Web application firewalls (WAFs), Web application and API protection (WAAP), and Application detection and response (ADR) are three paradigms for protecting applications. WAF is a mature technology, introduced in the 1990s, while WAAP and ADR are newer and offer more advanced security features. In this article I’ll explore the differences between these three solution categories, their key capabilities, and how to choose the right solution for your organization.
What Is a WAF?
Web application firewalls (WAFs) defend websites, APIs, and mobile application backends from web-based threats. They inspect HTTP requests and responses, filtering and blocking those that match attack patterns, and so protect web applications from the attacks that commonly appear in web traffic, such as injection and cross-site scripting payloads.
They are especially important for online businesses such as retailers, banks, and healthcare providers, and for social media platforms, where sensitive data must be protected from unauthorized access. A WAF can be deployed as a host-based, cloud-based, or network-based solution. Whatever the deployment, it inspects traffic at the HTTP application layer, which gives it visibility into application data that a packet-filtering network firewall does not have.
Web application firewalls matter because web applications and APIs are frequently exposed to attacks that can consume resources, disrupt operations, or leak data. They mitigate the most common web-based attacks, such as SQL injection, cross-site scripting, and simple bot traffic. Refer to this blog post for more background on the evolution and capabilities of WAFs.
How Does a WAF Work?
A WAF protects a web application by monitoring, filtering, and blocking potentially malicious HTTP/S traffic on its way to the application, and by preventing unauthorized data from leaving it. It does this by applying a rule set (policy) that distinguishes malicious traffic from legitimate traffic. The WAF sits in the request path as an intermediary, typically a reverse proxy, shielding the application servers from potentially malicious clients.
WAFs are available as software products, physical appliances, or a managed service. Their policies are customizable to the needs of the protected application or set of applications. Many WAFs need their rule sets updated regularly as new attack patterns emerge, while some also use machine learning to adapt their rules automatically.
Reverse proxies, sitting between clients like web browsers and backend servers like application servers, can be used for caching responses from backend servers. This helps improve application performance by speeding up response times for commonly used resources and reducing the load on the backend server.
Serving a cached response is also faster than generating one dynamically on the backend. Reverse proxy caching can therefore improve scalability and resource utilization during high-traffic periods and when serving static content.
Why WAF Isn’t Enough
Web application firewalls have long been a ubiquitous security control for applications. They are generally effective against attacks with recognizable request patterns, such as cross-site scripting (XSS), SQL injection, and oversized inputs aimed at buffer overflows. They are far more limited against sophisticated threats.
A signature-based WAF needs a known malicious signature to detect and block an attack. These signatures are patterns that indicate a specific attack, which is what lets the WAF recognize it. Newer attacks, and attacks crafted in real time against a specific target, often have no known signature and pass straight through.
Bot attacks and API protection are especially challenging for WAFs to handle. Bots can often mimic human behavior and tend to be distributed, allowing them to bypass safeguards such as IP-based traffic policies.
APIs are built on different architecture and logic than traditional web applications, which exposes them to flaws such as Broken Object Level Authorization (BOLA), where a user reaches another user's resources simply by changing the object identifier in a request (e.g., in a path parameter, query string, or cookie). Such a request looks entirely legitimate, so there is nothing for a signature to match. This is the root problem with WAFs: they follow a negative security model, enumerating what is known to be bad, so anything that does not match a known pattern is allowed through, new threats included.
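To make the BOLA point concrete, here is an added example (written for this article, not code from the original page) of an order-lookup handler with the flaw beside its fixed form, plus a helper that walks object ids the way an attacker would. The orders, user ids and the `ORDERS` table are constructed for the demo.

```python
# Added example, not the article's code: an order-lookup handler with a BOLA
# flaw beside its hardened form. Orders, owners and ids are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed order table: two customers, sequential ids that are easy to guess.
ORDERS = {
    1001: Order(1001, owner_id=7, total=59.90),
    1002: Order(1002, owner_id=8, total=120.00),
    1003: Order(1003, owner_id=7, total=15.50),
}


class NotFound(Exception):
    """Maps to HTTP 404."""


def get_order_vulnerable(session_user_id: int, order_id: int) -> Order:
    """BOLA: the caller is authenticated (session_user_id is trusted) but the
    handler never checks that the caller owns the object named by the
    client-supplied id. The exploiting request is a plain `GET /api/orders/1002`
    with a valid session cookie: nothing in it for a signature-based WAF to flag."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_fixed(session_user_id: int, order_id: int) -> Order:
    """Object-level authorization: look the object up, then verify ownership.
    Missing and foreign objects both yield 404 so the endpoint does not confirm
    which ids exist to a caller who is not allowed to see them."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise NotFound(order_id)
    return order


def enumerate_as_user(handler, session_user_id: int, id_range) -> list:
    """Simulates an attacker iterating ids through the handler and returns
    the ids whose orders were disclosed to this session."""
    disclosed = []
    for order_id in id_range:
        try:
            handler(session_user_id, order_id)
        except NotFound:
            continue
        disclosed.append(order_id)
    return disclosed


if __name__ == "__main__":
    # user 7 walks ids 1000..1005 against each handler
    print("vulnerable:", enumerate_as_user(get_order_vulnerable, 7, range(1000, 1006)))
    print("fixed:     ", enumerate_as_user(get_order_fixed, 7, range(1000, 1006)))
```

Running it shows user 7 reading user 8's order 1002 through the vulnerable handler and only their own orders through the fixed one. Every request in the enumeration is well-formed HTTP with an ordinary integer in the path, which is why this class of flaw has to be fixed in the handler rather than in front of it.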
What Is Web Application and API Protection (WAAP)?
Web application and API protection (WAAP) is an evolution of cloud-based WAF services that protects internet-facing applications and APIs. It addresses modern cloud-native architectures that traditional firewalls cannot protect.
In the architectures WAAP targets, web applications run on web servers exposed to the public internet, and users interact with the application's frontend through their browsers. Behind that frontend, APIs provide the services the frontend depends on: data storage, analytics, and integration with external services.
These applications are typically built as a browser-side frontend (HTML, CSS, JavaScript) talking to backend services over JSON APIs that in turn query SQL or other data stores, and they are increasingly decomposed into microservices deployed in the cloud. Every new service or function is also new attack surface, and that is the surface WAAP is meant to cover.
Web Application and API Protection Key Capabilities
A WAAP solution must be able to protect web applications against a range of attacks without requiring too much oversight. Some important features include:
- Automation and intelligence: Independently learning how to adapt to changes in applications and identify new threats.
- Microservices and API protection: Extending protection capabilities to microservices and APIs, which are increasingly targeted by attackers, rather than focusing solely on web applications.
- Next-generation web application firewall (NGWAF): Covering a broader range of threats than a purely signature-based WAF by adding behavioral and anomaly-based detection, which can catch attacks that have no known signature, including zero-day exploits.
- Runtime application self-protection (RASP): Securing each application from within its own runtime by monitoring its inputs and outputs and identifying behavioral anomalies.
- Bot protection: Preventing malicious bots from executing automated attacks against applications, including capabilities against reconnaissance, credential stuffing, or scraping.
- Distributed denial-of-service (DDoS) protection: Blocking attempts to overwhelm the web server’s resources and maintain application and API availability.
- Rate limiting: Capping the number of requests a client can make in a given time window, so that no single client can monopolize the application while legitimate users retain normal access.
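Rate limiting, and the distributed-bot problem raised under "Why WAF Isn't Enough", are easier to reason about in code. The following is an added example, not the article's or any WAAP product's implementation: a sliding-window limiter keyed on the client IP and, for the login endpoint, on the targeted account, run over a constructed stream of requests. The limits, IP ranges and timings are assumptions chosen for the demo.

```python
# Added example, not the article's code: sliding-window rate limiting keyed on
# more than the source IP, so that credential stuffing spread across many
# addresses is still throttled. Limits, IPs and the request stream are constructed.
import collections
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    ts: float                       # arrival time in seconds
    client_ip: str
    path: str
    account: Optional[str] = None   # targeted account on login attempts


class SlidingWindowLimiter:
    """Allows at most `limit` events per key in any trailing `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = collections.defaultdict(collections.deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:   # expire events outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class Policy:
    """A WAAP-style policy: a global per-IP limit plus a per-target-account limit
    on the login endpoint. Every applicable limiter is charged before the verdict."""

    def __init__(self):
        self.per_ip = SlidingWindowLimiter(limit=20, window=10.0)       # assumed limits
        self.per_account = SlidingWindowLimiter(limit=5, window=60.0)

    def decide(self, req: Request, per_ip_only: bool = False) -> str:
        verdicts = [self.per_ip.allow(f"ip:{req.client_ip}", req.ts)]
        if req.path == "/login" and req.account and not per_ip_only:
            verdicts.append(self.per_account.allow(f"login:{req.account}", req.ts))
        return "allow" if all(verdicts) else "throttle"


def distributed_stuffing(n: int = 30) -> list:
    """Constructed: n login attempts on one account, each from a different IP, 0.2s apart.
    Each IP stays far below the per-IP limit, which is the point of distributing the attack."""
    return [Request(ts=i * 0.2, client_ip=f"203.0.113.{i + 1}", path="/login", account="alice")
            for i in range(n)]


def single_ip_burst(n: int = 25) -> list:
    """Constructed: one client hammering /search 25 times within a second."""
    return [Request(ts=i * 0.04, client_ip="198.51.100.9", path="/search") for i in range(n)]


def run(stream, per_ip_only: bool = False) -> dict:
    """Apply a fresh policy to a stream and count the verdicts."""
    policy = Policy()
    counts = collections.Counter(policy.decide(r, per_ip_only) for r in stream)
    return {"allow": counts["allow"], "throttle": counts["throttle"]}


if __name__ == "__main__":
    print("stuffing, per-IP only:", run(distributed_stuffing(), per_ip_only=True))
    print("stuffing, layered:    ", run(distributed_stuffing()))
    print("single-IP burst:      ", run(single_ip_burst()))
```

With only the per-IP limit, all 30 distributed login attempts pass; adding the per-account key throttles everything after the fifth attempt, while the single-IP burst is still caught by the per-IP limit. In production the key would usually be a session or API token rather than a raw address, and the counters would live in a shared store so that all edge nodes see the same totals.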
What Is Application Detection and Response (ADR)?
Application detection and response (ADR) is a concept in application security that focuses on identifying and addressing threats at the application layer. It generally includes monitoring the application and its context in real time to identify potentially malicious activity.
ADR tools work inside the application environment, which gives them more visibility than monitoring only the network layer or the perimeter. They instrument the running software stack to provide live visibility, continuously watching application components for behavioral anomalies.
When an ADR solution detects a potential threat, it immediately alerts the security team with contextual information to support mitigation. The main objective of ADR is to find and block attacks against applications before they cause significant damage.
How Application Detection and Response Works
ADR combines application insights with real-time monitoring and automation to enable an application-focused defense strategy.
Application monitoring
Application monitoring requires continuously tracking an application’s behavior to identify anomalies or suspicious patterns. ADR embeds lightweight sensors at the application’s endpoints or relies on open source telemetry, receiving feeds of data flows, user activity, and code execution.
This fine-grained type of monitoring helps detect unusual application behavior, including excessive resource usage or unexpected crashes, which may signal a security threat. By collecting information on the runtime context, ADR helps find vulnerabilities and attack patterns that a traditional monitoring system might miss.
Profiling of open-source libraries
Applications often rely on open-source libraries, which introduce their own risks. ADR helps ensure dependencies behave safely by establishing a profile of each library's normal behavior. This baseline is then used to identify deviations, such as unusual function calls or unauthorized changes, which can indicate application compromise, for example through a supply chain attack.
For example, PyYAML, a library for deserializing data, has no business executing commands or spawning processes on the host. ADR can detect a library stepping outside its normal behavior and raise an alert regardless of whether a known vulnerability is associated with that library. This also helps stop attackers who inject malicious code into a legitimate library from having it run unnoticed.
Anomaly detection
ADR uses behavioral analysis and machine learning to identify anomalies. By analyzing runtime data, ADR can recognize application behavior that does not fit normal patterns. For example, a library whose job is logging events suddenly attempting to fetch and execute remote code is an anomaly worth flagging, regardless of whether the underlying bug has a CVE yet.
The ADR solution flags these anomalies for further investigation to verify whether they represent real threats. This helps security teams identify potential threats quickly without being swamped with false positives.
Threat analysis and alerting
After identifying potential threats, ADR analyzes them deeply to evaluate their severity and likely impact. The ADR tool goes on to correlate anomalies with known vulnerabilities and attack signatures, adding contextual information that helps understand the scope of the attack.
The tool then converts these results into actionable alerts, prioritizing threats so that the SOC can respond to the most serious threats first. This helps reduce the time needed for investigating and remediating threats to applications.
Automated response
ADR can also take some responses automatically. For example, it can stop a malicious actor by isolating and blocking the specific code function it suspects is malicious, without affecting the rest of the application. This removes the need to wait for a SOC analyst to intervene manually and shortens response time.
Suppose an application function attempts a malicious action. The ADR solution can reject that action immediately, without quarantining or terminating infrastructure such as the container or VM. The application keeps operating normally while the exploit is stopped at the point of execution.
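The four steps above (monitoring, library profiling, anomaly detection, automated response) can be shown together in one small Python runtime sensor. This is an added example written for this article, not an ADR product's code: the `yaml` and `deploy_tool` modules are constructed stand-ins built from strings rather than the real packages, the baseline profiles are assumed, and only process execution is monitored.

```python
# Added example, not the article's or any ADR vendor's code: a minimal in-process
# sensor that baselines which sensitive capabilities each third-party library is
# expected to use and rejects a single call that steps outside that baseline while
# the rest of the application keeps running. "yaml" and "deploy_tool" below are
# constructed stand-ins built from strings, not the real packages.
import subprocess
import sys
import types
from dataclasses import dataclass

# Constructed baseline profiles: the capabilities each library is expected to use.
LIBRARY_PROFILES = {
    "yaml": set(),                    # a deserializer has no reason to spawn processes
    "deploy_tool": {"process_exec"},  # a deployment helper legitimately runs commands
}


@dataclass
class Alert:
    library: str
    capability: str
    detail: str
    blocked: bool


class RuntimeSensor:
    def __init__(self, profiles, block=True):
        self.profiles, self.block, self.alerts = profiles, block, []
        self._saved_popen_init = None

    def _originating_library(self):
        """Walk the call stack outward; return the first profiled library found."""
        frame = sys._getframe(1)
        while frame is not None:
            top = frame.f_globals.get("__name__", "").split(".")[0]
            if top in self.profiles:
                return top
            frame = frame.f_back
        return None

    def _check(self, capability, detail):
        library = self._originating_library()
        if library is None or capability in self.profiles[library]:
            return                      # application code, or behaviour within baseline
        self.alerts.append(Alert(library, capability, detail, self.block))
        if self.block:                  # reject only this call; the process stays up
            raise PermissionError(f"ADR: {library} attempted {capability}: {detail}")

    def install(self):
        """Hook Popen.__init__, which subprocess.run/call/check_output all go through."""
        sensor, original = self, subprocess.Popen.__init__

        def guarded_init(popen, args, *a, **kw):
            sensor._check("process_exec", str(args))
            original(popen, args, *a, **kw)

        self._saved_popen_init = original
        subprocess.Popen.__init__ = guarded_init

    def uninstall(self):
        subprocess.Popen.__init__ = self._saved_popen_init


def make_library(name, source):
    """Build a module from source so its frames carry that library's __name__."""
    module = types.ModuleType(name)
    exec(source, module.__dict__)
    return module


# Stand-in deserializer whose unsafe loader turns attacker data into a command.
YAML_SOURCE = """
import subprocess
def safe_load(doc):
    return {"parsed": doc}
def unsafe_load(doc):
    # simulates a gadget chain: the document decides what gets executed
    return subprocess.run(doc.split(), capture_output=True, text=True).stdout
"""

# Stand-in deployment helper that runs a command as part of its normal job.
DEPLOY_SOURCE = """
import subprocess, sys
def run_step():
    cmd = [sys.executable, "-c", "print('deployed')"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout.strip()
"""


def demo():
    """Exercise both libraries under the sensor and report what happened."""
    sensor = RuntimeSensor(LIBRARY_PROFILES)
    sensor.install()
    try:
        yaml = make_library("yaml", YAML_SOURCE)
        deploy = make_library("deploy_tool", DEPLOY_SOURCE)
        result = {"normal_parse": yaml.safe_load("key: value")}
        try:
            yaml.unsafe_load("id -u")                 # attacker-controlled document
            result["gadget_blocked"] = False
        except PermissionError:
            result["gadget_blocked"] = True           # call rejected, app still running
        result["deploy_output"] = deploy.run_step()   # same syscall, within baseline
        result["alerts"] = [(a.library, a.capability) for a in sensor.alerts]
    finally:
        sensor.uninstall()
    return result
```

The same `subprocess` call is rejected when it originates from the deserializer and allowed when it originates from the deployment helper, because the decision is made on who is doing it rather than on the syscall alone; the parse that preceded the blocked call and the deploy step that followed it both complete normally. A production sensor would cover file, network and code-loading capabilities as well, learn the baselines from observed traffic instead of a hand-written table, and emit the alert with the full stack so the SOC can see which dependency misbehaved.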
ADR vs. Existing Cybersecurity Solutions
Here’s a look at how ADR helps address the gap in traditional security strategies, which often lack adequate application-level threat detection.
Web application firewall (WAF)
Many organizations rely on WAFs as their primary defense against application-level threats, but this approach has several limitations:
- Traffic-level focus: WAFs inspect HTTP traffic from outside the application. This works against known (publicized) attack signatures, but it provides no visibility into what happens inside the application once a request is accepted.
- False positives: WAFs often lack application-specific context, which makes them generate false positives. These can overwhelm security teams and cause alert fatigue.
- Vulnerability to bypass techniques: Attackers can often evade a WAF with techniques such as encoding variations, payload padding, protocol-level evasion, or exploitation of application flaws (such as authorization bugs) that are simply not visible in the traffic.
- Ineffective SOC integration: Even with a WAF installed, organizations may struggle to configure it correctly, and the WAF may not deliver adequate application-level data to the security operations center (SOC).
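The signature matching described under "How Does a WAF Work", the known-signature limitation from "Why WAF Isn't Enough", and the bypass techniques listed above can all be seen in one small rule engine. The following is an added example, not the article's code or any WAF's rule set: a handful of constructed negative-security rules applied to the fields of an HTTP request, with and without canonicalization, over constructed sample requests.

```python
# Added example, not the article's code: a toy negative-security WAF that matches
# signature rules over the fields of an HTTP request. The rules, the normalization
# steps and the sample requests are all constructed for the demo; a real WAF has
# thousands of rules and far more canonicalization.
import re
import urllib.parse
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: tuple = ()          # ((name, value), ...)


# Negative-security rules: each names a known-bad pattern.
RULES = [
    ("sqli-union-select", re.compile(r"\bunion\s+select\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
]


def normalize(value: str, max_rounds: int = 3) -> str:
    """Canonicalize a field before matching: undo (repeated) URL encoding, drop
    null bytes, strip inline SQL comments and collapse whitespace. Without this
    step, trivial encoding variations slip past the rules."""
    decoded = value
    for _ in range(max_rounds):
        step = urllib.parse.unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\x00", "")
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)


def inspect_request(request: Request, canonicalize: bool = True):
    """Return ('block', rule_id, field) on the first match, else ('allow', None, None)."""
    fields = {"path": request.path, "query": request.query, "body": request.body}
    for name, value in request.headers:
        fields[f"header:{name.lower()}"] = value
    for field_name, raw in fields.items():
        value = normalize(raw) if canonicalize else raw
        for rule_id, pattern in RULES:
            if pattern.search(value):
                return ("block", rule_id, field_name)
    return ("allow", None, None)


# Constructed sample traffic.
SAMPLES = [
    ("benign-search", Request("GET", "/search", query="q=red+shoes")),
    ("plain-sqli", Request("GET", "/products", query="id=1' or '1'='1")),
    ("url-encoded-sqli", Request("GET", "/products", query="id=1%27%20or%20%271%27%3D%271")),
    ("double-encoded-sqli", Request("GET", "/products", query="id=1%2527%2520or%2520%25271%2527%253D%25271")),
    ("comment-split-union", Request("POST", "/login", body="user=x'%20UNION/*x*/SELECT%20null--")),
    ("xss-in-header", Request("GET", "/", headers=(("User-Agent", "<script>alert(1)</script>"),))),
    ("encoded-traversal", Request("GET", "/static/..%2F..%2Fetc%2Fpasswd")),
    # A BOLA request is well-formed and carries no payload: nothing here to match.
    ("bola-other-users-order", Request("GET", "/api/orders/1002", headers=(("Cookie", "session=user-7"),))),
]


def evaluate(canonicalize: bool) -> dict:
    """Verdict per sample, with or without canonicalization before matching."""
    return {label: inspect_request(req, canonicalize)[0] for label, req in SAMPLES}


if __name__ == "__main__":
    for label, req in SAMPLES:
        print(f"{label:24s} raw={inspect_request(req, False)[0]:5s} canonical={inspect_request(req)[0]}")
```

Without canonicalization the URL-encoded, double-encoded, comment-split and encoded-traversal payloads all pass, even though the plain versions are caught; with it they are blocked. The BOLA request is allowed in both modes, which is the point made above: there is no payload to match, only an authorization decision the WAF cannot see.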
Endpoint detection and response (EDR)
EDR solutions both monitor and actively protect individual endpoints in an organization, including computers and mobile devices. While necessary for endpoint security, EDR has the following limitations for securing applications:
- Focus on endpoint activities: EDR monitors system-level events and processes rather than application-specific behavior, making it less effective at identifying application-layer threats.
- Limited internal visibility: EDR lacks insight into the internal workings of an application, so a threat that unfolds inside the application process (a library behaving abnormally, for instance) rather than as a separate process or file on the host can go unseen.
- Reactive nature: EDR often detects a threat only once it has produced observable endpoint activity, such as a spawned process or a written file, which can be too late for in-memory application exploits and zero-day attacks.
WAF vs. WAAP vs. ADR: How to Choose
The choice of AppSec solution should take into consideration the company’s application architecture, the overall threat landscape, and its security maturity level.
Use WAF when:
- A basic level of web application security is all that’s required. For example, WAFs are effective for protecting traditional, monolithic web apps relying on standard HTTP/S protocols.
- The main security threats are known vulnerabilities (e.g., SQL injection, cross-site scripting, standard bot attacks).
- The priority is to minimize costs and complexity, especially if the environment isn’t too reliant on APIs.
Use WAAP when:
- Working within a cloud-native or API-heavy environment.
- Extending WAF capabilities to protect assets operating over disparate environments, such as APIs, microservices, or mobile backends.
- Looking to incorporate more advanced features such as bot mitigation, rate limiting, or DDoS protection.
- Implementing DevOps or using containerized workloads, or working in a multi-cloud architecture, where a traditional WAF won’t offer sufficient coverage.
Use ADR when:
- Already running a WAF or WAAP and needing deeper visibility and protection at the application layer behind them.
- The priority is proactive detection and response, with a focus on the internal workings of the application itself, rather than on the network or perimeter.
- Focusing on new or sophisticated attacks, such as insider threats, zero-day exploits, or APTs, that may bypass the external defenses.
- The organization has critical applications or custom-developed software, or if it operates in a high-risk sector like finance or healthcare.
Combining WAF, WAAP, and ADR
Although each solution addresses a different aspect of application security, they are most effective when used together. For example, WAF and WAAP services can help protect the perimeter while ADR technologies help secure applications from the inside. ADR is especially useful to provide an added layer of security, with capabilities such as runtime monitoring, behavioral analysis, and automated response complementing the bot-mitigating or DDoS-preventing capabilities of WAF and WAAP.
Conclusion
Web application firewalls, web application and API protection, and application detection and response are important technologies for protecting web-based applications against cyber threats. Application attack techniques have become more sophisticated and are steadily eroding the effectiveness of traditional, perimeter-only tools, so organizations need to incorporate these measures into their security strategy to keep their applications safe.