The DevOps Guide to WAF API Gateways

yayabobi - Nov 4 - - Dev Community

The rise of custom and cloud-native applications sets off alarm bells for many DevOps teams and their organizations. Although innovation in application development works wonders to reduce costs, shorten time to market, and increase resiliency, it also puts the applications and the APIs powering them at risk.

Shockingly, 98% of web applications are vulnerable to attacks that can result in malware, redirection to malicious websites, and more. Organizations increasingly rely on a powerful combination to keep up with emerging, common, and high-risk threats: WAF and API gateways.

What is a WAF?

A web application firewall (WAF) is a security firewall designed to monitor, filter, and block HTTP traffic from a website or web application. It is the initial protection barrier for web applications by filtering out harmful traffic and preventing common attacks such as SQL injection, cross-site scripting (XSS), and other web application vulnerabilities.

What are WAF API gateways?

An API gateway is a server that acts as an API front-end to:

  • Receive API requests.

  • Enforce security and rate limiting, managing API traffic.

  • Handle other functions like load balancing.

In simple terms, an API gateway is the middleman who smooths the request processing between clients and backend services.

How does WAF and API Gateways Work Together

Combining WAF and API gateway offers an extensive security and traffic management layer for web applications and APIs. WAF filters and blocks malicious traffic toward the web application, while API gateway handles API requests and responses securely and optimally.

Why Should You Integrate WAF and API Gateway for Protection

Enhanced Security Posture

Combining a WAF with an API gateway provides a layered security approach. The WAF protects against web application threats like SQL injections, cross-site scripting, and most of the OWASP's Top 10 API Security risks. In contrast, the API gateway controls advanced specific API protections, including the user's authentication and permissions.

Streamlined Traffic Management

With a WAF integrated into the API gateway, all incoming traffic can be filtered and inspected before it reaches the backend systems. This partnership secures the system and reduces the load on backend resources by blocking malicious traffic upfront.

Cost Efficiency

Running a WAF and API gateway combination requires much less software and hardware resources than running them separately.

Simplified Security Management

It simplifies security settings management by consolidating control into a single interface, making it easier to update, monitor, and enforce security policies consistently as per web application security best practices.

Reduced Latency and Improved Performance

When a WAF works with an API gateway, it can check and secure all the incoming traffic in one step. This feature speeds up the request processing since the traffic doesn't have to go through multiple security checks.

Some WAF solutions provide a built-in API security solution. For example, open-appsec uses an ML-based engine to prevent OWASP Top 10 and zero-day threats against web apps and APIs without signature updates.

Integrating WAF and API Gateway

How to Integrate WAF API Gateways into Your DevOps Pipeline

Integrating a WAF and API gateway into your DevOps pipeline enhances security and streamlines compliance without compromising development speed. Here is how you can do it:

  1. ### WAF in Front of API Gateway

Positioning a WAF right before your API gateway is like having a security guard at the door, checking everyone before they can enter. It ensures every incoming request is sanitized before it reaches the servers.

  • Initial Setup: Place the WAF as close to the Internet as possible or on the Internet connection entry point.

  • Configuration: Configure the WAF rules to identify and prevent common threats, such as SQL injections, XSS, and others listed in OWASP's Top 10 risks.

  • Traffic Flow: The WAF should be set up only to allow traffic that has passed the necessary integrity checks to the API gateway.

  • Continuous Adjustment: Regularly update the WAF rules based on emerging threats and the evolving security landscape, as highlighted by the results of any dynamic risk assessments you undertake.

  1. ### API Gateway with Integrated WAF Functionality

Some modern API gateways come with built-in WAF capabilities. This setup simplifies the architecture and reduces the workload on your security teams.

  • Initial Setup: Deploy the API gateway across your network, ensuring it is accessible to all relevant microservices.

  • Configuration: Utilize the integrated WAF features to set up security policies directly within the API gateway's management console.

  • Traffic Flow: Ensure the API gateway effectively manages traffic flows that comply with the WAF's security standards.

  • Continuous Adjustment: Keep the integrated security features up-to-date with new releases and patches to ensure optimal protection.

  1. ### Hybrid Approach

The hybrid approach combines standalone and integrated WAF configurations. It allows detailed customization while keeping application management straightforward.

  • Initial Setup: Configure the standalone WAF to tackle general security threats and deploy the API gateway to handle API-centric threats and traffic management.

  • Configuration: Ensure the standalone WAF and the API gateway's built-in security features are aligned and complemented.

  • Traffic Flow: The configuration should ensure that the standalone WAF first filters traffic managed by the API gateway.

  • Continuous Adjustment: Adjust the configurations of both components to tailor the security measures to your organization's specific needs and respond to evolving threats.

As you can see, each approach offers distinct advantages, and the best choice depends on your specific security requirements. The below graphic includes a comparison of WAF in front and integrated WAF, which will give you an idea about their features:

WAF in Front Vs Integrated WAF Function

5 Best Practices for DevOps with WAF and API Gateway

  1. ### Shift-Left Security

Shift-left security encourages developers to implement security activities early in the development life cycle. This approach ensures that security requirements are addressed from the beginning and reduces the risk of vulnerabilities later in the process.

Actionable Tips:

  • Start by including application security checklists and threat modeling activities in the early design efforts.

  • Integrate static and dynamic code analysis tools like SonarCloud into your CI/CD pipeline to automate security checks.

  • Raise awareness of secure development among your developers to enhance security even more within the development team.

