Noname vs WAFs and API Gateways

Harold Bell

Both API gateways and WAFs are important components of the API delivery stack, but neither is designed to provide the security controls and observability required to adequately protect APIs. The Noname API Security Platform helps to fill in the security gaps left by API gateways and WAFs. Our solution helps to accurately inventory all APIs, including internal and shadow APIs, and proactively secure your environment against API vulnerabilities, misconfigurations, and design flaws.

Industry solutions that fall into this category include: MuleSoft, Apigee, Kong, Prophaze, Cloudflare, Imperva, F5.

API Security Requirement               | WAFs/API Gateways | Noname Security
Full Observability                     |                   | ✔️
Accurate Inventory                     |                   | ✔️
Security Posture Management Analysis   |                   | ✔️
API Specific Runtime Security Controls |                   | ✔️
API Security Testing                   |                   | ✔️

Full Observability

Both API gateways and WAFs can only observe API traffic that is routed through them. Gartner predicts that 50% of enterprise APIs will be "unmanaged" by 2025, which means that observability will be limited at best. While some unmanaged APIs are deployed intentionally, others may be unknown "shadow" or "zombie" APIs that could be putting the organization at risk. Even if all APIs are routed through gateways and WAFs, most enterprise organizations will only have fragmented views of an API estate that may span multiple teams or business units.

Accurate Inventory

Simply knowing the number of APIs within the organization is not very useful for security and IT teams. An accurate inventory needs to include contextual API data: the data types handled, authentication controls, configurations, traffic mappings, routing details, exposure to the internet, and all other relevant metadata. Neither API gateways nor WAFs can provide an aggregated and current inventory of the full API estate.

Security Posture Management Analysis

Without full context-aware visibility into the API estate, the combination of API gateways and WAFs simply cannot provide detailed analysis of the API posture. Posture management analysis helps IT teams efficiently identify and resolve misconfigurations that could result in security risk or compliance violations. Such misconfigurations include, for example, inadequate authentication, unnecessary exposure (to the internet), and lack of rate limiting or encryption, to name a few.
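As an added illustration of what a posture check over contextual API data looks like (this is example code written for this page, not Noname Security's product code), the block below walks a constructed OpenAPI-style document and flags two of the misconfigurations named above: servers that speak plaintext HTTP and operations that carry no authentication requirement. The document, the rule set and the severity ratings are assumptions made for the example.

```python
"""Posture check over a minimal OpenAPI-style document.

Added example; not Noname Security's code. The spec below is constructed
and the rules are an assumption about what a posture check would flag:
servers without TLS, operations with no security requirement, and
state-changing operations among them (rated higher).
"""
from typing import Any, Dict, List

# Constructed sample document (hypothetical API, not a real service).
SAMPLE_SPEC: Dict[str, Any] = {
    "servers": [
        {"url": "http://api.internal.example"},   # plaintext: no encryption
        {"url": "https://api.example"},
    ],
    # Document-level default: every operation requires a bearer token...
    "security": [{"bearerAuth": []}],
    "paths": {
        "/invoices/{id}": {
            "get": {},                              # inherits the default
            "delete": {"security": []},             # ...but this one opts out
        },
        "/health": {"get": {"security": []}},       # intentionally public
        "/admin/export": {"post": {"security": []}},
    },
}

STATE_CHANGING = {"post", "put", "patch", "delete"}
HTTP_METHODS = STATE_CHANGING | {"get", "head", "options", "trace"}


def find_posture_findings(spec: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per detected misconfiguration.

    OpenAPI semantics applied: an operation without its own `security`
    key inherits the document-level list; an explicit empty list disables
    authentication for that operation.
    """
    findings: List[Dict[str, str]] = []

    for server in spec.get("servers", []):
        url = server.get("url", "")
        if url.lower().startswith("http://"):
            findings.append({"where": url, "issue": "no-tls", "severity": "medium"})

    default_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as parameters or summary
            security = operation.get("security", default_security)
            if security:
                continue
            severity = "high" if method.lower() in STATE_CHANGING else "medium"
            findings.append({
                "where": f"{method.upper()} {path}",
                "issue": "no-auth",
                "severity": severity,
            })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity so a team can triage the worst first."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in find_posture_findings(SAMPLE_SPEC):
        print(f"{finding['severity']:6} {finding['issue']:8} {finding['where']}")
```

Running it against the sample reports the plaintext server, the unauthenticated DELETE and POST as high severity, and the public GET /health as medium. That last finding is the kind a team would allowlist after review; a posture tool is only useful if such exceptions are recorded rather than silently ignored.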

API Specific Runtime Security Controls

The combination of gateways and WAFs provides basic API security controls: gateways can enforce rate limiting and authentication, and WAFs apply signature-based attack detection and check for appropriate user session behavior. These controls are very much needed, but they are not enough to adequately protect the business from API-specific attacks and abuse. For example, broken object level authorization (BOLA) attacks look like "ordinary" API traffic to gateways and WAFs, so they pass through these controls undetected. Gateways and WAFs lack contextual awareness between API requests and responses. This gap can leave APIs vulnerable not only to BOLA exploits but also to other attacks and business logic abuse that simply cannot be easily identified using standard gateway and WAF controls.
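To make the BOLA point concrete, here is an added example (written for this page, not Noname Security's code) with a constructed invoice store. The vulnerable handler authenticates the caller but never checks who owns the requested object; the hardened handler does. The `simulate` and `detect_cross_tenant_reads` functions show why the request side alone looks ordinary: each call is a valid, authenticated GET, and only by pairing the caller identity from the request with the owner field from the response does a pattern of cross-tenant reads become visible. The store, the handlers, the event shape and the detection threshold are all assumptions for the example.

```python
"""BOLA: why an authenticated request looks 'ordinary', and how
request/response context exposes it.

Added example; not Noname Security's code. The invoice store, the two
handlers and the detection rule are constructed for illustration.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Constructed data: invoice id -> record. Each record belongs to one user.
INVOICES: Dict[int, Dict[str, object]] = {
    101: {"owner": "alice", "amount": 120},
    102: {"owner": "bob", "amount": 75},
    103: {"owner": "carol", "amount": 310},
    104: {"owner": "dave", "amount": 42},
}

Response = Tuple[int, Optional[Dict[str, object]]]  # (status, body)


def get_invoice_vulnerable(caller: str, invoice_id: int) -> Response:
    """Authenticated (caller is known) but never checks ownership: the BOLA defect."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return 404, None
    return 200, record


def get_invoice_hardened(caller: str, invoice_id: int) -> Response:
    """Object-level authorization: the record must belong to the caller.

    A foreign object gets the same 404 as a missing one, so the response
    does not confirm that other users' invoice ids exist.
    """
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != caller:
        return 404, None
    return 200, record


# One event as an API-aware monitor would record it: caller identity from
# the request, object owner from the response body. A WAF or gateway sees
# only the request side, where every call is a valid, authenticated GET.
Event = Tuple[str, int, int, Optional[str]]  # caller, invoice_id, status, owner


def simulate(handler: Callable[[str, int], Response],
             caller: str, invoice_ids: List[int]) -> List[Event]:
    """Run a handler for each id and capture the request/response pair."""
    events: List[Event] = []
    for invoice_id in invoice_ids:
        status, body = handler(caller, invoice_id)
        owner = str(body["owner"]) if body else None
        events.append((caller, invoice_id, status, owner))
    return events


def detect_cross_tenant_reads(events: List[Event], threshold: int = 2) -> List[str]:
    """Flag callers that successfully received objects owned by at least
    `threshold` distinct other principals (threshold is an assumption)."""
    foreign_owners: Dict[str, set] = defaultdict(set)
    for caller, _, status, owner in events:
        if status == 200 and owner is not None and owner != caller:
            foreign_owners[caller].add(owner)
    return sorted(c for c, owners in foreign_owners.items() if len(owners) >= threshold)


if __name__ == "__main__":
    ids = [101, 102, 103, 104]
    print("vulnerable:", detect_cross_tenant_reads(simulate(get_invoice_vulnerable, "alice", ids)))
    print("hardened:  ", detect_cross_tenant_reads(simulate(get_invoice_hardened, "alice", ids)))
```

With the vulnerable handler, alice's four requests return four records owned by four different users and the detector flags her; with the hardened handler, three of the four return 404 and nothing is flagged. The detection only works because the monitor can read the owner field in the response and tie it back to the authenticated caller, which is exactly the request/response context a gateway or WAF does not have.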

API Security Testing

Traditional infrastructure like WAFs and gateways doesn't provide the necessary capabilities for you to test your APIs, neither pre- nor post-production. Without testing capabilities, your code quality suffers and your APIs in production become vulnerable to exploitation. API security testing is non-negotiable when it comes to executing a comprehensive API security strategy.

Non-Purpose-Built Tools

Beyond WAFs and gateways, there are a number of solutions that claim to provide adequate API security, such as identity and access management (IAM) solutions (e.g. PingIdentity's API security tool). However, just like WAFs and gateways, these tools lack the comprehensive coverage needed to secure an organization's APIs.

Harold Bell

Harold Bell is the Director of Content Marketing at Noname Security. He has over a decade of experience in the IT industry with leading organizations such as Cisco, Nutanix, and Rubrik, and has been featured as an executive ghostwriter in Forbes Technology Council and Hacker News.
