Why is API Security Necessary?
Most applications developed today naturally include APIs. In South Korea, the MyData service, which legally mandated the use of APIs starting in January 2022, has also been implemented. (For more details, please refer to the previously published "WEBFRONT-K API Security".)
As such, APIs are rapidly becoming commonplace, recognized for the reliability, security, and convenience of the technology. So how widely are APIs actually used, to the point that we should be concerned about them? According to Akamai, more than 80% of the traffic recently measured on its CDN is API-related.
Based on this data alone, using APIs is no longer special; rather, traffic that does not use APIs should be considered unusual. As these cases and data show, the use of APIs is becoming the norm in the web environment.
1. API Security for Safe MyData Services
Thanks to the active participation of relevant organizations (Financial Services Commission, Financial Supervisory Service, Financial Security Institute) and MyData operators, a quarter has passed since the MyData service was launched without any major service outage issues exposed in the media. (Implementation date: January 5, 2022)
As of now, a quarter later, there are 56 companies operating MyData services (as of April 11, 2022), and the number of companies registering as new operators every month is steadily increasing. Thus, the market using MyData services is establishing itself stably and growing.
The next task for IT services that have secured stable availability is to secure confidentiality and integrity. In other words, it is the stage where security must be strengthened while maintaining service levels. In particular, since MyData services handle personal information, the importance of security is emphasized more than in other IT services.
In fact, in a meeting for the development of MyData hosted by the Chairman of the Financial Services Commission on March 3, 2022, topics related to strengthening security were mentioned in the chairman's opening remarks and major suggestions from attendees.
To strengthen security, both institutional security and technical security are necessary.
● Institutional Security: A security concept that legally restricts negative behaviors of service providers or users, or mandates the application of specific technologies or policies for security. In the case of MyData services, this includes the security measures specified in the "Financial Sector MyData Technical Guidelines."
So, what are the technical security measures for strengthening the security of MyData services? Considering the technical characteristics of MyData services, the most emphasized part would be security for APIs. MyData operators are actually implementing security measures related to APIs, such as mutual TLS specified in the "Financial Sector MyData Technical Guidelines," and are showing interest in security equipment for API security.
Of course, since this is a period in which concerns such as service quality degradation caused by excessive security measures take priority, it may be difficult to readily introduce security equipment.
However, considering the atmosphere regarding API security in the global market and the increase in CVE vulnerabilities related to APIs, more technologies related to API security will likely be institutionally required in the near future.
2. Future Web Environment Where API Usage Becomes Generalized
NFT, Blockchain, Cryptocurrency. These keywords are technical terms that could be seen and heard everywhere from news, the internet, and even related books since last year. Although explaining each technology one by one may not fit the nature of this white paper, one thing I want to mention is the technical characteristic these technologies share.
The commonality of the above technologies is 'Decentralization'. Decentralization, simply put, is a concept where data is not stored and managed in a central server, but rather owned by the servers of institutions and companies that have rights to each data, or by individual clients.
In other words, it recognizes ownership of each piece of data rather than a monopoly of data by specific institutions and companies. In fact, this concept was the essence contained in the web since its birth. Tim Berners-Lee, the founder of the World Wide Web, said, "The dream behind the Web is of a common information space in which we communicate by sharing information."
Ultimately, the web space envisioned by Tim Berners-Lee is being realized based on decentralized technology, and we are preparing for a new web environment called Web 3.0. Although we cannot define Web 3.0 or say exactly what form and function it will approach us with, it will gradually permeate our lives just as Web 2.0 did.
Then, let's examine how decentralization relates to APIs. In the environment before decentralization, the method was to search on a portal site if data was needed and retrieve data from the server connected to that portal.
Globally, such an environment is already being rapidly created, and threats in this environment are being identified and countermeasures prepared. A representative example is the "2019 OWASP API Security Top 10" vulnerabilities introduced in "WEBFRONT-K API Security."
In particular, the vulnerabilities listed as numbers 1, 2, and 3 (Broken Object Level Authorization, Broken User Authentication, and Excessive Data Exposure) are vulnerabilities that mainly occur in communication between client and server, or between client and client. These entries were written with a web environment in mind in which the use of APIs has become generalized.
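As an added illustration of entries 1 and 3 above (example code written for this page, not PIOLINK's or WEBFRONT-K's; the user store, field names and IDs are constructed), here is a single "get user by id" handler in its vulnerable and hardened forms:

```python
# Added example, not PIOLINK's code. Models OWASP API Security Top 10 (2019)
# #1 Broken Object Level Authorization and #3 Excessive Data Exposure in one
# handler that serves "GET /users/{id}". All data below is constructed.

# Constructed records; the sensitive fields are placeholders, not real data.
USERS = {
    "u-100": {"id": "u-100", "name": "Alice", "email": "alice@example.com",
              "balance": 1200, "ssn": "PLACEHOLDER-SSN-1", "password_hash": "h1"},
    "u-200": {"id": "u-200", "name": "Bob", "email": "bob@example.com",
              "balance": 35, "ssn": "PLACEHOLDER-SSN-2", "password_hash": "h2"},
}

# Allow-list of fields an account holder may see about their own record.
PUBLIC_FIELDS = ("id", "name", "email", "balance")


def get_user_vulnerable(auth_user_id, target_id):
    """#1: the authenticated identity is never compared with the object
    requested; #3: the whole record is serialized and filtering is left
    to the client. Returns an (http_status, body) pair."""
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, dict(record)


def get_user_hardened(auth_user_id, target_id):
    """Object-level authorization against the identity established at
    authentication, then a server-side allow-list on the response."""
    if auth_user_id is None:
        return 401, {"error": "authentication required"}
    if auth_user_id != target_id:
        # Checked before the lookup so the error path does not confirm
        # whether another user's ID exists.
        return 403, {"error": "forbidden"}
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {k: record[k] for k in PUBLIC_FIELDS}


def exposed_fields(status_body):
    """Sensitive field names present in a response body (for review/tests)."""
    _, body = status_body
    return sorted(k for k in body if k not in PUBLIC_FIELDS and k != "error")


if __name__ == "__main__":
    # Alice (u-100) requests Bob's record (u-200): leak vs. 403.
    print(get_user_vulnerable("u-100", "u-200"))
    print(get_user_hardened("u-100", "u-200"))
```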
The Emergence of WAAP (Web Application and API Protection) - The Evolution of WAF
Recently, various information protection products related to API security have appeared. Also, many companies are showing interest in and adopting these API security products. From the perspective of strengthening API security, the market atmosphere is positive.
However, one questionable aspect is that most API security products gaining popularity and attention in the domestic market are equipment classified as API Management Systems by global IT market standards. Of course, identifying, visualizing, and managing assets is important in security, but that is merely security at the monitoring level.
Since monitoring mostly detects and handles anomalies occurring internally, it is a different concept from blocking threats attempted from clients or outside, such as the vulnerabilities defined by OWASP, or creating policies to strengthen security.
Then, with what equipment can we respond to threats against APIs originating from the outside?
The figure shows a concept in which separate equipment handles API issues occurring internally and externally, distinguished as an Outer API Gateway and an Inner API Gateway.
However, in the following year, 2019, Gartner introduced WAAP (Web Application and API Protection), equipped with four core functions: Web Application Protection, DDoS Protection, Bot Management, and API Protection, as an evolved model of the Web Application Firewall (WAF).
And in 2021, they released a report titled 'Magic Quadrant for Web Application and API Protection 2021', replacing the market analysis report for Web Application Firewalls. In that year, a market analysis report for WAF did not exist, and it appears it will be replaced by WAAP reports in the future.
Ultimately, WAAP is defined as security equipment that bundles the concepts of Anti-DDoS, Bot Mitigation, WAF, and Outer API Gateway into one. Although DDoS response is possible at both the network layer and the application layer, the DDoS response referred to in WAAP mainly means response at the application level.
In fact, since most WAFs are already capable of application-level DDoS response and malicious Bot response, WAAP is practically a concept where API security functions are added to a WAF.
Why API security functions were added to the WAF can be easily understood by looking at the technical characteristics of APIs. First, APIs basically exist within the category of the web operating environment.
Most APIs operate based on the HTTP protocol, and data transmission formats also use JSON or XML, which are used in web applications. In short, the basis of API security is to perform web application security that considers APIs.
Looking at these technical characteristics alone, it is appropriate to implement API security in a WAF. And most global WAF companies have already released equipment and solutions named WAAP, forming the WAAP market as representative equipment for API security.
However, awareness of WAAP is still low in the domestic market, and there is no clear guide on what equipment should be introduced for API security, making it difficult for many information security managers to accurately judge what functions are needed and what equipment to introduce.
But one thing is certain: the global market is already introducing WAAP as equipment for API security, and its main functions are the four core technologies defined by Gartner and response capabilities for the OWASP API Security Top 10 vulnerabilities.
API security is considered an essential element for building safe MyData services and preparing for the upcoming Web 3.0 era. Therefore, PIOLINK analyzes global trends to be of at least a little help to many who are worried about API security, and researches to develop better API security technologies using information collected through various routes.
For those who want to receive additional information related to API security, we recommend consulting with