Search

Web Application and API Security

Protect web applications and APIs across any cloud-native architecture, including public or private cloud.
Read the Solution Brief
Web Application and API Security Front
Web Application and API Security Back

Web applications present the highest security risk to businesses, and legacy web application firewalls (WAFs) can no longer secure modern cloud-native applications or APIs.

Read our web application and API security benchmark analysis.

Download the whitepaper
1

Modern architectures require modern solutions

Web applications run on a variety of compute platforms – spanning hosts, containers, Kubernetes and serverless architectures – requiring purpose-built, cloud-native security solutions for comprehensive detection and protection of web applications and APIs for any cloud-native architecture.
2

Security gaps are opportunities for adversaries

Security teams need to ensure that their web applications and APIs have comprehensive protection against the OWASP Top 10, API security, file upload protection, bot protection, DoS protection and more to meet their applications’ scale.
3

Point solutions add complexity and reduce efficiency

Cloud-native environments are rich with point solutions. Adding another one for web application and API protection will be a pain to manage, requiring a holistic approach to cloud security.

Secure your web applications and APIs

Prisma® Cloud is the industry’s first cloud-native application protection platform (CNAPP) to provide an integrated approach to web application and API security. Supporting the OWASP Top 10 and API protection, along with capabilities like vulnerability management, compliance and runtime defense. The WAAS module automatically detects and protects microservices-based web applications and APIs in cloud and on-premises environments.
  • Automatic visibility and comprehensive protection
  • Inline and out-of-band deployment
  • Full lifecycle protection at scale
  • OWASP Top 10 protection
    OWASP Top 10 protection
  • API security
    API security
  • API Risk Profiling
    API Risk Profiling
  • Bot risk management
    Bot risk management
  • DoS protection
    DoS protection
  • Continuous visibility
    Continuous visibility
  • Virtual patching
    Virtual patching
  • Access control
    Access control
THE PRISMA CLOUD SOLUTION

Our approach to web application and API security

OWASP Top 10 protection

Deploying web application and API protection can be difficult in mixed environments. Prisma Cloud simplifies deployments with agent-based and agentless deployment options for all cloud-native applications, delivering full, customizable support for the OWASP Top 10.

  • Secure web applications from top security risks:

    Cover SQL injection, cross-site scripting, code injection and more.

  • Identify applications and APIs in any compute format:

    Automatically discover web-facing services and API risks to determine protection.

  • Enforce application security on microservices locally:

    Automatically enforce WAAS at the service level to keep up with auto-scaling, ephemeral environments.

  • Leverage full, customizable protection:

    Select which enforcement mechanism – alert, prevent or ban – to apply for each security scenario.

  • Deploy agents as a part of your DevOps workflow:

    Use code-based deployment mechanisms to enable automatic deployment of protection with every code push.

  • Take a unified approach to cloud-native security:

    Use a single, unified cloud security solution for superior protection compared to point products.

Learn more
OWASP Top 10 protection

API Security

The key to comprehensive protection is accuracy, precision and depth. With WAAS, you can enable customizable protection spanning the OWASP Top 10, API protection, risk profiling, file uploads, geolocation-based controls and more.

  • Auto-discover web applications and APIs:

    Automatically detect web-facing and API services to protect, even in ephemeral environments.

  • API risk profiling:

    Identify API risk factors, sources of risk, vulnerabilities and changes to prioritize remediation or protection.

  • Secure APIs against Layer 7 attacks:

    Simplify enforcement of positive API definitions based on OpenAPI, Swagger file or manual customization.

  • Configure fully for each API endpoint:

    Customize the level of alerting and blocking for the unique use cases of your applications.

Read the e-book
Application and API Protection

Bot risk management

The internet is full of bots, but not all bots are malicious. Gain visibility into bot activity to allow known-good bots, such as search engine crawlers, to go through while other malicious bots are blocked.

  • Allow and monitor known bots:

    Allow good bots such as search engine crawlers and news bots to crawl your applications, but monitor and block abusive behavior.

