
Best Practices for Testing Akamai App & API Protector

Written by Jonathan Carvalho

September 07, 2023

Jonathan Carvalho is an Application Security Advisor and Solutions Engineer at Akamai with nine years of experience in identifying security solutions for global brands in the online gaming, media, and entertainment sectors. He is also an Akamai GROW Ambassador and Wellness Advocate, working to bring people together and increase the awareness of the importance of well-being, physical health, and emotional intelligence.

Learn about the best practices that everyone from security professionals to DevOps experts can follow to more effectively test App & API Protector.

Overview

The Akamai App & API Protector solution is a modern cloud-based web application firewall (WAF) that combines API protection and security, bot protections, application-layer distributed denial-of-service (DDoS) protection and mitigation, and malware protection all in one convenient solution.

This API security solution, which helps prevent API attacks at API endpoints, runs on Akamai Connected Cloud, the world’s most distributed cloud platform, which offers unparalleled visibility, intelligence, and performance at scale. 

Central to App & API Protector is the Adaptive Security Engine, our state-of-the-art web application and API protection (WAAP) technology, which provides enterprise organizations with holistic web application security by combining advanced automation, machine learning (ML), real-time security intelligence, and threat research insights. 

  • Advanced automation — Adaptive Security Engine continually adjusts to its environment and web traffic so it can issue and implement new and modified security rulesets where appropriate.

  • Machine learning — Innovative ML analyses provide enhanced anomaly scoring, increased accuracy, and fewer false positives.

  • Real-time security intelligence — Akamai’s extensive global network produces one of the largest cloud security intelligence databases in the world.

  • Threat research insights — Akamai invests in 400 in-house security experts to hunt and inspect attacks around the clock.

These capabilities lend App & API Protector’s Adaptive Security Engine a higher degree of accuracy and operational efficiency than other security options.

By nature, App & API Protector and its built-in technology require a proper testing methodology. Keep reading to learn about the best practices that everyone from security professionals to DevOps experts can follow to more effectively test App & API Protector.

Best practices for testing App & API Protector

The following methodology can be applied during a proof of concept (PoC) or trial when customers seek to evaluate Akamai’s WAF capabilities.

Testing methodology: 8 customer benefits

Akamai recommends customers test App & API Protector in front of production assets rather than pre-production or lab assets. This testing approach is safe because our solution can be easily configured to function only in listening mode; simply set the WAF and Bot Visibility and Mitigation (BVM) actions to “Alert” and “Monitor,” respectively. 

In doing so, customers get a more accurate understanding of how App & API Protector will perform in a real environment. That way, they can better identify and address any requirements or issues before setting security actions, or any other action for managing bot traffic, to “Deny.” This is the only way to get a comprehensive security assessment.

Moreover, following this methodology lets customers:

  1. Discover how low the real world’s false positive rate is and observe how App & API Protector manages false positives. Adaptive Security Engine evaluates production traffic and offers recommendations for modifying security rules that are then automatically implemented once accepted by the customer.

  2. See the false negative rate for unknown threats and realize the benefits of limiting zero-day attack risks. For example, App & API Protector’s Adaptive Security Engine automatically found two critical vulnerabilities in the Spring Core Framework: Spring4Shell and Spring4Cloud. 

  3. Evaluate the capabilities of Client Reputation — a service that provides a reputation score for each IP address based on the potential risk it poses to each application. This is based on Akamai’s unique, direct threat intelligence capabilities built on the large volume of daily worldwide web traffic handled by Akamai Connected Cloud. Customers can use Client Reputation to filter malicious traffic and better protect their applications against web and DDoS attackers, scanners, and scrapers.

  4. Identify the capabilities of BVM, a feature that allows customers to detect bot traffic from partners, competitors, attackers, and fraudsters who are attempting account takeovers using automated bot tools. Although some bots are positive, like Google search crawlers, others may not be. Customers can see which bots are hitting their site and then block or allow them with App & API Protector’s built-in bot protections and authentication security tools.

  5. Experience the speed of Akamai’s WAF security updates, which can be found in the App & API Protector release notes. For example, when a critical remote code execution vulnerability (CVE-2021-44228) was publicly disclosed in Log4j, Akamai provided updated security rules in just a few hours.

  6. Observe the runtime performance benefits of using the Akamai Connected Cloud, including improved latency, resilience, compression, optimal path, caching, and more.

  7. Include only the most relevant attack vectors in security tests. Cloud-based WAFs aren’t generally the best solution for protecting against cross-site request forgery (CSRF) attacks. Therefore, CSRF and similar attack classes should be excluded from tests to avoid biased comparisons and to focus the assessment on scenarios that are consistent with choosing a cloud WAF.

  8. Request assistance from Akamai’s security experts to discover App & API Protector’s advanced capabilities, understand the technical context, and review security tests. The service level offered depends on the selected PoC format.

Note that most elements described above can only be assessed with production traffic. For example, lab testing cannot meaningfully evaluate bot traffic, threat intelligence, or even performance features like caching.
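To make the listen-only methodology above concrete, here is an added example (not Akamai's code or its actual log or policy format) of two checks a practitioner would run during such a PoC: a pre-flight check that every WAF action is "Alert" and every bot action "Monitor" before production traffic is pointed at the policy, and a triage pass over the events the policy records in that mode, which excludes CSRF (item 7) and flags rules that fire on more than a chosen share of all traffic for a false-positive review before their action is switched to "Deny". The policy and event layouts, the sample data and the threshold are all constructed assumptions for illustration.

```python
"""Pre-flight and review helpers for a listen-only WAF trial.

Added example, not Akamai's code. The policy and event layouts below are
assumptions made for illustration; map them to your own export format.
"""
from typing import Dict, Iterable, List, Set


# Constructed policy snapshot: WAF rule actions and bot-management actions.
SAMPLE_POLICY = {
    "waf_rules": {"SQLI": "alert", "XSS": "alert", "LFI": "alert"},
    "bot_actions": {"scraper": "monitor", "credential-stuffing": "monitor"},
}

# Constructed events, as a listen-only policy might record them over one window.
SAMPLE_EVENTS = [
    {"rule": "SQLI", "client": "198.51.100.10", "path": "/search", "method": "GET"},
    {"rule": "SQLI", "client": "198.51.100.11", "path": "/search", "method": "GET"},
    {"rule": "SQLI", "client": "198.51.100.12", "path": "/search", "method": "GET"},
    {"rule": "XSS", "client": "203.0.113.5", "path": "/comment", "method": "POST"},
    {"rule": "LFI", "client": "203.0.113.5", "path": "/download", "method": "GET"},
    {"rule": "CSRF", "client": "198.51.100.13", "path": "/profile", "method": "POST"},
]
TOTAL_REQUESTS = 1000  # constructed: every request seen in the same window


def is_listen_only(policy: Dict[str, Dict[str, str]]) -> bool:
    """True only when no WAF rule can deny and no bot action can mitigate.

    Run this before sending production traffic through the trial policy:
    a single rule left on "deny" makes the test unsafe for real users.
    """
    waf_ok = all(a == "alert" for a in policy.get("waf_rules", {}).values())
    bot_ok = all(a == "monitor" for a in policy.get("bot_actions", {}).values())
    return waf_ok and bot_ok


def summarize(events: Iterable[Dict[str, str]],
              exclude_rules: Iterable[str] = ("CSRF",)) -> Dict[str, dict]:
    """Per-rule hit count plus the distinct clients and paths that triggered it.

    Rules in exclude_rules are dropped so that attack classes a cloud WAF is
    not the right control for (CSRF here) do not bias the assessment.
    """
    excluded: Set[str] = set(exclude_rules)
    summary: Dict[str, dict] = {}
    for ev in events:
        if ev["rule"] in excluded:
            continue
        entry = summary.setdefault(ev["rule"],
                                   {"hits": 0, "clients": set(), "paths": set()})
        entry["hits"] += 1
        entry["clients"].add(ev["client"])
        entry["paths"].add(ev["path"])
    return summary


def review_before_deny(summary: Dict[str, dict], total_requests: int,
                       max_share: float = 0.002) -> List[str]:
    """Rules whose alert share of all traffic exceeds max_share.

    A rule that fires on a noticeable fraction of ordinary traffic, from
    several distinct clients on the same path, is a false-positive candidate
    and needs a review (and possibly an exception) before it is set to deny.
    The threshold is an assumption; tune it to the application's traffic.
    """
    return sorted(rule for rule, s in summary.items()
                  if s["hits"] / total_requests > max_share)


if __name__ == "__main__":
    print("listen-only:", is_listen_only(SAMPLE_POLICY))
    summary = summarize(SAMPLE_EVENTS)
    for rule, s in sorted(summary.items()):
        print(f"{rule}: hits={s['hits']} clients={len(s['clients'])} "
              f"paths={sorted(s['paths'])}")
    print("review before deny:", review_before_deny(summary, TOTAL_REQUESTS))
```

In the constructed data the SQLI rule fires from three different clients on the same search path, a pattern worth checking against the application's legitimate query syntax before that rule is moved to "Deny", while the single XSS and LFI hits stay below the threshold and the CSRF event is left out of the assessment entirely.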
