Why does anyone need it?

Whether your organization is just getting started hosting web applications or already has an arsenal of security tools like RASP, SAST, DAST, CVM and CNAPP, there’s one layer that’s often overlooked: Web Application and API Protection (WAAP).

In this era of SecDevOps, shift-left testing and cloud-native protections, it might seem like WAAP is redundant. But in practice, a WAAP solution plays a critical role in defending against real-time, high-velocity and zero-day web threats that those tools simply cannot stop.

This post explores why WAAP matters, how it complements other layers of defense, and how it fits into compliance, risk mitigation and operational resilience, regardless of your current security maturity.

Let us take a step back: what exactly is a WAAP, and how does it work?

A WAAP sits inline between the user and the web application. Because most web traffic today is encrypted, it terminates TLS using the application’s certificate, decrypts the request, and inspects headers, cookies and body content for malicious patterns, signatures and malware. If the request is clean, it re-encrypts it and forwards it to the backend.


This allows it to detect and stop threats like malware, SQL injection, and remote code execution before they ever reach your app.


By comparison, runtime products such as RASP and container runtime security can only detect malicious activity after it has reached the application.


Most modern WAAP solutions contain, at a minimum, the following functionality:

• DDoS protection, both for L4 and L7 of the OSI model
• API protection – able to enforce Swagger files or OAS schemas
• Bot management – only allow the bots you want
• Web Application Firewall (WAF)
• Virtual application patching

DDoS Protection

The resilience of this function relies heavily on the platform chosen for the WAAP, but most include rate limiting by source IP as well as technology for withstanding full-on layer 4/7 DDoS attacks.

API Protection

Most modern WAAP solutions can at least define which API endpoints to allow traffic to, limit the HTTP methods permitted on them, and drop traffic to undefined API endpoints. Some also fully support enforcing Swagger files and OAS schemas defined in a CI/CD pipeline. In general this removes a lot of noise from the application by getting rid of unwarranted traffic.
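To make the endpoint and method allow-listing concrete, here is an added example (not code from the original post or from any WAAP product) that compiles a constructed, minimal OpenAPI-style paths fragment into rules and decides per request. It also normalizes the path (query string stripped, percent-decoding until stable, `..` collapsed) before matching, which is the step that keeps an encoded request from slipping past the schema; the `OAS_PATHS` dictionary and all sample requests are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed OpenAPI-style 'paths' fragment (assumption: a minimal subset of a real OAS file)
OAS_PATHS = {
    "/api/users": {"get": {}, "post": {}},
    "/api/users/{id}": {"get": {}, "delete": {}},
    "/api/orders/{orderId}/items": {"get": {}},
}

def compile_allowlist(paths):
    """Turn each OAS path template into a regex plus the set of methods it declares."""
    rules = []
    for template, operations in paths.items():
        segments = []
        for seg in template.strip("/").split("/"):
            # A {param} template segment matches exactly one non-empty path segment
            is_param = seg.startswith("{") and seg.endswith("}")
            segments.append(r"[^/]+" if is_param else re.escape(seg))
        rules.append((re.compile("^/" + "/".join(segments) + "$"), {m.upper() for m in operations}))
    return rules

def normalize_path(raw_path):
    """Drop the query string, percent-decode until stable, and collapse '.' and '..' segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded loop so double- or triple-encoded segments are seen decoded
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath("/" + path.lstrip("/"))

def evaluate(rules, method, raw_path):
    """Return (action, reason), the decision an inline WAAP would make for one request."""
    path = normalize_path(raw_path)
    for pattern, methods in rules:
        if pattern.match(path):
            if method.upper() in methods:
                return "ALLOW", "matches schema"
            return "BLOCK", "method not declared for endpoint"
    return "BLOCK", "endpoint not in schema"

RULES = compile_allowlist(OAS_PATHS)

if __name__ == "__main__":  # constructed sample: a double-encoded traversal attempt
    print(evaluate(RULES, "GET", "/api/users/%252e%252e/admin"))
```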

Bot Management

In 2024 it is estimated that over 50% of all web traffic was bots. Some of these are benign, like search-engine crawlers and performance-monitoring bots, but bad bots are estimated to make up around 32% of all internet traffic (Source). Those bots are active 24/7, scanning the entire internet for vulnerable applications, performing data scraping and so on. Being able to differentiate between them and stop the bad bots not only reduces noise on the application side, but also keeps your applications off the radar of the threat actors operating the bots.

Web Application Firewall (WAF)

A WAF inspects web traffic for malware, SQL injection, remote code execution and so on. It does this by standing between the user and the web application. Since almost all web traffic today is encrypted, the WAAP holds the certificate and DNS record of the web application and decrypts each request. It then looks through the entire request, from headers and cookies to the body, scanning for signatures or potentially harmful content.

If nothing malicious is found, it re-encrypts the request and forwards it to the actual web application. This means malicious content can be stopped before it ever enters the application.

Virtual Patching

The last, but possibly most important, function is virtual patching. As you may know, most web applications contain a myriad of combined technologies hosting different parts of the application. Unfortunately, as the number of technologies increases, so does the number of vulnerabilities.

Every month, even every week, new vulnerabilities are published for these platforms, whether Apache, Node.js or others, and the vendors release patches as quickly as they can. But from when a vulnerability is first discovered until the vendor releases a patch may be several days and, in some cases, even weeks. In that window there is often little to be done: one may set up scans to check whether the vulnerability has been triggered by a threat actor, but without a WAAP there is little to prevent an attack. And as many of you know, the moment a CVE is published is often when attempted exploitation spikes, with thousands upon thousands of automated bots instructed by threat actors to scan for vulnerable systems within hours.

If the CVE is severe enough, organizations might be forced to shut down their applications or isolate them from the internet until a patch is released. In other cases, patching might not be possible until the next window of planned downtime. Most serious WAAP vendors will release a virtual patch for the vulnerability to their customers within a few hours of the CVE becoming public, if not before it is publicly available. The WAAP might even block the exploit by default if the traffic does not fit current user behavior for the application. Those signatures are usually pushed from the vendors to the products at least once per 24 hours without service interruption.
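The inspection described in the WAF section and the virtual patch described here are the same mechanism: rules applied to the decrypted request before it is forwarded. The following added example (not code from the original post or from any vendor) shows a small rule engine over headers, cookies and body. `VP-HYPO-001` is a hypothetical virtual patch scoped to a made-up `/legacy/export` endpoint; the rule set, the `Request` fields and all values are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    """Decrypted request as the WAAP sees it after terminating TLS."""
    method: str
    path: str
    headers: dict
    cookies: dict
    body: str

@dataclass
class Rule:
    rule_id: str
    target: str            # "path", "headers", "cookies" or "body"
    pattern: str           # regex over the target; header/cookie pairs are matched as "name: value"
    action: str            # "block" or "log"
    path_prefix: str = ""  # scope a virtual patch to the affected endpoint only

# Constructed rule set. VP-HYPO-001 is a hypothetical virtual patch: the made-up legacy export
# endpoint only accepts letters in 'format', so any other character is blocked until the backend
# is patched. POS-COOKIE-001 is a positive-model check; LOG-001 only logs for later review.
RULES = [
    Rule("VP-HYPO-001", "body", r"format=[a-z]*[^a-z&]", "block", path_prefix="/legacy/export"),
    Rule("POS-COOKIE-001", "cookies", r"^session: (?![0-9a-f]{32}$)", "block"),
    Rule("LOG-001", "headers", r"^host: \d{1,3}(\.\d{1,3}){3}$", "log"),
]

def inspect(request, rules):
    """Return every (rule_id, action) that fires on this request."""
    hits = []
    for rule in rules:
        if rule.path_prefix and not request.path.startswith(rule.path_prefix):
            continue
        if rule.target in ("headers", "cookies"):
            values = [f"{k.lower()}: {v}" for k, v in getattr(request, rule.target).items()]
        else:
            values = [getattr(request, rule.target)]
        if any(re.search(rule.pattern, v, re.IGNORECASE) for v in values):
            hits.append((rule.rule_id, rule.action))
    return hits

def decide(request, rules=RULES):
    """BLOCK if any firing rule blocks, else FORWARD (re-encrypt and send to the backend)."""
    hits = inspect(request, rules)
    return ("BLOCK" if any(a == "block" for _, a in hits) else "FORWARD"), hits
```

Once the backend is patched, the scoped rule is simply retired; the positive-model and logging rules keep running independently of it.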


Added benefits

There are additional benefits to having a WAAP between the user and the applications. For one, the WAAP can modify requests in both directions, changing headers, URLs and so on. It can cache content, divert traffic to custom error pages and, depending on the platform, perform load balancing between applications, regions and so on.

Conclusion

Even the best shift-left testing and runtime detection tools are limited by what they see. A WAAP sits at the traffic crossroads, giving you visibility, protection, and control — all in real time and before the traffic hits the application.

As attackers scale their automation and vulnerabilities surface faster than ever, WAAP is no longer a nice-to-have. It’s a strategic necessity.

But as with all security tools, there is no silver bullet, so a layered approach combining several security tools is always the recommended solution.

Stay tuned for my next post explaining where in the infrastructure the WAAP solution fits!