This GigaOm Research Reprint Expires: Mar 21, 2023

GigaOm Radar for Application and API Protection v1.01

1. Summary

Application development and deployment architecture have been changing to accommodate new platforms, processes, and application needs. Increasingly, applications are collections of application programming interfaces (APIs), both public and private, connected in the core “application” with the user interface.

This combination creates an application that’s more difficult to protect than those traditionally protected by web application firewalls (WAF). Modern applications require all the functionality of WAF plus all of the protection offered by API security and API management products. These types of protection, when merged, make up a comprehensive application and API protection (AAP) solution category.

Application architectures have also changed—applications can be spread across multiple clouds, running in Kubernetes, hosted in the datacenter, or co-hosted with a vendor. AAP products must protect all important portions of the overall application and protect them wherever they are deployed.

For an analysis of the key features and functionality to consider when looking at AAP products, see our Key Criteria report for Evaluating Application and API Security Solutions.

As the application architecture has become more complex, the sophistication and volume of attacks have increased independently. This causes a litany of issues for IT staff. The volume of attack data, number of attack vectors, and dispersion of attack activity all make protecting applications harder. AAP products need to either outright block known and identifiable attacks or offer advanced filtering of data that’s escalated to IT staff to keep the volume of alerts at a manageable level.

There are many attack vectors, some of them requiring unique protection capabilities. The AAP space requires protection against application-layer distributed denial of service (DDoS) while well-known attacks are detected and/or blocked at the same time, even though these two types of protection generally use different detection and remediation techniques.

Integration with security information and event management (SIEM) solutions allows this critical piece of application security to be included in post-mortems and even in secondary detection generated and managed on the SIEM.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
  • Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
  • GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
  • Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

2. Market Categories and Deployment Types

To better understand the market and vendor positioning (Table 1), we assess how well solutions for Application and API Protection are positioned to serve specific market segments.

  • Small-to-medium enterprise: In this category we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises, where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
  • Large enterprise: Here offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category will have a strong focus on flexibility, performance, and features to improve integration with the organization’s broader security framework, and Data Leak Protection (DLP). Scalability is another big differentiator, as is the ability to protect the same service in different environments.
  • Service provider (cloud, managed service provider, and network service provider): Offerings tuned to service providers will likely be targeted at reselling, as service providers thrive in that environment. The solution’s ability to protect multiple customers and multiple applications per customer will require increased attention to scalability. For self-serve scenarios, the service provider will want ease of use to be paramount, for their customer’s sake.
  • Public sector: Governments have their own sets of requirements that often echo those of the private sector, but are unique in several ways. Pricing flexibility, multi-year contracts, ability to prove that protection is “good enough,” and massive logging capabilities are all more important in public sector work. Ability to interoperate with older software, while not limited to the public sector, is more common in this environment.

Table 1. Vendor Positioning

Market segments rated (columns): Small to Medium Enterprise, Large Enterprise, Cloud Service Provider, Managed Service Provider, Network Service Provider, Public Sector
Vendors rated (rows): Akamai, Barracuda, Citrix, Cloudflare, F5, Fastly, Fortinet, Imperva, Radware, Wallarm
(Per-vendor ratings for this table are not reproduced in this text version.)

Rating scale:
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
Not applicable or absent

For this report, instead of focusing on where the solution can be deployed, we focus on how and where the solution can protect applications (Table 2). While we discuss deployment of the AAP product itself when it matters—often in the case of container-native applications—we are more concerned with what the solution can protect. In our estimation, where the tool is deployed is an implementation detail, while where it can protect applications will impact an organization’s choices for application deployment many times over.

