Protect APIs and Web Applications in Runtime

After you have visibility, you can start prioritizing preventive measures to reduce your exposure in high-risk APIs and web applications. Prisma Cloud gives you out-of-the-box API and workload protection, complete with customizable support for the Open Web Application Security Project (OWASP) Top 10 list, to help you promote best practices, methodologies, and tools for developing secure and reliable applications.

WAAS inline protection offers the highest level of security and provides real-time prevention of attacks, access control, and virtual patching. You can begin with virtual patching as a security strategy to temporarily mitigate vulnerabilities or security flaws in software without modifying the underlying source code.

Instead of fixing the vulnerability at its root cause (which might require a time-consuming and complex software update or code change), virtual patching deploys a WAAS rule that inspects traffic for exploitation attempts and blocks them before they reach the protected application. Virtual patching is an interim security measure that acts as a protective layer in front of the vulnerable system or application; it should by no means be considered a long-term solution that eliminates the need to patch the vulnerable code.

Because WAAS inline protection serves as a proxy between the application and its users, roll it out in phases so that you can closely monitor the availability of the protected application. Deploy WAAS in non-production environments first and then progressively extend it to production environments. Refer to the recommended deployment phases outlined in the documentation for guidance.

To enable inline real time protection, create inline WAAS rules for containers, hosts or app embedded deployments.

WAAS protection covers a wide variety of malicious activity.

Quick Start Examples

Example 1: I would like to protect my container-based web application against OWASP Top-10 Risks

1.1 Create a WAAS rule for containers.

  1. Identify the images on which the application is running, e.g. `nginx:latest`.
  2. Create a new WAAS container rule:
    1. In Prisma Cloud select `Runtime Security`.
    2. Select Defend -> WAAS -> Container -> Inline.
    3. Select `Add rule`.
    4. Enter a rule name.
    5. In the `Scope` field, click the input box to select collections. If the containers on which the web application runs are part of a collection, select it. If not, create a new collection containing the images to be protected and select it.
  3. Expand the newly created rule and select "Add app" in the top right corner of the "App list". A dialog for the new app appears with the "App definition" tab open.
  4. Select "Add endpoint" in the top right corner of the "Protected endpoints" table:
    1. Leave the default values for all fields.
    2. If the protected application uses TLS, see the details here.
    3. Click "Create".
  5. Select the "App firewall" tab and set the effect of all detections to "Prevent". Prevent blocks matching requests inline; if you are still in the phased rollout described above, you can set the effect to "Alert" first and switch to "Prevent" once you have reviewed the resulting events.
  6. "Save" your changes.

1.2 Verify that WAAS is deployed.

  1. Select Radars -> Container and select the images protected by WAAS. The image should have a green firewall icon.
  2. Select the image and select the "WAAS" tab in the left side menu to open the "WAAS connectivity monitor", which shows traffic statistics for the protected image. If possible, send a few requests to the protected application and click "Refresh" in the connectivity monitor; the traffic statistics should update within seconds.
  3. For troubleshooting instructions see details here.
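The "send a few requests" step is easier to repeat, and more useful for step 1.3, if you script it. The following is an added example and not part of Prisma Cloud or of this guide: a stdlib-only Python script that sends one benign request plus a handful of requests shaped like common OWASP Top 10 probes to the protected origin, then reports the HTTP status of each so that blocked probes can be matched against the events you look for next. `BASE_URL` and the paths `/search`, `/static` and `/ping` are placeholders to change for your application, and the payload strings are constructed generic patterns, not exploits for any specific flaw.

```python
"""Smoke test for a WAAS-protected web application: send one benign request
and a few requests shaped like common OWASP Top 10 probes, then report the
HTTP status of each so blocked probes can be matched against the events
under Monitor > Events. Standard library only."""
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical origin of the protected application (scheme://host:port).
BASE_URL = "http://127.0.0.1:8080"

# Constructed probe payloads: generic strings that app-firewall signatures
# commonly flag. They are not exploits for any particular bug.
PROBES = {
    "benign":         ("GET", "/", {}),
    "sqli-query":     ("GET", "/search", {"q": "' OR 1=1 --"}),
    "xss-query":      ("GET", "/search", {"q": "<script>alert(1)</script>"}),
    "path-traversal": ("GET", "/static", {"file": "../../etc/passwd"}),
    "cmdi-query":     ("GET", "/ping", {"host": "127.0.0.1; id"}),
}


def build_url(base_url, path, params):
    """Join origin, path and query. The payload is percent-encoded so the
    request line is well-formed; a raw quote or '<' might otherwise be
    rejected by the client stack before WAAS ever inspects it."""
    query = urllib.parse.urlencode(params)
    return base_url.rstrip("/") + path + ("?" + query if query else "")


def send(method, url, timeout=5.0):
    """Return the HTTP status code for one request. urlopen raises on 4xx/5xx,
    and a blocked probe normally comes back as an error status, so the
    HTTPError is the interesting case rather than a failure."""
    req = urllib.request.Request(
        url, method=method, headers={"User-Agent": "waas-smoke-test/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def classify(name, benign_status, status):
    """A probe counts as blocked when it gets an error status that the benign
    request did not. The block response WAAS returns is configurable, so we
    compare against the baseline instead of hard-coding 403."""
    if name == "benign":
        return "baseline"
    if status >= 400 and status != benign_status:
        return "blocked"
    return "allowed"


def run(base_url=BASE_URL):
    """Send every probe and return {name: (status, verdict)}."""
    method, path, params = PROBES["benign"]
    benign_status = send(method, build_url(base_url, path, params))
    results = {}
    for name, (method, path, params) in PROBES.items():
        status = send(method, build_url(base_url, path, params))
        results[name] = (status, classify(name, benign_status, status))
    return results


if __name__ == "__main__":
    for name, (status, verdict) in run().items():
        print(f"{name:15s} {status:>4}  {verdict}")
```

Run it from a host that reaches the protected application, then open the connectivity monitor and the events view: every probe reported as "blocked" should correspond to an event for your rule, and a probe reported as "allowed" with the effect set to "Prevent" is worth investigating before you widen the rollout.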

1.3 Check for events.

  1. Select Monitor > Events and select WAAS for containers.
  2. In the filter, type "Rule" and select the name of the rule created in step 1.1 above.
  3. The timeline graph shows events plotted over time.
  4. Use the "Group by" button in the top right corner of the table to aggregate events by different data dimensions.
  5. Select a line to explore the aggregated events.

Example 2: I would like to ensure traffic received by my container-based APIs adheres to their API specification

2.1 Create a WAAS rule for containers.

  1. Identify the images on which the application is running, e.g. `nginx:latest`.
  2. Create a new WAAS container rule:
    1. In Prisma Cloud select `Runtime Security`.
    2. Select Defend -> WAAS -> Container -> Inline.
    3. Select `Add rule`.
    4. Enter a rule name.
    5. In the `Scope` field, click the input box to select collections. If the containers on which the web application runs are part of a collection, select it. If not, create a new collection containing the images to be protected and select it.
  3. Expand the newly created rule and click "Add app" in the top right corner of the "App list". A dialog for the new app appears with the "App definition" tab open.
  4. Select "Add endpoint" in the top right corner of the "Protected endpoints" table:
    1. Leave the default values for all fields.
    2. If the protected application uses TLS, see the details here.
    3. Create the endpoint.
  5. Select the "Import" button to upload an OpenAPI specification, version 2 (Swagger) or version 3.
  6. Select the "API protection" tab (next to "App definition") to review the loaded paths and methods.
  7. Select the desired effect for each of the following:
    1. Parameter violation: action to be taken when a request sent to one of the specified paths in the API resource list does not comply with the body parameters in the provided definitions.
    2. Unspecified path(s)/method(s): action to be taken in either of the following cases:
      1. A request is sent to a resource path that is not specified in the API resource list.
      2. A request is sent using an HTTP method that is not specified for a resource path in the API resource list.
    3. Unspecified query params: action to be taken when a request sent to one of the specified paths in the API resource list does not comply with the query parameters in the provided definitions.
  8. Select the "App firewall" tab and set the effect of all detections to "Prevent".
  9. Save your changes.
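To see concretely which requests the three effects above act on, here is an added example; it is not Prisma Cloud code and does not describe WAAS internals. It is a Python script with a constructed OpenAPI 3 document for a small pet API and a `classify()` function that sorts sample requests into `ok`, `unspecified_path`, `unspecified_method`, `unspecified_query_param` and `parameter_violation`, mirroring the categories listed in step 7. The spec, the sample requests and the exact boundary of each category (for example, that a non-integer `petId` is treated as a path the spec does not define, and that a wrongly typed query value falls under unspecified query params) are my assumptions from the wording above; use it to reason about which of your own clients' requests would trip which effect before you switch those effects to "Prevent".

```python
# Classify requests against a small OpenAPI 3 document using the three WAAS
# "API protection" categories. Illustrative reimplementation, not Prisma Cloud
# code; where each category starts follows my reading of the text above.
import json
import re

# Constructed sample spec for a tiny pet API, inline so the script runs alone.
SPEC = {"openapi": "3.0.0", "paths": {
    "/pets": {
        "get": {"parameters": [
            {"name": "limit", "in": "query", "schema": {"type": "integer"}}]},
        "post": {"requestBody": {"required": True, "content": {
            "application/json": {"schema": {
                "type": "object", "required": ["name"],
                "properties": {"name": {"type": "string"},
                               "age": {"type": "integer"}}}}}}}},
    "/pets/{petId}": {
        "get": {"parameters": [{"name": "petId", "in": "path", "required": True,
                                "schema": {"type": "integer"}}]}},
}}

# JSON Schema type name -> Python type(s) accepted in a decoded body.
_TYPES = {"string": str, "integer": int, "number": (int, float),
          "boolean": bool, "object": dict, "array": list}

def _path_regex(template):
    """/pets/{petId} -> ^/pets/(?P<petId>[^/]+)$ so templated paths match."""
    parts = ["(?P<%s>[^/]+)" % s[1:-1] if s[:1] == "{" and s[-1:] == "}"
             else re.escape(s) for s in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")

def _scalar_ok(value, schema):
    """Path/query values arrive as strings: integer/number must parse, others pass."""
    try:
        {"integer": int, "number": float}.get(schema.get("type"), str)(value)
        return True
    except ValueError:
        return False

def _body_ok(value, schema):
    """Minimal JSON Schema subset: type, required and properties."""
    t = schema.get("type")
    if t and (not isinstance(value, _TYPES[t])
              or (t in ("integer", "number") and isinstance(value, bool))):
        return False  # bool is an int subclass in Python; JSON keeps them apart
    if t == "object":
        if any(k not in value for k in schema.get("required", [])):
            return False
        return all(_body_ok(value[k], sub) for k, sub in
                   schema.get("properties", {}).items() if k in value)
    return True

def classify(spec, method, path, query=None, body=None):
    """Return 'ok' or the WAAS category the request would be reported under."""
    for template, item in spec["paths"].items():
        m = _path_regex(template).match(path)
        if m:
            break
    else:
        return "unspecified_path"
    op = item.get(method.lower())
    if op is None:
        return "unspecified_method"
    params = op.get("parameters", [])
    # /pets/abc for an integer petId matches no declared resource at all.
    if any(p["in"] == "path" and not _scalar_ok(m.group(p["name"]), p.get("schema", {}))
           for p in params):
        return "unspecified_path"
    declared = {p["name"]: p for p in params if p["in"] == "query"}
    # Unknown names and wrong-typed values both fail the query definitions.
    if any(n not in declared or not _scalar_ok(v, declared[n].get("schema", {}))
           for n, v in (query or {}).items()):
        return "unspecified_query_param"
    rb = op.get("requestBody")
    if rb is None:
        return "ok"
    if body is None:
        return "parameter_violation" if rb.get("required") else "ok"
    if isinstance(body, (str, bytes)):  # raw wire body must at least be valid JSON
        try:
            body = json.loads(body)
        except ValueError:
            return "parameter_violation"
    schema = rb["content"]["application/json"]["schema"]
    return "ok" if _body_ok(body, schema) else "parameter_violation"

# Constructed sample traffic: (method, path, query, body).
SAMPLE_REQUESTS = [
    ("GET", "/pets", {"limit": "10"}, None),
    ("GET", "/pets", {"limit": "ten"}, None),
    ("DELETE", "/pets", {}, None),
    ("GET", "/admin", {}, None),
    ("GET", "/pets/abc", {}, None),
    ("POST", "/pets", {}, {"age": 3}),
    ("POST", "/pets", {}, '{"name": '),
]

if __name__ == "__main__":
    for method, path, query, body in SAMPLE_REQUESTS:
        print(f"{method:6s} {path:10s} -> {classify(SPEC, method, path, query, body)}")
```

Run it as a script to print a verdict for each sample request. To try it against your own API, replace `SPEC` with `json.load()` of your exported OpenAPI 3 document and list the requests your clients are expected to send; anything that comes back as a violation here is a candidate for a false positive once the corresponding effect is set to "Prevent", so fix the spec or the client before enforcing.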

2.2 Verify that WAAS is deployed.

  1. Select Radars -> Container and select the images protected by WAAS. The image should have a green firewall icon.
  2. Select the image and select the "WAAS" tab in the left side menu to open the "WAAS connectivity monitor", which shows traffic statistics for the protected image. If possible, send a few requests to the protected application and click the "Refresh" button in the connectivity monitor; the traffic statistics should update within seconds.
  3. For troubleshooting instructions see details here.

2.3 Check for events.

  1. Select Monitor > Events and select WAAS for containers.
  2. In the filter, type "Rule" and select the name of the rule created in step 2.1 above.
  3. To view events related to API specification violations, add the following filter: "Attack type: API Protection".
  4. The timeline graph shows events plotted over time.
  5. Use the "Group by" button in the top right corner of the table to aggregate events by different data dimensions.
  6. Select a line to explore the aggregated events.
