Imperva
A New Common Sense of "WAAP" to Protect Web Applications from Diversifying Threats
Summary of this article in 3 lines
- "WAAP" is a concept proposed by Gartner to protect web applications from various threats, and consists of four elements: WAF, malicious bot countermeasures, DDoS countermeasures, and WebAPI protection.
- Increasingly diverse and sophisticated threats require dedicated solutions for each threat type.
- There are total solutions based on the concept of "WAAP" that provide comprehensive security functions.
Introduction
Are you familiar with the term WAAP when it comes to web application security?
The web application environment has changed dramatically in recent years. Changes in the environment include the shift from on-premises to cloud/hybrid environments, changes in development (DevSecOps), increased use of APIs, and developments in various technology areas such as virtualization, containers, and orchestration technologies. With these changes, traditional product groups such as WAF are no longer sufficient for web application security measures.
So, what specific measures are required for modern web applications? WAAP, which we introduce here, provides a framework for considering appropriate security as the environment changes and new threats appear. In this blog, we consider the security measures currently required for web applications based on the concept of WAAP.
Table of contents
- What is "WAAP"?
- Diversifying threats to web applications
  2.1. WAF
  2.2. Measures against malicious bots
  2.3. DDoS countermeasures
  2.4. API security
- Total solution and WAAP
What is "WAAP"?
WAAP (Web Application and API Protection) is a concept proposed by Gartner in the US as an evolved version of cloud-based WAF. It defines the security requirements for modern web applications, and consists of a total of four elements, with three additional elements added to the traditional WAF.
| Name | Functions provided |
| --- | --- |
| WAF | Blocking attacks that target web application vulnerabilities |
| Measures against malicious bots | Detection and blocking of access and attacks that use malicious tools, including hoarding (scalping) and unauthorized logins |
| DDoS countermeasures | Blocking attacks that place high loads on web services, so that the service stays available |
| Web API protection | Detection and blocking of various attacks on web APIs |

Diversifying Threats to Web Applications
This section explains each of the non-WAF items and threats that make up WAAP.
Measures against malicious bots
■Threats and trends
Bots are generally tools that perform automated tasks, and they are very useful tools. On the other hand, bots are often abused. Such bots are called "malicious bots" and they mechanically access websites and negatively impact business.
Examples of malicious bots are shown below.
- Scraping
  Information published on websites can be collected efficiently by scraping. Competitors seeking a competitive advantage may steal your information or use it to undercut your lowest price.
- Scalping
  Because bots can automatically execute operations on web applications, scalping by malicious bots occurs frequently on e-commerce sites. As a result, ordinary users cannot buy what they want, customer satisfaction and brand image decline, and users abandon the site. From the e-commerce site's perspective the items still sell, but if scalping by malicious bots is left unaddressed it ultimately harms the business.
- Account takeover (ATO)
  For many services, all that is needed to log in to an account is an ID and a password. If an attacker uses a bot to repeatedly attempt logins and check whether each one succeeds or fails, account IDs and passwords may be compromised (account hijacking).
Malicious bots are used for such fraudulent activities.
Furthermore, data shows that malicious bot communications are increasing year by year, and account for approximately 30% of all internet traffic. As the number of malicious bots increases, many anti-bot solutions have been developed, but there are also sophisticated bots that can evade such countermeasures.
■About countermeasures
To combat malicious bots, it is essential to have a dedicated solution that can identify and block them with high accuracy. It is important not only to block communications from malicious bots, but also to avoid affecting the usability of the site or non-malicious communications. For example, CAPTCHA authentication is very commonly used to distinguish bots from people, but it imposes a tedious task on users, which can lead to users turning away. It can also block non-malicious bots such as Google crawlers. Advanced, dedicated protection solutions provide effective protection against malicious bots without these side effects.
DDoS countermeasures
■Threats and trends
DDoS attacks are attacks that place a significant load on services. Additionally, web services are made up of various elements, and if one of them goes down due to a DDoS attack, the entire web service will be affected. Therefore, countermeasures must be taken for all elements that make up the web service. In particular, countermeasures are extremely important because the impact range is large when the web server itself or DNS server goes down.
In fact, cases of damage caused by DDoS attacks are increasing, and their targets are becoming more diverse. DDoS attacks from all angles against web services are increasing, including Layer 7 DDoS attacks targeting the application layer, Layer 3-4 DDoS attacks targeting the network layer, and DDoS attacks against DNS services. Defense methods for DDoS attacks differ depending on the target, so countermeasures suitable for each attack are required.
Additionally, the purposes for which attackers conduct DDoS attacks are diversifying, and for example, the following DDoS attacks have been increasing in recent years.
- Ransom DDoS (RDoS)
  There have been reports of attackers conducting DDoS attacks and demanding a ransom to stop them, continuing the attack in order to obtain money.
- DoW (Denial of Wallet) attack
  There are cases where cybercriminals target serverless applications on pay-as-you-go cloud services and try to inflate the victim's bill to the cloud provider.
- DDoS as a smokescreen
  We have observed cases where a DDoS attack is used as a smokescreen, with attacks that are highly profitable for the attacker, such as account takeover (ATO), carried out during or after it.
DDoS attacks like this can target anyone at any time. Additionally, with the increase in DDoS attack services (CaaS: Cybercrime-as-a-Service), anyone can easily carry out large-scale DDoS attacks. By industry, DDoS attacks against financial services tend to be the most likely to increase, but similar trends can be seen across all industries. Additionally, not only the number of attacks but also their scale has grown, with the largest DDoS attack observed by Imperva in 2022 being more than three times the size of the previous year.
■About countermeasures
Regarding DDoS attacks, it is important to take measures that keep the service available to ordinary users even while an attack is in progress. However, the content of DDoS attack traffic may be identical to that of ordinary users, making attack traffic difficult to identify. Therefore, for DDoS countermeasures it is essential to have a solution specifically designed for DDoS attacks, with functions such as detecting attack traffic with high precision in real time, mitigating quickly to minimize downtime, alert notifications, and reporting of analysis results.
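Both the bot/ATO section above and this DDoS section point out that attack requests can look exactly like ordinary user requests, so detection rests on per-source behaviour over time rather than on request content. The following added example (not code from the original post, Imperva or Macnica) runs two sliding-window checks over constructed access log lines in an assumed "timestamp ip method path status user" format: a Layer 7 request flood from one source, and credential stuffing, where one source produces failed logins against many different accounts.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the page); format is an assumption:
# "timestamp ip method path status user" with user "-" for non-login requests.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.9 GET /index 200 -
2024-05-01T10:00:01 203.0.113.7 POST /login 401 alice
2024-05-01T10:00:02 203.0.113.7 POST /login 401 bob
2024-05-01T10:00:03 203.0.113.7 POST /login 401 carol
2024-05-01T10:00:04 203.0.113.7 POST /login 401 dave
2024-05-01T10:00:05 203.0.113.7 POST /login 200 erin
2024-05-01T10:00:06 198.51.100.9 POST /login 401 frank
2024-05-01T10:00:07 198.51.100.9 POST /login 200 frank
""" + "".join(f"2024-05-01T10:00:{8 + i // 10:02d} 192.0.2.44 GET /search 200 -\n"
              for i in range(25))  # 25 requests from one source within 3 seconds


def parse_line(line):
    ts, ip, method, path, status, user = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status), user


def detect(log_text, rate_limit=20, rate_window=10, stuffing_limit=4, stuffing_window=60):
    """Return {ip: set of findings}. "l7_flood": more than rate_limit requests
    inside rate_window seconds; "credential_stuffing": failed logins against
    stuffing_limit or more distinct accounts inside stuffing_window seconds."""
    findings = defaultdict(set)
    recent = defaultdict(deque)    # ip -> timestamps of requests in the window
    failures = defaultdict(deque)  # ip -> (timestamp, user) of failed logins
    for line in log_text.splitlines():
        ts, ip, method, path, status, user = parse_line(line)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > rate_window:  # drop expired entries
            q.popleft()
        if len(q) > rate_limit:
            findings[ip].add("l7_flood")
        if method == "POST" and path == "/login" and status == 401:
            f = failures[ip]
            f.append((ts, user))
            while (ts - f[0][0]).total_seconds() > stuffing_window:
                f.popleft()
            if len({u for _, u in f}) >= stuffing_limit:  # many accounts, one source
                findings[ip].add("credential_stuffing")
    return dict(findings)
```

The thresholds are illustrative; a single source failing once on its own account (198.51.100.9 above) is deliberately not flagged, which is the usability point the text makes about not blocking legitimate traffic.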
API security
■Threats and trends
Many familiar web services, including online payments, which are now indispensable in daily life, are based on web APIs. Because APIs often handle confidential information such as personal information, attacks targeting APIs are becoming a trend. Additionally, APIs are often released with security risks in them, and incidents such as personal information leaks have actually occurred in countries around the world. Therefore, it is important to implement measures with dedicated solutions for APIs as well.
■About countermeasures
During API development, the development team continually adds features to the API. The security team is required to work with the development team to implement API security measures during both the development and operation phases. To further strengthen API security, it is important to visualize API risks and detect and block unauthorized communications based on the actual communication destination and request content.
For more information on API security, please take a look at our separate blog.
https://mnb.macnica.co.jp/2023/02/post-32.html
Total solution and WAAP
WAAP focuses on the above four elements, but these are not the only security measures that should be taken in web applications. Other examples include the following elements:
- CSP (Client Side Protection)
  A mechanism that protects clients from website tampering, preventing information from being stolen by malicious third parties.
- Secure CDN
  Delivers site content quickly and stably, improving user convenience and system availability.

In situations like this, where a wide range of security measures is required, an effective approach is to implement a total solution. In addition to the four core elements of WAAP, Imperva Cloud WAF provides a comprehensive set of security measures for web applications. By choosing a total solution, you can achieve effective and comprehensive security.
If you are interested in web application security, please contact us below.
Next time preview
In the next installment, we will provide an in-depth look at API Protection.
Inquiry/Document request
Imperva team, Macnica Co., Ltd.
- TEL:045-476-2010
- E-mail:imperva-info@macnica.co.jp
Weekdays: 9:00-17:00