  • Public cloud (including hybrid and multicloud): Applications deployed to one or more public clouds can be protected by this solution.
  • Private cloud: Applications running in whole or in part on private cloud stacks like OpenStack can be protected by this solution.
  • Physical and virtual servers (traditional): Applications running in whole or in part on physical or virtual servers, in the datacenter, or co-hosted, can be protected by this solution.
  • Containers: Applications running inside a container management solution such as Kubernetes or service mesh like Istio can be protected by this solution. In this scenario, we are explicitly looking for solutions that have a container component to deploy inside the container management tool and take advantage of the visibility this architecture provides.

Table 2. Vendor Protection Coverage

Deployment models rated (columns): Public Cloud, Private Cloud, Hybrid Cloud, Physical Appliance, Virtual Appliance, Container Image
Vendors rated (rows): Akamai, Barracuda, Citrix, Cloudflare, F5, Fastly, Fortinet, Imperva, Radware, Wallarm
(Per-vendor ratings for this table are not reproduced in this text version.)

Rating scale:
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
Not applicable or absent

3. Key Criteria Comparison

Building on the findings from the GigaOm report, “Key Criteria for Evaluating Application and API Protection,” Table 3 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. Table 4 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 3. Key Criteria Comparison

Vendor       Rules    AI           API        Data Leak   Credential   Bot         Metadata
             Bundles  Enhancement  Discovery  Protection  Stuffing     Management  Evaluation
                                                          Protection
Akamai       3        3            2          3           2            3           3
Barracuda    3        2            2          3           3            2           3
Citrix       3        2            2          3           2            3           2
Cloudflare   3        2            3          3           2            3           3
F5           2        2            3          1           2            3           3
Fastly       3        3            3          1           3            2           3
Fortinet     3        2            2          2           2            2           2
Imperva      3        3            3          2           3            3           3
Radware      3        3            3          3           2            3           2
Wallarm      3        2            3          1           2            2           3

Rating scale:
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
Not applicable or absent

The key criterion that garnered some of the lowest scores across vendors was Data Leak Protection (DLP). In fairness, DLP is widely implemented in the AAP market, but AAP products are not the only way to achieve DLP in the enterprise.

Table 4. Evaluation Metrics Comparison

Vendor       Flexibility  Scalability  Breadth of Coverage  TCO/ROI
Akamai       2            3            3                    1
Barracuda    2            3            3                    2
Citrix       3            3            3                    3
Cloudflare   2            3            3                    3
F5           3            2            3                    3
Fastly       2            2            3                    3
Fortinet     2            2            3                    3
Imperva      2            3            3                    3
Radware      3            3            3                    2
Wallarm      3            3            3                    3

Rating scale:
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
Not applicable or absent

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for Application and API Protection

As you can see in the Radar chart in Figure 1, this space is currently in flux. Some vendors, like Fastly, have folded in recent acquisitions and are in the process of expanding the resulting merged products. Others, like F5, are far earlier in that same process and will be moving like an innovator as they take advantage of the products and developers recently acquired. Yet others, like Imperva, are innovating after a period of consolidation and maturity development.

We expect Radware and F5 to see the highest rate of change: F5 as it moves its vision to encapsulate several recent (or mid-term) acquisitions under Volterra, and Radware because of its vision of what is coming to the space, combined with plans for short- to mid-term feature development. While the rate of change is not always a positive factor in product development, we expect it will be one in both of these cases, as F5 focuses its product offering and brings a unified view of AAP to its lineup, and Radware improves on an already good product, moving things toward its vision of the future.

Akamai, Cloudflare, and Fastly offer protection from their networks and sell AAP functions on top of their CDN or ADN offering.

Barracuda, meanwhile, has consolidated and stabilized its offerings recently.

Citrix balances innovation and maintenance, adding some new functionality but nothing beyond what its competitors are adding. Fortinet offers a full set of options for where to deploy its solution but is not currently creating value beyond the market average. Fortinet’s current focus on innovation is AI/ML, but this feels more like catch-up compared to competitors’ movements.

Wallarm has positioned itself as “closer to developer tools” and continues to move in that direction. While not innovating a lot right now, it is a different solution from most in this review, and some of its base functionality might be considered innovative for this market.

