Web application and API protection, or WAAP, is a category of the API security market identified within Datos Insights’ API Security: Market Landscape report published in March 2023. The market in 2023 will reach an impressive US$628 million and is set to more than double by 2027. But why is the market growing so much? Here are two main reasons:
- WAAPs are encroaching on distributed denial of service (DDoS) defense, web application firewall (WAF), and bot defense solution markets: Organizations would rather acquire an integrated solution that addresses all their web application and API security needs than acquire singular solutions.
- WAFs provide little to no API protection: WAFs, even next-gen WAFs, do a poor job of protecting APIs. They offer little reason to keep a WAF if protecting APIs is a requirement.
The WAAP market has 30 vendors vying for the market share, offering varying core, extended, and advanced product capabilities to edge one another out in an application and API security arms race. At a minimum, WAAPs must provide:
- Application security
- API security
- Bot management
- DDoS defense
Once these basics are covered, organizations need to evaluate how WAAP solutions address extended capabilities, including:
- Access control
- API gateway integration
- ATO prevention
- Content delivery network (CDN) integration
- CI/CD automation
- DNS security
- Runtime application security protection (RASP)
Not all vendors provide core and extended capabilities the same, and the points of evaluation can be daunting. Datos Insights spent four months studying the WAAP marketplace so you won’t have to. We also deeply investigated four market leaders with over 18,000 customers collectively. The result is the Web Application & API Protection (WAAP) Market Landscape & Product Deep Dive report. The products we looked at came from Check Point, F5, Imperva, and Radware. The analysis showed that any of the four WAAP providers would be a sound choice overall. This report is part two of a four-part series on API security. Check out part one and stay tuned to my blog for news about parts three and four. Contact me here to ask any API-related questions or share your WAAP experiences.