Complement web application firewalls and API management

Written by: Gábor Marosvári, Product marketing lead, Balasys

Created: 2020-10-29

A Proxedo API Security use case

Today’s API attacks are increasingly complex, targeted, and easily bypass traditional security solutions. Even Web Application Firewalls (WAFs) and API management tools are unable to block these attacks as they are not optimized for deep inspection of API traffic. API security is not the main scope of these solutions, but a "checkbox feature" in many cases. Without targeted protection, you may be exposing your core systems data with a false sense of security. The following post highlights the key limitations of WAFs and API management tools and suggests a purpose-built complementary solution against API-specific threats.

Challenge No.1.

Limitations of WAFs

A web application firewall (WAF) filters, monitors, and blocks HTTP traffic to and from a web application. However, WAFs are unable to block targeted API attacks as they are not optimized for deep inspection of API traffic. WAF products are typically optimized for signature-based filtering of HTTP traffic. They are not suitable for controlling data flow embedded in API communication. They lack traffic validation, detailed logging and the ability to implement customized security policies. Enterprises using traditional WAFs should need a specific solution that explicitly addresses these limitations.

The Solution

API Security beyond WAF

Proxedo API Security (PAS) is a specific web application firewall exclusively for protecting API-endpoints. It's a highly flexible network security solution that helps your enterprise gain control over the application communication to prevent API breaches. Based on our Deep Packet Inspection (DPI) technology, you can validate, encrypt and analyze API traffic in detail and implement a signature-based protection. Thanks to our flexible architecture, you can enforce custom security policies without compromise. PAS focuses exclusively on security by offering a killer combination of enforcement and insight of API traffic, supplemented by generic WAF functions. Proxedo API Security perfectly complements traditional WAF solutions.


The following table summarizes the key differentiators of Proxedo API Security compared with traditional web application firewalls:

Web Application FirewallsProxedo API Security
Focus only on web application protectionFocus on web application and B2B application integration protection
Inspection only on HTTP protocolInspection on API layer
No DPI (Deep Packet Inspection)Advanced DPI
No API call validationAPI call validation
Limited logging capabilitiesCustomizeable traffic- & security logging
No flexible policy configurationFlexible policy configuration
Pattern matching based on URL database (black list)Policy and rule implementation based on the protected service ("white listing")

Challenge 2.

Limitations of API management tools

The main scope of API management tools is creating, deploying, and managing APIs. Security is not the main scope of these tools. API management tools typically focus on:

  • API lifecycle management
  • API client authentication, authorization and account management
  • API traffic orchestration, optimization and load balancing and
  • Descriptors and documentation

The Solution

API Security beyond WAF

Proxedo API Security is NOT a management tool, but a dedicated solution with clear focus on security. In contrast to API management vendors where security is just a checkbox feature, PAS focuses exclusively on API endpoint protection by offering a killer combination of validation, transformation, encryption and insight of API traffic. From security standpoint, Proxedo API Security adds great value to API management solutions, as well. As an extra layer, PAS supports:

  • API traffic validation
  • Customizable API traffic encryption
  • Customizable security policies
  • In-depth, data-level logging and insight
  • Connection to authentication systems

Learn more about Proxedo API Security here.