Overall, there are no terrible choices in this Radar report. Any of these products will do the job, with features and costs being the determinant of which best fits a given organization. As often happens in emerging markets, the merged market of AAP encompasses a wide swath of prices for an organization to choose from, along with feature and reliability questions that inform product choices.

Most of these vendors list ease of use concerns as one of the things they will improve going forward, but most are not terribly difficult to use; there are just some portions of each solution that could be improved upon.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Akamai App and API Protector

App and API Protector comprises many parts that Akamai has merged into a single solution. These include web application firewall, bot mitigation, API security, and DDoS protection. As a CDN, Akamai inspects traffic before it gets to a customer’s network, let alone an application. No matter where the application rests, this involves terminating the SSL, inspecting the requests, then (typically) re-encrypting with an SSL connection to the application. Many solutions in this market offer this functionality, but Akamai offers SSL termination and SaaS protection as the only option because of the nature of a CDN. If a SaaS solution is most appealing, Akamai will likely be on the shortlist of viable vendors.

Akamai has a rock-solid CDN underlying its App and API Protector, and they are integrated to the point of single-pane management. Ease of use became a key element of merging the features into a single product. This ease of use is countered by a high cost (particularly if you are not currently an Akamai customer), and some will find the architecture limitations (always terminating off-network, and no container solution) off-putting.

Taken as an aggregate, the CDN plus application protection offers a broad level of protection to applications running on or behind the Akamai network. There is no direct support for container management and mesh environments, however. There is increasing demand for container-native security among customers, so the apps can be protected from connections that actually make it through to the container. Akamai does not provide this level of security, and while Akamai could do so (as others have by creating a container-native tool to link into their other solutions), there is no indication that it is considering this move at the moment.

Between an expansive base of rules and multi-dimensional protection that includes data from across the Akamai network in decisions, Akamai claims a 5x reduction in false positives while increasing the level of protection. Much of this reduction comes from AI implementations monitoring the network, and it’s good news for customers, to be sure.

For any other environment besides a container management heavy one, Akamai’s deployment model is “good enough.” Tackling things like DDoS before they ever hit the customer’s network is great. Tackling things like password compromise attempts off-network is a bit more problematic. But overall, Akamai’s solution is solid, if double the certs (one certificate to terminate for them, one to terminate from them to the app) is acceptable. Existing Akamai customers will find the solution more affordable than new customers, who will likely suffer sticker shock. Indeed, smaller organizations will find its pricing prohibitive. This is not unique to Akamai, and about half of the market has pricing that, even though reasonable for the value provided, will rule out the solution for most SME customers.

Strengths: The breadth of protection, combined with newer AI enhancements and metadata evaluation are top-of-list. The ability to combine metadata and results across Akamai products also strengthens AI results.

Challenges: Cost will be the biggest challenge, particularly for new customers and small businesses. Lack of integrated support for container management and mesh deployments is also an issue.

Barracuda Cloud Application Protection

Cloud Application Protection is a framework for Barracuda’s core WAF product that adds active threat intelligence, identity and access control, and protection for client-side APIs, bots, and DDoS. The device can be deployed to the environment of users’ choice then configured to protect applications wherever they reside. With SSL termination and origination, the applications being protected can be as distributed as an organization requires, but there will be less latency if both the WAF and the bulk of the applications it serves are on the same private network (avoiding re-encrypting connections).

Barracuda uses ease of use as a key differentiator. Several vendors make this claim, but Barracuda uses the same tool in every form factor, so the learning curve is a one-time proposition while still allowing customers to choose which form factor best suits the application. We were impressed by the breadth of protection offered. It’s one of the few vendors to support all of the OWASP API Top Ten in addition to the OWASP Top Ten, and the product’s integrations are comprehensive, zeroed in on scanners, authentication, and SIEM.

Credential stuffing also stands out for Barracuda. While it offers many protections within the product, the credential stuffing protections watch for both large username/password compromises and brute force attacks. To this protection, Barracuda has added an ML layer that can detect attempts to avoid rate-limiting triggers, with more detection capability coming. With that said, credential stuffing and bot detection are the only two areas we looked at that include AI/ML in processing at the time of this analysis. This status lags behind most competitors in AI usage, but it is early in the AI functionality implementation cycle, and we expect more to come from Barracuda.

Barracuda is more opaque about its rules engine than most vendors in the space, which will put off some customers who are used to understanding exactly what is happening with their applications. API discovery allows for importing OpenAPI definitions but not for supporting those imports with traffic analysis to expose shadow APIs. This puts the product behind most others in the space for API detection/discovery.

Strengths: The “deploy anywhere, protect everywhere” nature of the Barracuda solution, while not unique, does offer the most options for prospective customers. The credential stuffing solution is also comprehensive. Overall, user account protection is likely the product’s biggest strength.

Challenges: The rules engine is a bit of “secret sauce” that Barracuda refers to as “internally developed.” This might be okay, but it will make customers cautious. The product is also behind the competition in both API discovery and AI enhancement.

Citrix Web Application and API Protection

Web Application and API Protection is an add-on to Citrix’s ADC product that implements WAF and API protection but is also available as a service. Central to its functionality is the ADC, WAF functionality, and the standard collection of beyond-WAF tools we discuss throughout this report. Citrix can be deployed anywhere you might put the bulk—or even one—of your applications. While a couple of other vendors match its deployment flexibility, the container implementation allows for container management internal security enhancements, and Citrix’s “Intent based configuration” is aimed at making it easy to get these instances running and offering your applications’ protection.

One area that Citrix excels in is the product’s single pass architecture, but there was no specific spot in our research proposal to discuss it. Citrix believes that this architecture provides better performance, and customers benefit from reduced ADC/WAF/AAP resource needs.

By contrast, Citrix identifies APIs that are not documented and configured in the system and compiles a list, but goes no further. Most competitors that offer this functionality actually build the OpenAPI definition for adding to the system and simply ask operators whether they should add it. Most security organizations will not sit on undocumented APIs if they have a way to secure them. Because Citrix does not generate a schema from the run-time calls, developers or security staff will have to re-create the definitions in Swagger or another OpenAPI tool, or in a tool like SoapUI for XML-based APIs. That is time better spent elsewhere; if traffic to an API was seen, much could be inferred about that API from the nature of the calls. At a minimum, generating definitions for SOAP or REST in a public format (like OpenAPI) and handing them off for developer verification would reduce the time to protect these APIs.

Metadata available for rules is a little more limited than what most competitors include. Rules can use any metadata in a packet, but packet contents are only a subset of the metadata that could be made available. Most vendors offer metadata like geolocation, standardized time, and similar data. Some competitors go even further, pulling in metadata from complementary products and services (their own or others with integrations) to include in user-defined rules. Citrix has those integrations with its core ADC product, so plenty of information could be made available to AAP rules.

Citrix is an old-school, value-based sales company. That means it is difficult to get pricing without deep involvement of their sales staff. Enough research online will turn up resellers who have MSRP prices posted, allowing an organization to decide whether Citrix belongs on their shortlist, but that is a lot of work just to find out if the vendor is worth talking to. While the model that Citrix works off of is not uncommon in established tech companies, the industry trend is definitely away from masked price lists.

Strengths: Citrix implements “deploy anywhere and manage everywhere,” which is not unique, but we consider a top-of-market feature. The product also excels at intent-based configuration and has instituted a solid single-pass architecture.

Challenges: Pricing and price transparency are an early hurdle for Citrix. Identifying but not generating import definitions for shadow APIs will be an issue, and metadata is less expansive than most competitors.

Cloudflare Application Protection Products

Cloudflare Application Protection Products consist of a WAF and separate subsystems for additional functionality from API protection to DDoS. The solutions are implemented on Cloudflare’s edge network, and because routing is the way protection is added, it is one of the faster solutions to get up and running. Any vendor with a CDN style network should be able to bring solutions up quickly, but Cloudflare is one of the few that actually calls out that ability.

Cloudflare has an impressive DDoS protection implementation. It’s integrated with all other layers’ DDoS protection and spread across the edge network, so AI and human operators can watch and react to new DDoS threats. There is no separate charge for DDoS as it comes bundled with the WAF.

Page Shield is a differentiator in that it is offered at all. The tool offers JavaScript protection for web pages. This functionality can watch for or block changes to pages that include JavaScript dependency changes. The solution can also scan for malicious dependencies in deployed JavaScript. While other markets include products that perform this functionality, having it in the WAF is logical and appears easy to implement.

Cloudflare offers a solid rules engine as well. The breadth of rules and rules engine implementation are both bonuses. The scenarios for developing and deploying rules that we envisioned are covered by the Cloudflare product and their SOC team.

AI/ML functionality is still growing at Cloudflare. This is true to a greater or lesser extent at every vendor because AI is still relatively new and even newer to network traffic evaluation. Yet Cloudflare is a bit behind the competition, with plans to catch up in the short-term future. An argument could be made that the breadth of Cloudflare’s rules is both a counterweight to and a cause of this gap.

Finally, the absence of an instance that can run inside container managers and handle the specific containerization needs holds the product’s architecture grade back a bit. If an organization is not invested in container management, or wishes to handle security for all applications the same way regardless of deployment platform, this should not be an issue.

Strengths: The wholly integrated DDoS mentioned above is not unique but is a plus, and its rules engine is a complete solution.

Challenges: AI implementation lags behind the market. Like a couple of other vendors, Cloudflare has not yet implemented an integrated container management/mesh solution.

F5 Distributed Cloud Web Application and API Protection

F5’s core AAP solution is F5 Distributed Cloud Web Application and API Protection. The company’s recent acquisition of Volterra (one year before this writing) placed F5 in an “embarrassment of riches” position: it had the core F5 ADC, which includes a WAF, it had purchased Shape not long before, and it had picked up other security-related companies along the way. Settling on Volterra as the core F5 solution and using the others in supporting roles was, in our opinion, a wise choice, but there will be some rough spots.

Volterra was unique in that it came to the market as an application protection solution rather than as a CDN or ADN, and has proven a good fit as F5 has enhanced its platform. The term “cloud native” is frequently used in F5 literature, but the solution shines in its ability to protect apps anywhere you want to deploy them, including running inside your Kubernetes cluster to help manage K8s security.

The refined F5 offering provides a host of complementary solutions. For example, F5’s AI-enhanced bot protection can leverage the advanced AI capabilities from the Shape acquisition to extend heightened protection to sites that need it. As things settle out, these connections will become more standardized; as of today, some of them are, others are not.

F5 Distributed Cloud Web Application and API Protection is a solid competitor in this space, with API detection reporting above and beyond most competitors, including the ability to draw visual interaction diagrams while also generating the API definition for import, which is among the best in this analysis. Other stand-out functionality includes zero day protection and bot management—which, if F5 Distributed Cloud Bot Defense add-on functionality is included, is one of the best in the market. The inclusion of metadata is another stand out.

The area that we’d like to see improved is DLP. The available prevention is more incidental than intentional. If the WAF is configured with Regex rules to spot sensitive data, it will detect that data. The same is true for volumetric protections and the like. In essence, it is a manual solution in that the rules would have to be developed. This should not be an issue if a different DLP solution is in place, or AAP is not purchased for DLP functionality.

The big challenge for F5 over the next year or two will be to take full advantage of the market-leading tools it has acquired recently. The company appears headed in the right direction, but the history of large organizations consuming and integrating smaller, more agile competitors is not great. F5 appears set to deliver on the value of this acquisition, and we hope it does, but that’s the biggest thing for customers to watch in the next 12 months or so.

Strengths: An application delivery network (ADN) is like a CDN but better for AAP purposes. Having a good solution at the core and value-add services like those from the Shape acquisition is a bonus.

Challenges: F5 faces a challenge as it continues to fold in the Volterra acquisition. Long-term, DLP will have to have an actual implementation to be competitive in this space.

Fastly Next Gen WAF

The Fastly Next Gen WAF consists of API protection, DDoS, bot mitigation, and SSL acceleration. The WAF is deployed on Fastly’s network, with agents deployed alongside applications. Agents perform a layer of protection by stopping malicious connections and sending anonymized data out to the Fastly network for advanced detection and trending.

Fastly operates its own network and is more of an ADN in execution than a CDN. The addition of Signal Sciences puts its product lineup firmly into the AAP market space and gives Fastly a solid solution to build upon.

The marriage of a SaaS solution with local agents and optional local “modules” (think accelerator) allows the product to offer flexibility in deployment that most competitors can’t match. From the depths of a service mesh to the physical server in the datacenter, the product has a way to monitor what is happening.

The greatest strength of Fastly is deep integration into container management/service mesh products that enterprises use. From Docker to Istio, support for the logistics of how you plan to deploy is available. If your organization is using or moving to containers, and deeper protection and reporting than most vendors offer is required, Fastly should be considered.

On the other hand, the non-investment in APIs stands out as a counterpoint. Fastly believes that the stream inspection done by all AAP products is sufficient in their case to protect APIs without maintaining separate API information. This could be right, but we find the claim unlikely. Other vendors surely would have followed the same “less is more” path, were this 100% true. Moreover, when a new API suddenly appears in the network, API inventory systems can alert security to determine why it appeared, whether it is malicious, and what levels of protection it requires. Fastly’s “good enough” approach leaves room for an API that would normally require log-in, for example, to be copied without requiring valid credentials. However, if some other system or process identifies shadow APIs, it should not be a concern for a given organization.

Fastly does not really do DLP; when we asked about it, the answer was not responsive to the issue.

Strengths: Deployment options are largely unmatched, as are container management and mesh support.

Challenges: API protection and DLP are both challenges in the Fastly product compared to competitors.

Fortinet FortiWeb

FortiWeb is Fortinet’s solution for Application and API Protection. Sitting, like most products in the space, between applications and the rest of the world, it aims to filter out malicious requests and allow legitimate ones. FortiWeb offers solutions in every environment that an organization might desire, allowing placement of the FortiWeb solution close to the bulk of applications it will protect.

The place where we feel Fortinet is ahead of competitors is in the AI/ML space. While other vendors use a decent set of early algorithms to power their AI detection tools, Fortinet uses a two-tier algorithmic architecture to identify anomalies and then filter out threats. And Fortinet says it plans more innovation in this space over the coming months.

We were not impressed with the product’s rules support—it currently relies heavily on Fortinet’s FortiGuard Labs threat intelligence service—but the AI portion of this detection may render our view of rules support irrelevant. It is not a question of whether the product has a ton of rules bundles and whether users can turn them on and off, but rather “Can the product reliably stop attacks while letting suspicious but legitimate traffic through?” If Fortinet’s AI investment means the product can do just that, the requirement will be met. As of this writing, the rules solution is as comprehensive as everyone else’s, just not as adaptable. Similarly, while the use of metadata in AI algorithms is clearly stated and understood, it appears that users cannot access metadata to create rules that protect the one odd duck application that needs special protections.

For the most part, FortiWeb came across as a solid solution based on a shared technology platform that can make the most of AI/ML in service to protecting applications. The ability to integrate it into the other Fortinet product lines is a nice bonus, offering (like other broad solution vendors do) the ability to run things like DDoS protection at multiple network layers and share information between solutions.

Strengths: AI/ML is Fortinet’s biggest strength. The breadth of deployment options is also complete.

Challenges: The current state of rules takes control away from customers. Metadata for rules is limited to AI usage in many cases.

Imperva Application and API Protection

Imperva Application and API Protection is the solution set Imperva offers in this space. It consists of multiple products across two product lines. Key products include Web Application Firewall, Runtime Protection, Advanced Bot Protection, API Security, Client-Side Protection, Serverless Protection, and Attack Analytics. Like most solutions, it sits as a proxy between the application and the world. Imperva’s deployment model is solid, with the ability to protect applications wherever they reside and to deploy anywhere but in a container.

The quiet but extensive use of AI everywhere in a layered environment to pare down false positives and negatives is impressive. Imperva claims that this automation allows users to turn on blocking from the moment of installation and have it working. That is more than any other vendor claims and makes an impressive data point. But we do recommend that customers validate that claim with a PoC or similar proof point.

We find DLP to be a weak point in the product: the system will classify API responses, then let the user figure out how to write rules—but apparently only rate-limiting rules—to deal with the problem. Offsetting this weakness, Imperva is the only vendor that included infrastructure protection in DLP: things like database and web server configuration files that absolutely need protection. If an organization is using some other tool for traditional DLP, or is purchasing AAP for different reasons, this weakness should not matter, and the infrastructure protection might be a plus. In fact, we would like to see infrastructure configuration file leak protection become standard across this market.

Strengths: The use of AI for bot detection, API protection, and zero-day protection is among the best we’ve seen in the market. Protecting infrastructure configuration files is one of the most real-world differentiators found in our analysis.

Challenges: Imperva’s lack of a mesh-specific solution and its DLP limitations are both areas in which the product offering could be improved moving forward.

Radware Web Application and API Protection Solution

Radware offers its recently rebranded Web Application and API Protection (WAAP) Solution with Integrated WAF in the AAP space. Additionally, it offers a set of cloud services including bot management, API protection, DDoS protection, threat intelligence feeds, and ERT managed services as add-ons to the above.

This solution’s protection against common standards such as the OWASP Top Ten, OWASP API Top Ten, and OWASP Automated Threats to Web Applications surpasses that of any other vendor in this review. Likewise, Radware is the only vendor in this review to include Cloud Infrastructure Entitlement Management (CIEM) in its product. This is one area where we believe Radware is ahead of the competition. While most vendors leave CIEM implementation to a separate market, we see it as inevitable that the AAP market or the WAF market will eventually include CIEM in protecting the overall application infrastructure.

Likewise, Radware covers API ingestion/import effectively, with both OpenAPI import and API discovery based upon traffic. This is not unique in the market, but the next step is beyond what most competitors can do: Radware creates OpenAPI definitions for discovered (“shadow”) APIs. This allows for support of all APIs, imported and discovered. It is not strictly alone in taking this step, but this feature is the definition of “best of breed” for API discovery at this time.

Radware has worked on bot management in a multi-layered system that protects systems from several directions. Using rules plus AI, plus situational metadata, Radware is ahead of the general market in this space.

Radware’s solution, consisting of separate products for cloud, container, and datacenter, puts it behind what other vendors are implementing or already have implemented. Deep integration is harder when there are multiple parallel products involved. The fact that the three Radware variants are priced differently (one per box, one by number of requests per month, and the last by throughput) shows how quickly these things diverge when not treated the same way. Billing is not the only difference, and understanding the differences between deployment models is important for customers considering Radware. The solution should otherwise appear on any shortlist, so it is worth understanding those differences with respect to the platform an organization will deploy to.

Strengths: Excellent support for OWASP standards, API import that includes all of an organization’s APIs, and advanced bot management capabilities that rely on rules, plus AI, plus situational metadata.

Challenges: Having different solutions for the same problem based upon deployment adds complexity and is Radware’s one significant challenge.

Wallarm Security Platform

Wallarm Security Platform is built as a single product that offers the key functionality of other AAP products but has divergent functionality that will appeal to some customers.

First and foremost, Wallarm took the next logical step and built in automated API testing. This is inevitable for the market because all of the bits required to perform exhaustive testing will be present when API import and validation are complete. This is one of several areas where we see this market rubbing against and possibly subsuming DevSecOps tools. Wallarm is there first, though.

Next, Wallarm is the only vendor in our analysis that includes domain and subdomain asset inventory as part of its marketing. We believe that any of the solutions in this analysis could perform this task by collecting and aggregating connection data, but Wallarm is the one that has it completed and expresses it as a selling point.

The breadth of support for API interface standards is also ahead of the market, with documented support for REST, SOAP, gRPC, GraphQL, and WebSocket-based APIs.

DLP, on the other hand, is not up to the level of most vendors in the space; it is a passive inspection of responses that is used only if malicious requests are found. But many data leaks have been caused by valid and authorized requests that merely grew too large, or that requested data they would not normally be granted access to but had been. Those might not register as “malicious.”

Similarly, Wallarm’s bot management implementation falls short of most competitors. While its bot implementation protects against DDoS, it is not as expansive as other implementations, leaving room for systems to be attacked by bots that are not part of a DDoS network.

Strengths: Breadth of API support, covering both API testing and API import. Additionally, API interface standards support is the broadest in this analysis. Auto-generated rules to protect shadow APIs are also a strength, but the technology is new enough that it should be tested before use.

Challenges: DLP is not up to market standards. Wallarm’s current bot management is not as advanced as most of the industry. Improvements are on its release schedule at the time of writing.

6. Analyst’s Take

This market is still evolving, and we expect it will grow closer to—and even impinge upon—the DevSecOps market. Both toolsets scan applications and both keep and define security information about apps and APIs. It seems natural that the two will merge eventually. But there is functionality in DevSecOps that is not even a consideration for AAP yet, so it will be interesting to see how the two learn to coexist.

The other market we see this one pushing against is Cloud Infrastructure Entitlement Management. That market protects applications by helping to avoid configuration vulnerabilities in the underlying software infrastructure. If AAP is to secure all applications, that would be a logical direction for one or more of these vendors to differentiate in.

We expect an ever-increasing reliance on AI and ML for AAP and all security-oriented markets in the near term. There are too few security professionals and an ever-growing portfolio of applications that must be protected on an ever-growing number of platforms. AI and ML that improve responsiveness and reduce staff levels required to secure applications properly will be welcomed.

Put another way, the future involves more AI and less human intervention, so any of the products in this analysis moving forward rapidly in the AI space are good candidates for shortlisting.

There are no real “New Entrants” in this space, making it intriguing to think about what might happen if a new player jumped in and disrupted it. A couple of them did a few years back, and the market is due for another new player. It is possible one of the DevSecOps vendors could move in, which would place Wallarm in the position most able to fend off any innovation that customers loved — because its differentiators tend toward serving that market.

In conclusion, there aren’t any truly bad products in this analysis. Some are a bit stronger here or there, but nothing that we would recommend users stay away from. This strength is due partially to the fact that none of these players are new entrants and partially to the fact that the newest ones are only new in the field because they acquired a company that wasn’t. So customers are advised to choose based upon best fit, knowing that any of these products could solve their AAP problems well.

7. About Don MacVittie

Don MacVittie has more than 25 years of technology industry experience, working in nearly every IT position in a wide variety of organizations, from tax software developer to insurance industry strategic architect and IT manager at a utility. Don has been an analyst for the last decade, is named on two networking patents, and has co-authored ANSI and ISO standards in geographic information systems. His love is learning about technology, and he will happily discuss technology with anyone.

8. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

9. Copyright

© Knowingly, Inc. 2022 "GigaOm Radar for Application and API Protection" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.