Managed WAAP
Seamless protection & availability for your web applications & APIs.
15.04.2025
Danny Merkel, Senior Cyber Security Architect, Consulteer InCyber
With the rise of the internet and the increasing number of web applications in the 1990s, new ways of exploiting and manipulating these applications - and their users - emerged as well. As more people gained access to the internet, the original idealistic vision of the web as a force for good became less realistic. Website operators needed to protect themselves and their users, which led to the introduction of Web Application Firewalls (WAFs) at the end of the millennium.
Protecting web apps with WAFs became essential as new vulnerability classes were published - like SQL injection, which Jeff Forristal (writing as "rain forest puppy") described in Phrack in 1998, demonstrating it against Microsoft SQL Server behind IIS on a Windows NT system.
Early WAF products focused on countering specific threats like SQL injection and cross-site scripting (XSS). Over time, the number of attack vectors grew, and with the help of the OWASP Top 10 - a ranking of the ten most critical web application security risks - awareness in the IT industry increased.
In 2002, Ivan Ristić released ModSecurity, an open-source WAF, initially as an Apache module. The OWASP ModSecurity Core Rule Set (CRS), a generic set of attack-detection rules for ModSecurity-compatible engines, followed a few years later and gave the topic a stronger foothold in the open-source community. The CRS is still a fundamental component of many open-source and commercial WAF/WAAP solutions today. Trustwave, the last commercial owner of ModSecurity, handed development and support over to the open-source community under OWASP, with its own support ending on July 1, 2024.
ModSecurity with the CRS follows a "Negative Security Model": it blocks requests that match predefined attack patterns (signatures) and lets everything else through. This contrasts with the "Positive Security Model", which allows only explicitly defined traffic - for example, requests that match an API schema - and rejects everything else. The two are complementary: a negative model is quick to deploy but can be bypassed by payloads its signatures do not anticipate, while a positive model is stricter but needs a maintained allowlist.
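To make the difference concrete, here is an added example in Python. It is not code from the original page, from ModSecurity, or from the CRS: the blocklist signatures and the allowlist schema are hypothetical and deliberately minimal, and the endpoint (GET /items with id and sort parameters) is assumed. The point is how each model behaves on a payload the signatures did not anticipate, and on a parameter the application never documented.

```python
import re
from urllib.parse import parse_qs

# Negative security model: hypothetical blocklist signatures written for this
# example. They are illustrative and deliberately incomplete, not OWASP CRS rules.
NEGATIVE_RULES = [
    ("sqli-union", re.compile(r"union\s+select", re.IGNORECASE)),
    ("sqli-comment", re.compile(r"(--|/\*|#)")),
    ("sqli-or-true", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)),
    ("xss-script", re.compile(r"<script", re.IGNORECASE)),
]

# Positive security model: an allowlist of the only parameters a hypothetical
# "GET /items" endpoint accepts, each with the exact shape its value must have.
POSITIVE_SCHEMA = {
    "id": re.compile(r"[0-9]{1,10}"),
    "sort": re.compile(r"asc|desc"),
}


def negative_check(query):
    """Blocklist: return the name of the first matching signature, or None if nothing matched."""
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            for rule_name, pattern in NEGATIVE_RULES:
                if pattern.search(value):
                    return rule_name
    return None


def positive_check(query, schema=POSITIVE_SCHEMA):
    """Allowlist: return None if every parameter is known and well-formed, else the reason."""
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in schema:
            return f"unknown parameter {name!r}"
        for value in values:
            if not schema[name].fullmatch(value):
                return f"parameter {name!r} does not match its allowed pattern"
    return None


if __name__ == "__main__":
    # Constructed query strings, URL-encoded as they would arrive on the wire.
    samples = [
        "id=42&sort=asc",                              # legitimate request
        "id=1+UNION+SELECT+password+FROM+users",       # textbook SQL injection
        "id=1+UNION+ALL+SELECT+password+FROM+users",   # slips past the toy signature
        "id=42&debug=1",                               # undocumented parameter
    ]
    for q in samples:
        print(f"{q:45} negative={negative_check(q)!s:14} positive={positive_check(q)}")
```

The third sample shows the structural weakness of the negative model: "UNION ALL SELECT" is not covered by a signature written for "UNION SELECT", so the blocklist lets it through, while the allowlist rejects it simply because id is not a number. The fourth sample shows the other side: nothing in the payload looks malicious, yet the positive model still blocks it because debug is not a documented parameter.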
APIs (Application Programming Interfaces) have existed since the 1960s, when mainframe systems required interfaces for data exchange.
By the 1970s and 1980s, developers needed to call software libraries not only locally, but also on remote systems. This laid the foundation for the modern web APIs we know today, built on protocols and styles like SOAP, REST, gRPC, and GraphQL. Their importance has grown significantly in recent years, with more and more APIs exposed to the public internet.
Especially with the rise of microservice architectures, where applications are split into independent components, the number of APIs is increasing rapidly.
There is a lot of talk about AI (Artificial Intelligence), but not nearly enough about the growing number of API endpoints and the attack vectors they create. Our partner Wallarm, in its annual API ThreatStats report, found that the number of AI-related CVEs reached 439 in 2024, a 1025% jump over 2023 - and that 98.9% of these were API-related.
A Web Application Firewall still plays a key role in protecting web apps against various vulnerabilities and zero-day threats.
However, companies are often not intrinsically motivated to implement a WAF. Operating a WAF requires resources and expertise. It is usually external pressure that drives adoption - such as requirements from cyber insurance providers or regulatory obligations in certain industries.
As mentioned, the application landscape has evolved due to microservices and AI. We’re seeing a surge in APIs and newer protocols like gRPC and GraphQL. Additionally, web apps and APIs are facing growing numbers of Distributed Denial of Service (DDoS) attacks, often executed via botnets.
A logical evolution of the WAF is WAAP - Web Application and API Protection - a relatively new product category. A WAAP bundles the classic WAF with DDoS mitigation (e.g., rate limiting), bot management, and API-specific protection such as endpoint discovery and validating requests against the API's schema.
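The rate-limiting half of DDoS mitigation is simple enough to show in full. The following is an added example, not code from the original page or from any WAAP product: a per-client token bucket in Python, replayed over a constructed request stream. The client addresses, paths, the policy of 5 requests per second with a burst of 10, and the one-second timestamp resolution are all assumptions made for the example; bot management (fingerprinting, challenges) is not covered.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket: each client starts with `burst` tokens, refilled at
    `rate` tokens per second; a request costs one token or is rejected."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self._buckets = {}  # client -> (tokens, timestamp of last refill)

    def allow(self, client):
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # lazy refill
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


def simulate(events, rate, burst):
    """Replay (timestamp, client, path) events through one limiter and return
    per-client counts of allowed and blocked requests."""
    current = {"now": 0}
    limiter = TokenBucketLimiter(rate, burst, clock=lambda: current["now"])
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, client, _path in sorted(events):
        current["now"] = ts  # the limiter reads the replayed timestamp, not wall-clock time
        stats[client]["allowed" if limiter.allow(client) else "blocked"] += 1
    return dict(stats)


# Constructed request stream (hypothetical addresses and paths). Timestamps are
# whole seconds, so the scraper's 30-request burst all lands within one second.
SCRAPER, USER = "203.0.113.7", "198.51.100.22"
SAMPLE_EVENTS = (
    [(100, SCRAPER, f"/api/v1/products/{i}") for i in range(30)]
    + [(101, SCRAPER, f"/api/v1/products/{30 + i}") for i in range(3)]
    + [(100 + 2 * i, USER, "/api/v1/cart") for i in range(5)]
)

if __name__ == "__main__":
    for client, counts in simulate(SAMPLE_EVENTS, rate=5, burst=10).items():
        print(client, counts)
```

With this policy the scraper gets its first 10 requests through (the burst), the next 20 in the same second are rejected, and 3 more are admitted a second later once 5 tokens have refilled; the ordinary user, sending one request every two seconds, is never throttled. Keying the bucket on the client address is the simplest choice; a WAAP will typically also key on session, API key, or endpoint so that one IP behind a NAT does not starve everyone else.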
During our evaluation of partners for our WAAP-based Managed Security Service, these enhanced API protection features were a key factor. However, we noticed that just because a product is labeled WAAP doesn't mean it truly offers API protection. Some vendors seem to be riding the marketing trend without offering real substance - old wine in new bottles.
We recommend trying the open-source test tool “GoTestWAF” or directly asking your provider: What exactly does API protection mean in this product? Or let us do it for you - we’re happy to provide a free assessment using API Attack Surface Management (AASM).
Let’s recap:
A classic Web Application Firewall (WAF) protects traditional web applications with signature-based rules, but those rules were not written for the JSON, gRPC, or GraphQL traffic and per-endpoint logic of APIs, so a WAF alone does not adequately safeguard them.
A WAAP (Web Application and API Protection) is the next evolution of the WAF - at least in theory. Check carefully whether a product delivers on its name: the API protection part should do more than apply the same signatures to API traffic, for example by discovering endpoints and validating requests against the API's schema.
But as a company, do you actually know all your APIs? What are you doing to secure them? Developers are often fast to publish new APIs or endpoints, and even more often, old endpoints are forgotten and left exposed.
This is where "API Security" comes into play. API Security goes beyond blocking traffic at the edge and covers three activities: Identify, Detect, and Respond.
Identify:
Understand and reduce your API attack surface.
Identify sensitive data and exposed API endpoints.
Detect:
Detect and fix risky APIs using real-time traffic analysis and OpenAPI specifications.
Vulnerability scanning
OpenAPI-based testing
CI/CD pipeline-integrated testing tools
Respond:
Attack and incident analysis
Virtual patching
Automatic alerting
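One way to start on the "Identify" step - finding endpoints that developers published but never documented, and documented endpoints that nobody calls any more - is to compare the routes declared in an OpenAPI document with what the access log actually shows. The following is an added example, not code from the original page or from any vendor: the OpenAPI document, the log lines, the addresses and the paths are all constructed for this example.

```python
import re
from collections import Counter

# Constructed OpenAPI 3 document for a hypothetical shop API, already parsed into
# a dict (a real one would be loaded from YAML/JSON). Only the parts used here exist.
OPENAPI_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/api/v1/products": {"get": {}},
        "/api/v1/products/{productId}": {"get": {}, "delete": {}},
        "/api/v1/orders": {"get": {}, "post": {}},
        "/api/v1/orders/{orderId}": {"get": {}},
    },
}

# Constructed access-log lines in combined-log style (sample data, not a real log).
ACCESS_LOG = """\
198.51.100.22 - - [15/Apr/2025:10:01:02 +0200] "GET /api/v1/products HTTP/1.1" 200 5120
198.51.100.22 - - [15/Apr/2025:10:01:05 +0200] "GET /api/v1/products/42 HTTP/1.1" 200 812
203.0.113.7 - - [15/Apr/2025:10:02:11 +0200] "POST /api/v1/orders HTTP/1.1" 201 95
203.0.113.7 - - [15/Apr/2025:10:02:40 +0200] "GET /api/v1/orders/1001 HTTP/1.1" 200 640
203.0.113.7 - - [15/Apr/2025:10:03:01 +0200] "GET /api/v1/orders/1002?expand=items HTTP/1.1" 403 48
198.51.100.80 - - [15/Apr/2025:10:04:17 +0200] "GET /api/v0/users/export HTTP/1.1" 200 48211
198.51.100.80 - - [15/Apr/2025:10:04:30 +0200] "GET /api/v1/internal/debug HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def compile_spec(spec):
    """Turn each documented (method, path template) into a regex; every {param}
    placeholder becomes exactly one non-empty path segment."""
    routes = []
    for template, operations in spec["paths"].items():
        literal_parts = re.split(r"\{[^/}]+\}", template)
        regex = re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")
        for method in operations:
            routes.append((method.upper(), template, regex))
    return routes


def classify_traffic(log_text, spec):
    """Match observed requests against the spec. Returns hit counts per documented
    route, 'shadow' routes seen in traffic but absent from the spec, and documented
    routes that never appeared in traffic ('unused')."""
    routes = compile_spec(spec)
    observed, shadow = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request record
        method, path = m["method"], m["path"].split("?", 1)[0]  # drop the query string
        for spec_method, template, regex in routes:
            if method == spec_method and regex.match(path):
                observed[(method, template)] += 1
                break
        else:
            shadow[(method, path)] += 1
    unused = sorted({(m, t) for m, t, _ in routes} - set(observed))
    return {"observed": dict(observed), "shadow": dict(shadow), "unused": unused}


if __name__ == "__main__":
    report = classify_traffic(ACCESS_LOG, OPENAPI_SPEC)
    for kind in ("shadow", "unused"):
        print(kind, report[kind])
```

On the sample data the two shadow routes are exactly the cases the paragraph above warns about: a leftover v0 export endpoint and an internal debug endpoint, both answering 200 and neither in the spec, so no schema-based positive model will ever be applied to them. The "unused" list (a DELETE nobody calls, a GET collection nobody reads) is the other half of attack-surface reduction: documented capability that could be retired. In practice the observed side comes from the WAAP's traffic mirror rather than a log file, but the matching logic is the same.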
Attack vectors are growing rapidly. Companies should evaluate the true protection offered by their WAF/WAAP products. Beyond that, every company should understand what applications and APIs they expose - and how well these are protected.
Where does your organization stand? Want to know how secure your setup is and what services and APIs you expose?
Contact us for a free evaluation.