no API security" where they make the following key points:

No single part of the application, nor any part of normal Internet filtering firewall defense, has enough visibility into the context to stop business exploits. Some examples of business logic exploits are:

• Modification of authentication flags and privilege escalations Business constraint exploitation/modification or business logic bypass to generate fraudulent transactions

• Requested parameter modification Developer’s cookie tampering and business process/logic bypass 

• Exploiting clients’ side business routines embedded in JavaScript, Flash, or Silverlight Identity or profile extraction 

• LDAP parameter identification and critical infrastructure access 

Business logic attacks are not trivial in their consequences and are successful on even the largest organizations. A few of the large organizations that fell victim to business logic flaws are Facebook, Nokia, and Vimeo.

Radware's perspective clearly shows that WAFs have to extend their world-view to address API security. It's not just about protecting websites - with APIs becoming a connective tissue of all portal, device, and cloud communications, corporations are looking at Next Generation WAFs to now include significant API-awareness and API-borne threat mitigation capabilities.