Gartner named Cloudflare a Leader in its 2022 “Gartner® Magic Quadrant for Web Application and API Protection (WAAP)” report, which assessed 11 vendors on their “ability to execute” and “completeness of vision.” This accomplishment demonstrates Cloudflare’s ongoing commitment to and investment in this space, as the company strives to provide better and more effective security solutions to its users and customers.
The Cloudflare global network processes over 36 million HTTP requests per second, providing the company with unprecedented visibility into network patterns and attack vectors. This scale enables it to effectively distinguish clean traffic from malicious traffic, resulting in approximately one out of every ten HTTP requests proxied by Cloudflare being mitigated at the edge by the WAAP portfolio.
Visibility alone is insufficient, so Cloudflare invests in research and new product development as new use cases and patterns emerge. API traffic, for example, is increasing (55%+ of total traffic), and this trend is not expected to slow. Cloudflare’s API Gateway extends our WAF to provide better visibility and mitigations for well-structured API traffic, for which the company has observed different attack profiles than standard web-based applications.
Cloudflare’s ongoing investment in application security has aided its position in this market.
Cloudflare has developed a number of Web Application and API Protection (WAAP) features.
Cloudflare’s network, which spans more than 275 cities in over 100 countries, is the platform’s backbone and a critical component for mitigating DDoS attacks of any size.
To aid in this, the company’s network is intentionally anycasted and advertises the same IP addresses from all locations, allowing it to “split” incoming traffic into manageable chunks that each location can handle easily, which is especially important when dealing with large volumetric Distributed Denial of Service (DDoS) attacks.
The system is designed to be “always-on” and require little to no configuration, ensuring that attacks are mitigated instantly. DDoS attacks become a solved problem when combined with some very smart software, such as the new location aware mitigation.
Full configurability of our DDoS Managed Rules is just a click away for customers with very specific traffic patterns.
Cloudflare’s WAF is a critical component of its application security, making it difficult for hackers and vulnerability scanners to find potential vulnerabilities in web applications.
This is critical when zero-day vulnerabilities become public, as bad actors attempt to exploit new vectors within hours of their disclosure. Log4J, and more recently, the Confluence CVE, are just two examples of this behavior. As a result, the company’s WAF is also supported by a team of security experts who constantly monitor and develop/improve signatures to ensure it “buys” customers valuable time to harden and patch their backend systems as needed. In addition to signatures, its WAF machine learning system classifies each request, providing a much broader view of traffic patterns.
Cloudflare’s WAF includes a slew of advanced features such as credential leak detection, advanced analytics and alerting, and payload logging.
It is no secret that a large portion of web traffic is automated. While not all automation is harmful, some is unnecessary and may even be malicious.
The company’s Bot Management product works in tandem with its WAF and scores each request based on its likelihood of being generated by a bot, allowing organizations to easily filter unwanted traffic by deploying a WAF Custom Rule, all while being backed by powerful analytics. Cloudflare makes this simple by keeping a list of verified bots that can be used to improve a security policy.
If you want to block automated traffic, Cloudflare’s managed challenge ensures that only bots are hampered without interfering with the experience of real users.
API traffic is, by definition, more structured than standard web pages consumed by browsers. At the same time, because APIs are closer abstractions to back end databases and services, they attract more attention from malicious actors and frequently go unnoticed even by internal security teams (shadow APIs).
API Gateway, which can be layered on top of Cloudflare’s WAF, assists organizations in discovering API endpoints served by their infrastructure as well as detecting potential anomalies in traffic flows that may indicate compromise, both volumetric and sequentially.
Because of the nature of APIs, API Gateway can easily provide a positive security model in contrast to the company’s WAF: only allow known good traffic and block everything else. Customers can easily achieve this by leveraging schema protection and mutual TLS authentication (mTLS).
Attacks that directly exploit the browser environment may go unnoticed for some time because they do not necessitate the compromise of the back end application. For example, if a third-party JavaScript library used by a web application exhibits malicious behavior, application administrators and users may be unaware that credit card information is being leaked to a third-party endpoint controlled by an attacker. One of many client-side security attacks, this is a common vector for Magecart.
Page Shield addresses client-side security by actively monitoring third-party libraries and alerting application owners when a third-party asset exhibits malicious activity. To ensure coverage, it employs both public standards such as content security policies (CSP) and custom classifiers.
Page Shield, like Cloudflare’s other WAAP products, is fully integrated on the Cloudflare platform and can be activated with a single click.
The WAAP portfolio is housed in Cloudflare’s new Security Center. A centralized location for security professionals to gain a comprehensive view of Cloudflare-protected network and infrastructure assets.
The Security Center will be the starting point for forensics and analysis in the future, allowing businesses to leverage Cloudflare threat intelligence when investigating incidents.
The WAAP portfolio from the company is delivered from a single horizontal platform, allowing businesses to leverage all security features without additional deployments. Furthermore, Cloudflare manages scaling, maintenance, and updates, allowing enterprises to focus on delivering business value through their application.
This extends beyond WAAP because, while Cloudflare began by developing products and services for web applications, its network position allows it to protect anything connected to the Internet, including teams, offices, and internal facing applications. Everything is based on the same platform. WAAP customers can begin leveraging Cloudflare’s secure access service edge (SASE) with just a few clicks now that the company’s Zero Trust portfolio is an integral part of its business.
To protect staff and internal networks, application services teams can use the same platform that internal IT services teams use to consolidate the company’s security posture, both from a management and budget standpoint.
