"Gartner predicts that in 2022, application programming interface (API) attacks will become the most-frequent attack vector, causing data breaches for enterprise web applications.”

When it comes to API security, relying solely on your Web Application Firewall gives you a false sense of security. Traditional WAFs are optimized for signature-based filtering of HTTP traffic. As a result, these WAFs cannot block targeted API attacks as they are not optimized to fully understand the logic of the API traffic. They are not suitable for controlling content flow embedded in API communication.
They lack:

• Validation of API call contents,
• In-depth traffic logging, monitoring, and analytics
• Encryption controls
• Fraud detection
• The enforcement of customized security policies
• Support of micro-segmentation regarding internal API calls
• API specific "Deep Packet Inspection" analysis
• Understanding of the API call (REST/SOAP) and the ability to compare it to the API schema to detect anomalies

If your company is equipped with an extensive API ecosystem and traditional WAFs, you need a purpose-built API security layer that explicitly addresses the above limitations of WAFs.