WAAP (Web Application and API Protection)とは?

Web app and API protection (WAAP) refers to an integrated set of security services that work together to mitigate security risks from APIs and web applications.

WAAP solutions protect against application security risks from vulnerability exploits, bots, automated attacks, denial of service, fraud and abuse, and insecure third-party API integrations. 

Integrated security controls allow organizations to improve visibility with actionable insights that can stop specific attacks as well as identify coordinated threat campaigns that span multiple threat vectors.

Application programming interfaces (APIs) are the most common way to connect users, applications, and services to each other in a modern IT environment. Most modern apps are built using APIs—software interfaces that enable applications or services to communicate and allow for interactivity between products and services in the form of requests and responses. However, more APIs means more attack surface. As APIs become more common and are distributed across microservices architectures, additional infrastructure is needed to ensure scalability and security.

For microservices‑based applications, an API gateway acts as a single point of entry into the system and is responsible for request routing, composition, and policy enforcement. It handles some requests by simply routing them to the appropriate backend service, and handles others by invoking multiple backend services and aggregating the results.

API gateways also have built-in security features to protect APIs from common threats and also provide critical security functions, including managing the access control, authentication, and authorization for your APIs, ensuring that only authenticated and authorized users can access them.

An API gateway can be deployed in front of a Kubernetes cluster as a load balancer (multi-cluster level), at its edge as an Ingress controller (cluster-level), or within it as a service mesh (service-level). For API gateway deployments at the edge and within the Kubernetes cluster, it’s best practice to use a Kubernetes-native tool as the API gateway. Such tools are tightly integrated with the Kubernetes API, support YAML, and can be configured through standard Kubernetes CLI.

Using an API gateway alongside a WAAP solution can provide additional security layers that complement each other.  For instance, an API gateway primarily focuses on managing and securing access to APIs while a WAAP solution protects web applications and APIs from a wide range of security threats, including OWASP Top 10 vulnerabilities, DDoS attacks, and bot traffic, and offers advanced features such as threat intelligence and behavior-based anomaly detection.  

魅力的で安全性の高いデジタル エクスペリエンスで顧客を引き付けることはビジネスに必要不可欠であり、セキュリティおよびリスク対策担当者にとっても大きなポイントとなっています。リスクか報酬かを計算してセキュリティと使い勝手のバランスをとることは、現在の新しいデジタル経済の時代に入り、企業にとってこれまでになく困難かつ重要でありながら、利益を生むものともなっています。

前例のない選択肢が登場し、不満や障害に対するお客様の許容度は低下し、規制の影響は増大しており、従来、コスト センタと考えられていたセキュリティは、競争力のあるデジタル差別化要因へと変わりつつあります。また、アプリケーションは脱集中化と分散化がますます進み、異機種混在のマルチクラウド アーキテクチャに導入され、複雑なソフトウェア サプライ チェーンやCI/CDパイプラインの中で統合されています。

The growing sophistication of bots and automated attacks and proliferation of API endpoints from increased mobile app usage and modern app development dramatically expands the threat surface and introduces unforeseen risks from third-party integrations.

The industrialized attack lifecycle begins with automation and ends with account takeover and fraud.

WAAPの主な購入基準として、有効性と使いやすさがよく挙げられます。

クラス最高レベルのWAAPは、組織がビジネスのスピードに合わせてセキュリティ体制を改善し、摩擦や過度の誤検出なしで侵害を軽減し、運用をシンプルにして、重大な脆弱性、ビジネス ロジックの悪用、予期しないリスクからハイブリッドのマルチクラウド アーキテクチャを一貫して保護するのに役立ちます。

主な機能は以下のとおりです。

• クラウドネイティブ インフラストラクチャとアプリケーション スタック全体にわたる、共通の可観測性
• ダイナミックなAPI Discoveryと実施
• 攻撃者のツールの巧妙化、エスカレーション、回避時のレジリエンス