Why Web Application Firewalls (WAFs) are inadequate against API Attacks

Sep 18, 2024
appsentinels

During our various customer interactions, we often discuss how the Appsentinels solution differs from a Web Application Firewall (WAF) in protecting against API attacks.

The core difference is that the Appsentinels API Security Platform knows the context of what it is protecting, while unfortunately a WAF does not.

Let me explain why I am saying this and why this is important:

WAFs were built two decades ago to protect web applications. There is no standard way to describe what a web application does and how to interact with it. Given that challenge, WAFs start from a negative security model, i.e., a denylist. Such an approach leverages a library of threats or known attacks (which by definition puts it behind the times) in the form of regular expressions describing patterns to look for in the traffic. To execute this denylist, a WAF matches regexes within a single network session; it has no context with which to understand either the application or the user's behaviour. In summary, WAFs are general-purpose security solutions that protect every web application in the same manner, regardless of the application's functionality and purpose.
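The contrast drawn above, as an added example that is not Appsentinels' code nor any real WAF's rule set: a constructed two-pattern regex denylist applied to a flattened request, beside a positive per-endpoint contract check. The `/orders` schema, the field names and the sample requests are all assumptions made for the illustration.

```python
import re
from typing import Any, Dict, List

# Constructed denylist: the kind of signature library a WAF ships with.
# It can only flag what someone has already written a pattern for.
DENYLIST = [re.compile(r"(?i)\bunion\b\s+\bselect\b"),
            re.compile(r"(?i)<script\b")]

# Constructed positive model for one assumed endpoint, POST /orders:
# which fields may appear, which must appear, and their types.
ORDER_SCHEMA = {
    "required": {"product_id", "quantity"},
    "types": {"product_id": int, "quantity": int, "note": str},
}

def waf_denylist(request: Dict[str, Any]) -> List[str]:
    """Negative model: flag the request only if a field matches a known-bad regex."""
    blob = " ".join(f"{k}={v}" for k, v in request.items())
    return [p.pattern for p in DENYLIST if p.search(blob)]

def api_positive_model(request: Dict[str, Any], schema: Dict[str, Any]) -> List[str]:
    """Positive model: reject anything the endpoint contract did not declare."""
    errors = []
    for name in sorted(schema["required"] - request.keys()):
        errors.append(f"missing required field {name}")
    for name, value in request.items():
        expected = schema["types"].get(name)
        if expected is None:
            errors.append(f"undeclared field {name}")
        elif type(value) is not expected:   # 'is not' so bool is not accepted as int
            errors.append(f"field {name} expected {expected.__name__}")
    return errors

# Constructed sample requests.
CLEAN = {"product_id": 7, "quantity": 2, "note": "gift wrap please"}
# Contract violations with no known-bad signature: the denylist stays silent.
OFF_CONTRACT = {"product_id": 7, "quantity": "10", "coupon": "SPRING"}
# A string that happens to match a shipped signature: the denylist fires.
SIGNATURE_HIT = {"product_id": 7, "quantity": 1, "note": "union  select"}

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("off-contract", OFF_CONTRACT), ("signature", SIGNATURE_HIT)]:
        print(label, "| denylist:", waf_denylist(req), "| contract:", api_positive_model(req, ORDER_SCHEMA))
```

The off-contract request shows the gap the text describes: nothing in it resembles a known attack, so the denylist passes it, while the contract check rejects both the undeclared field and the mistyped quantity.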