  • Control unknown bots:

    Alert or block requests originating from bots with unknown intent, including headless browsers, command-line tools and good bot impersonators.

  • Define custom bots:

    Create bot definitions for bots your team decides are known-good or malicious.

  • Configurable for each application:

    Set application- or individual-service-level configurations for bot protection rules.

Learn more
Bot risk management

Continuous visibility

Gaining visibility into protected and unprotected web applications and APIs is the first step to comprehensive protection. That’s why Prisma Cloud automatically identifies the protection status of web apps in our centralized Radar with a simple, straightforward UI to quickly enable customizable protection.

  • Find and protect your entire web app and API surface:

    Use WAAS to detect unprotected web applications and flag them for protection.

  • Reduce noise by identifying only public-facing APIs:

    Automatically detects web app and API behavior and does not flag services without an API.

  • Leverage advanced analytics for investigations:

    Use analytics to observe WAAS audits in aggregate from different points of view, filter them and dive into individual events for incident investigations.

  • View all security events in a single console:

    Identify vulnerabilities, compliance violations, runtime events and WAAS events in one dashboard.

Learn more
Image of Continuous visibility

Virtual patching

When vulnerabilities are discovered, exploit kits are often released before a patch is available. Protect against unpatched vulnerabilities at the service level.

  • Reduce risk until official patches are released:

    Use virtual patching to create a safeguard against exploits until the underlying service can be patched.

  • Add custom WAAS rules for signatures from your team:

    Take advantage of custom rules, a guided, auto-complete way to secure against exploits when your research teams identify vulnerabilities.

  • Protect against zero-day exploits:

    Automatically receive updated WAAS rules from Prisma Cloud Labs and choose whether to apply them.

Learn more
Virtual patching

Access Control

Protecting your application from unwanted access is a top priority for application security teams. WAAS allows for control over how applications and end users communicate with the protected web application.

  • Control inbound access to the application:

    Network controls allow administrators to deny inbound access to the application as well as allowed IPs.

  • Block request based on headers:

    WAAS lets you block or allow requests that contain specific strings in HTTP headers.

  • Protect against malicious files:

    Protect your applications against malware dropping by restricting uploads to just the files that match any allowed content types.

Learn more
Access Control
Prisma Cloud
Prisma Cloud
Prisma® Cloud is the industry’s most complete Cloud-Native Application Protection Platform (CNAPP), with the industry’s broadest security and compliance coverage—for infrastructure, workloads and applications, across the entire cloud-native technology stack—throughout the development lifecycle and across multicloud and hybrid environments.
Learn more

Cloud Workload Protection modules

HOST SECURITY

Secure virtual machines (VMs) on any public or private cloud.

Learn more

CONTAINER SECURITY

Secure Kubernetes and other container platforms on any public or private cloud.

Learn more

SERVERLESS SECURITY

Secure serverless functions across the full application lifecycle.

Learn more

WEB APPLICATION & API SECURITY

Protect against Layer 7 and OWASP Top 10 threats in any public or private cloud.

Learn more
Resources

Valuable WAAS documents

See all resources
TechDocs

WAAS TechDocs

Learn more
White paper

Raising the Bar for Web Application and API Security Solutions

Download
E-book

5 Best Practices for Securing Modern Web Applications and APIs

Read the Ebook
Video

Web Application and API Security Overview (2 mins.)

Watch now
White paper

API Security in the Cloud Native Era

Download the White paper
Blog post

Secure Cloud Native APIs and Microservices

Read the blog
Blog post

Virtual Patching for Dynamic Application Security Policies

Read the blog

Customer Stories

Hear how Pokemon, Sabre and ElevenPaths take advantage of Prisma Cloud's full lifecycle security and full stack protection.

Cloud security basics

Learn about DevSecOp trends and get practical tips from developers, industry leaders and security professionals.

The latest from our blog

Start with a piece that focuses on container security with Kubernetes cluster awareness, then dive into the rest.

Get the latest news, invites to events, and threat alerts

Popular Resources

Legal Notices

Popular Links

Report a Vulnerability