  1. ### Automating WAF and API Gateway Configuration

Automating WAF and API gateway configurations ensures consistent and repeatable deployment of security policies and rules. Furthermore, it reduces the speed of deployment and ensures that security configurations are applied uniformly across all environments.

Actionable Tips:

  • Define WAF and API Gateway configurations using Infrastructure as Code (IaC) tools like Terraform or AWS CloudFormation.

  • Use CI/CD pipelines to automate the deployment of these configurations.

  • Regularly review and update automation scripts.

  • Implement event-driven security automation with tools like AWS Lambda and CloudWatch logs to adjust WAF configurations dynamically and address potential threats.

Here is an example of how AWS Lambda can dynamically adjust WAF settings based on specific threat detections in CloudWatch logs:

import boto3

def lambda_handler(event, context):

    waf = boto3.client('wafv2')

    # Assume we're looking for a specific type of threat or traffic pattern in logs

    threat_info = event['detail']

    if threat_info['threatType'] == 'SQLInjection':

        # Update the WAF rule to block this type of threat

        response = waf.update_web_acl(

            Name='example-acl',

            Scope='REGIONAL',

            Id='acl-id',

            DefaultAction={'Block': {}},

            Rules=[{

                'Name': 'BlockSQLInjection',

                'Priority': 1,

                'Action': {'Block': {}},

                'Statement': {

                    'SqliMatchStatement': {

                        'FieldToMatch': {'AllQueryArguments': {}},

                        'TextTransformation': [{'Type': 'URL_DECODE', 'Priority': 0}]

                    }

                }

            }]

        )

        print("WAF rule updated to block SQL Injection")

  1. ### Continuous Monitoring

Continuous and real time monitoring helps DevOps teams stay ahead by identifying and mitigating issues before they cause significant harm.

Actionable Tips:

  • Implement logging and monitoring tools like AWS CloudWatch, ELK Stack, or Splunk to collect and analyze security-related data.

  • Set up alerts and notifications for unusual activities.

  • Regularly review logs and monitoring data to identify patterns and potential vulnerabilities.

  1. ### Use Infrastructure as Code (IaC)

IaC facilitates consistent and repeatable infrastructure deployments through machine-readable configuration files. It reduces configuration drift and allows for version control and auditability of infrastructure changes.

Actionable Tips

  • Manage and deploy configurations for WAF and API gateways using Ansible to ensure consistent and error-free deployment across environments.

  • Store IaC scripts in version control systems like Git to track changes and ensure reversibility.

  • Use CI/CD pipelines to automate the deployment of infrastructure changes, ensuring all environments are consistent and up-to-date.

The below GitHub Actions workflow shows how to automatically install dependencies and run an Ansible playbook to deploy infrastructure whenever code is pushed to the main branch.

name: Deploy Infrastructure

on:

  push:

    branches:

      - main

jobs:

  deploy:

    runs-on: ubuntu-latest

    steps:

    - name: Checkout repository

      uses: actions/checkout@v2

    - name: Set up Python

      uses: actions/setup-python@v2

      with:

        python-version: '3.x'

    - name: Install Ansible

      run: |

        python -m pip install --upgrade pip

        pip install ansible boto boto3

    - name: Run Ansible Playbook

      run: ansible-playbook deploy_infrastructure.yml

      env:

AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

  1. ### Cross-Team Collaboration

Collaboration between development, operations, and security teams is essential for bridging skill gaps and aligning objectives. This collaboration ensures that security considerations are integrated into every stage of the development and deployment processes.

Actionable Tips:

  • Regular Meetings: Set up regular meetings to discuss changes, security issues, and experiences gained in business.

  • Collaboration Tools: Use tools like Slack or Microsoft Teams to maintain open lines of communication.

  • Early Involvement: Include security team members in every project so that security issues are always under consideration.

  • Automation: You can integrate email or Slack notifications into CI/CI pipelines to inform developers about security issues in their PRs.

// GitHub Actions Workflow to Send Slack Notifications:

name: Security Scan

on: pull_request

jobs:

  security-scan:

    runs-on: ubuntu-latest

    steps:

    - name: Checkout code

      uses: actions/checkout@v2

    - name: Run security scan

      uses: github/super-linter@v4

      env:

        VALIDATE_ALL_CODEBASE: false

        VALIDATE_JS: true

        VALIDATE_PYTHON: true

    - name: Send Slack Notification

      if: failure()

      uses: Ilshidur/action-slack@v2

      with:

        status: ${{ job.status }}

        text: "Security issues detected in PR #${{ github.event.pull_request.number }}. Please review the findings: ${{ github.event.pull_request.html_url }}"

        fields: repo,commit,author,action,eventName,ref,workflow,job,took

      env:

        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

  1. ### Implement Rate Limiting and Throttling

Rate limiting and throttling allow you to restrict the number of requests a user or service can make to an API within a certain time frame. It helps protect servers from denial-of-service (DoS) attacks and ensures fair usage among clients.

Actionable Tips:

  • Define rate limiting and throttling policies in the API gateway to control the request rate per user or IP address.

  • Monitor and adjust thresholds based on observed traffic patterns and application requirements.

  • Implement backoff and retry mechanisms to handle rate limit errors gracefully.

Following these best practices will allow DevOps teams to include WAF and API gateway into their processes and provide equal levels of both security and productivity.

open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.

To learn more about how open-appsec works, see this White Paperand the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .