Application security consolidation remains nuanced

As web application and API protection converge into cloud-based WAAP, Enterprise Strategy Group research shows enterprise interest, but security concerns remain.

One of the clear themes across cybersecurity is consolidation. For many organizations, the sprawl of point tools has reached a tipping point of diminishing returns. By adopting platforms, organizations hope to achieve improved efficiency, lower costs and, hopefully, better security outcomes. Some examples of this trend include Secure Access Service Edge and security service edge in network security, extended detection and response in security analytics and operations, and cloud-native application protection platforms in cloud security.

Another seeming area of convergence is web application and API protection, or WAAP. WAAP is the consolidation of web application firewalls, bot management, DDoS mitigation and API protection in a single product typically delivered via the cloud. TechTarget's Enterprise Strategy Group research, "Trends in Modern Application Protection" (July 2022) showed significant interest in WAAP, with 24% of organizations in active deployment and 51% planning to deploy in the next 12-24 months. But despite this high level of interest, 58% of organizations use or anticipate continuing to use standalone tools for at least some of their applications. While some organizations said their interest in WAAP is due to the investments in the tools they use today (43%) or the fact that it will take time to replace their existing tools (38%), other factors are also at play.

Dedicated point tools vs. WAAP options

Nearly half of organizations (45%) said they will continue to select best-in-class tools, while some specified they feel WAAP cannot adequately protect against bot or API-focused attacks. This is a common objection, with few organizations willing to sacrifice efficacy and security capabilities for convenience.

The reality is that while WAAP tools can provide coverage for bot and API attacks, their capabilities might be more limited than dedicated tools. For example, some WAAP tools require API specification files to be manually uploaded. This might not be an issue for organizations with smaller API footprints, but more advanced organizations likely need tools that can discover API endpoints on their own or integrate with API gateways to do so. Some WAAP products are moving in this direction, but it is an important factor to consider.

Beyond security considerations, many organizations pointed to their distributed, diverse application footprint as a reason they will continue to use standalone tools.

Beyond security considerations, many organizations pointed to their distributed, diverse application footprint as a reason they will continue to use standalone tools. Specifically, 43% said they would use different tools depending on application location, while 42% indicated different groups prefer to use different tools. The second point stands out in particular, because while other aspects of the security stack have been affected by changes in organizational responsibility, application security in particular has become incredibly distributed. Especially in larger organizations, the fact that lines of business often drive application development can make it much harder to fully standardize on a single web application security platform. The breadth of products and services available across dedicated security providers, such as Imperva and ThreatX; networking providers, such as F5 and Radware; cloud delivery networks, such as Akamai, Cloudflare and Fastly; and cloud service providers, such as AWS, Microsoft and Google, also play into this, with different options being more appealing to different personas and groups.

With all these facts in mind, it becomes clear that WAAP is less about the complete consolidation of the application security stack and more about better integrating layered protections to address the fact that many attacks today are multivector, use bots and target APIs. Over time, organizations might begin to standardize on a provider. But in the short term, security teams should think about where an integrated, cloud-centric approach would make the most sense, and the type of vendor best suited to support that particular application.

John Grady is a principal analyst at TechTarget's Enterprise Strategy Group who covers network security. Grady has more than 15 years of IT vendor and analyst experience.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.

Dig Deeper on Application and platform security