Web Application API Discovery & Protection with FortiWeb
DOI:
https://doi.org/10.63282/3050-9416.IJAIBDCMS-V7I1P144Keywords:
Web Application Security, API Discovery, API Protection, FortiWeb, Web Application Firewall (WAF), API Security Management, Automated API Discovery, REST API Security, SOAP API Security, OWASP API Security Top 10, Threat Detection and Prevention, Bot Mitigation, Application Layer Security, Zero-Day Attack Protection, Machine Learning-Based Security, Traffic Inspection and Filtering, Secure DevOps (DevSecOps), Cloud Application Security, Hybrid Deployment Security, Vulnerability MitigationAbstract
Modern-day web applications rely heavily on APIs, creating an expanded attack surface that demands some specialized security measures. In this paper, we examine FortiWeb, which is a web application firewall (WAF) from Fortinet that addresses API discovery and protection in enterprise environments. The architecture of FortiWeb combines traditional WAF defenses with machine learning-driven API discovery and schema-based protection to safeguard APIs against both known and unknown threats [8], [10], [11]. The key capabilities include the automatic detection of undocumented API endpoints, enforcement of Open API/JSON/XML schema definitions, and runtime policy controls, which together form a positive security model [11], [14]. This solution provides real-time visibility into API traffic and threats, thus allowing security teams to identify the shadow APIs and enforce granular policies without excessive manual configuration [9],[24]. We will also discuss the API attack surface in modern web applications. FortiWeb’s architectural approach to API security, the mechanisms for API discovery and protection, and the operational considerations. The use case scenarios illustrate FortiWeb in action, and we will outline limitations and practical constraints. This study highlights the integration of FortiWeb’s API discovery and protection capabilities that can significantly enhance the security of web application APIs while aligning with DevSecOps practices.
References
1. OWASP Foundation, OWASP API Security Top 10 – 2023, OWASP, 2023.
2. Gartner, Market Guide for Web Application and API Protection (WAAP), Gartner Research, latest edition.
3. Salt Security, The State of API Security Report, Salt Security Labs.
4. Akamai, API Security: Threats, Risks, and Mitigations, Akamai Technologies.
5. Verizon, Data Breach Investigations Report (DBIR), Verizon Enterprise.
6. HIPAA Journal, Healthcare Data Breaches and API-Related Exposures, HIPAA Journal.
7. ENISA, Threat Landscape for Web Applications and APIs, European Union Agency for Cybersecurity.
8. Fortinet, FortiWeb Web Application Firewall – Product Datasheet, Fortinet Inc.
9. Fortinet, FortiWeb Administration Guide, Fortinet Documentation Library.
10. Fortinet, Machine Learning–Based Protection in FortiWeb, Fortinet Whitepaper.
11. Fortinet, API Security with FortiWeb, Fortinet Technical Whitepaper.
12. NIST, SP 800-53: Security and Privacy Controls for Information Systems and Organizations, National Institute of Standards and Technology.
13. NIST, SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS), National Institute of Standards and Technology.
14. OpenAPI Initiative, OpenAPI Specification Version 3.0, Linux Foundation.
15. W3C, XML Security Considerations, World Wide Web Consortium.
16. GraphQL Foundation, GraphQL Security Best Practices, GraphQL Working Group.
17. Gartner, Understanding and Managing Shadow APIs, Gartner Research Note.
18. OWASP Foundation, Automated Threats to Web Applications, OWASP.
19. IETF, RFC 7519: JSON Web Token (JWT), Internet Engineering Task Force.
20. IETF, RFC 9126: OAuth 2.0 Security Best Current Practice, Internet Engineering Task Force.
21. OWASP Foundation, Broken Object Level Authorization (BOLA), OWASP API Security Project.
22. Imperva, Bad Bot Report, Imperva Research Labs.
23. Cloudflare, API Abuse and Rate Limiting Best Practices, Cloudflare Security Blog.
24. NIST, SP 800-61: Computer Security Incident Handling Guide, National Institute of Standards and Technology.
25. Google, DevSecOps Best Practices for API Security, Google Cloud Security Whitepaper.
