# Web Application Security for Cloud Native APIs with Prisma Cloud

By [Ory Segal](https://www.paloaltonetworks.com/blog/author/ory-segal/), Aug 26, 2021

Categories: [Cloud Native Application Protection Platform](https://www.paloaltonetworks.com/blog/category/cloud-native-application-protection-platforms/), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/), [Web Security](https://www.paloaltonetworks.com/blog/category/web-security/)

Prisma Cloud delivers web application security combining visibility, protection and governance for APIs.
This blog highlights best practices and requirements.

## Microservices and APIs Overview

Two of the key tenets of cloud native applications are loosely coupled microservices and application programming interfaces (APIs). These two principles are tied together and allow programmers to develop complex applications rapidly and with ease. APIs are the way for microservices to talk to each other using a standardized message format. Oftentimes, APIs will use REST over HTTP(S) to send and receive data such as JSON or XML content; at other times, more complex message formats and protocols may be used (e.g. GraphQL or gRPC).

In more mature organizations, developers will create an API specification file, usually in OpenAPI format. The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to RESTful APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code or documentation, and without network traffic inspection. When properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic.

In layman's terms, the OpenAPI specification file defines the different API endpoints, what each API expects in terms of incoming message format, and what response should be expected by the consumer. When defined accurately, the specification can later be used for API message validation by intermediary security devices such as API gateways or web application firewalls (WAFs).

In essence, modern cloud native applications use dozens or even hundreds of loosely coupled microservices, all talking to each other using APIs - and this is why many consider API messages to be the new network layer. In many modern applications, a single client's web request (i.e., north-south traffic) that hits your Kubernetes cluster can spawn dozens or even hundreds of API calls between internal microservices (i.e., east-west traffic).
This is why it is not enough to secure the front-end web interface of your cloud-native application - you must also apply rigorous application layer protections on your cloud-native APIs.

### API Risks

The [OWASP API Security Top 10 Project](https://owasp.org/www-project-api-security/) lists the following top risks to APIs:

1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection Flaws
9. Improper Assets Management
10. Insufficient Logging & Monitoring

While each of these risks is critical and should always be considered when developing and deploying APIs, I'd like to focus in this blog post on the last two: improper asset management and insufficient logging and monitoring.

### Control and Governance Over APIs

In a perfect world, each API would be registered and monitored, and for each API an accurate OpenAPI specification file would be created. In addition, obsolete microservices and APIs would be decommissioned. However, the fast pace at which organizations develop APIs these days, and the dynamic nature of modern applications, oftentimes lead to slip-ups. As more and more cloud-native applications are developed and deployed, the number of microservices and, in turn, the number of exposed APIs grows. Pretty quickly, it becomes extremely difficult to keep track of the inventory. Without governance and visibility into the microservices and their respective APIs, it becomes impossible to secure an application; after all, you cannot secure what you don't know exists.
## Securing Cloud Native APIs with Prisma Cloud Web Application and API Security

The Prisma Cloud [Web Application and API Security (WAAS) module](https://www.paloaltonetworks.com/prisma/cloud/web-application-API-security) contains a wide range of capabilities to help customers secure cloud-native applications, microservices and, more specifically, APIs. In the following section, we will highlight some of the capabilities specifically geared for [API security](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security).

### Automated Detection of Unprotected Web Apps and APIs

Periodically, the WAAS module will analyze your applications both statically and dynamically to discover containers or hosts that expose a web application or an API that has yet to be protected by WAAS. Once an unprotected web application or API is discovered, it is flagged in the Radar view, so customers can quickly and easily create a WAAS protection policy for it. In addition to the Radar view, a more structured report of all unprotected web applications, including container image names, ports and number of running containers, is also available in the Console.

![Unprotected Web APIs Detected in a Kubernetes Cluster](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/WAAS-image-1.png)

Unprotected Web APIs Detected in a Kubernetes Cluster

### Defining and Protecting APIs Using OpenAPI Specification Files

WAAS offers two methods for defining APIs to be protected. The first is by manually defining the API endpoints and their respective HTTP methods and parameters:

![Manual API Definition](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/unnamed-2.png)

Manual API Definition

Using this method, customers can manually define each and every API endpoint using the endpoint's HTTP request path, the allowed HTTP methods, as well as message parameters.
For each parameter, users can define its location, the value type, format and expected ranges. Once all of this information is defined, WAAS will provide positive security through validation of the API message format. However, manually defining API endpoints can become a very tedious process. This is why WAAS also provides the ability to load an OpenAPI specification file, which will be parsed and used to populate all API definitions automatically.

![Importing an OpenAPI Specification File](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/Screen-Shot-2021-08-25-at-1.27.30-PM.png)

Importing an OpenAPI Specification File

As mentioned earlier, and regardless of the method you use to onboard and define application APIs, WAAS will then use this definition to provide the following positive security enforcement of API messages:

* Only allow API calls to endpoints that were defined in the configuration
* Only allow specified HTTP methods
* Only allow specified API message parameters
* Enforce parameter value format, data types and ranges
* Enforce the existence of "required" parameters

Any attempt to call an undefined API will result in WAAS taking the pre-defined action (i.e., Alert and log, Block or Ban).

### Automated API Discovery and API Profiling

Since modern cloud-native applications tend to be dynamic and change often, you may end up with APIs that are either obsolete or simply not documented anywhere. Visibility and governance over APIs are critical steps on the way to applying robust security. This is why WAAS provides an automated API discovery capability, which uses automated machine learning analysis. When API discovery is enabled, deployed Defender agents will inspect API traffic routed to the protected application. Defenders learn the endpoints in your API by analyzing incoming requests and generating a tree of API paths. Periodically, Defenders send the Console a diff of what they have learned since their last update.
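The learn, diff and merge flow just described (an observer builds a tree of API paths from requests it sees, reports only what is new, and the central inventory absorbs it) is easy to follow in code. The following is an added example, not Prisma Cloud's discovery engine: the request log is constructed inline, the filter that drops non-API traffic is a simple heuristic, and the rule that collapses numeric or UUID-looking path segments into `{..._id}` templates is this example's own assumption. It ends by exporting the inventory as an OpenAPI 3 skeleton, which is the form in which a discovered API would be reviewed and onboarded for protection.

```python
"""Learn an API inventory from observed requests and export it as an
OpenAPI skeleton: learn locally, report a diff, merge centrally.

Added example, not Prisma Cloud code. Request log and heuristics are
constructed for illustration."""
import json
import re

STATIC_EXT = (".css", ".js", ".png", ".jpg", ".ico", ".svg", ".woff2")
NUMERIC = re.compile(r"^\d+$")
UUIDISH = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed request log: (method, path, request content type, accept header)
REQUESTS = [
    ("GET", "/api/v1/users/42", "", "application/json"),
    ("GET", "/api/v1/users/7", "", "application/json"),
    ("POST", "/api/v1/users", "application/json", "application/json"),
    ("GET", "/api/v1/users/42/orders", "", "application/json"),
    ("GET", "/static/app.js", "", "*/*"),
    ("GET", "/index.html", "", "text/html"),
    ("DELETE", "/api/v1/users/42", "", "application/json"),
    ("GET", "/api/v1/orders/3f2504e0-4f89-11d3-9a0c-0305e82c3301", "", "application/json"),
]

def looks_like_api_call(method, path, content_type, accept):
    """Heuristic filter: ignore static assets and plain browser page loads."""
    if path.lower().endswith(STATIC_EXT):
        return False
    if "json" in content_type or "json" in accept:
        return True
    return method in ("POST", "PUT", "PATCH", "DELETE")

def normalize(path):
    """Collapse identifier-looking segments into a template like /users/{user_id}."""
    segs, prev = [], None
    for seg in path.strip("/").split("/"):
        if NUMERIC.match(seg) or UUIDISH.match(seg):
            segs.append("{%s_id}" % prev.rstrip("s") if prev else "{id}")
        else:
            segs.append(seg)
            prev = seg
    return "/" + "/".join(segs)

class PathTree:
    """Tree of API paths learned by one observer (a Defender, in the post's terms)."""
    METHODS = "__methods__"   # leaf marker holding the methods seen at that path

    def __init__(self):
        self.root = {}

    def add(self, method, path):
        node = self.root
        for seg in normalize(path).strip("/").split("/"):
            node = node.setdefault(seg, {})
        node.setdefault(self.METHODS, set()).add(method.upper())

    def flatten(self):
        """Return {template: sorted methods} for every endpoint in the tree."""
        out = {}
        def walk(node, prefix):
            for key, sub in node.items():
                if key == self.METHODS:
                    out[prefix] = sorted(sub)
                else:
                    walk(sub, prefix + "/" + key)
        walk(self.root, "")
        return out

def learn(requests):
    """What one observer learns from its traffic window."""
    tree = PathTree()
    for method, path, ctype, accept in requests:
        if looks_like_api_call(method, path, ctype, accept):
            tree.add(method, path)
    return tree.flatten()

def diff(known, learned):
    """The update an observer reports: only endpoint/method pairs not yet known."""
    delta = {}
    for ep, methods in learned.items():
        new = sorted(set(methods) - set(known.get(ep, [])))
        if new:
            delta[ep] = new
    return delta

def merge(known, delta):
    """Central merge of a reported delta into the existing inventory."""
    merged = {ep: list(m) for ep, m in known.items()}
    for ep, methods in delta.items():
        merged[ep] = sorted(set(merged.get(ep, [])) | set(methods))
    return merged

def to_openapi(inventory, title="Discovered API"):
    """Export the inventory as an OpenAPI 3 skeleton for review and onboarding."""
    paths = {}
    for ep, methods in sorted(inventory.items()):
        item = {m.lower(): {"responses": {"200": {"description": "observed"}}} for m in methods}
        names = re.findall(r"\{(\w+)\}", ep)
        if names:
            item["parameters"] = [{"name": n, "in": "path", "required": True,
                                   "schema": {"type": "string"}} for n in names]
        paths[ep] = item
    return {"openapi": "3.0.3", "info": {"title": title, "version": "0.1"}, "paths": paths}

if __name__ == "__main__":
    print(json.dumps(to_openapi(learn(REQUESTS)), indent=2))
```

Running it prints the skeleton for four endpoints; the `/static/app.js` and `/index.html` requests never enter the tree. The exported parameters are typed as plain strings because traffic alone only shows that a segment varies, not what its schema should be; tightening those types is the review step before the specification is used for enforcement.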
The Console merges the update with what it already knows about the API. The API discovery subsystem attempts to ignore all HTTP traffic that doesn't resemble an API call and applies intelligent criteria for identifying which requests to inspect. Once APIs are discovered and profiled, WAAS provides users with an API discovery report, as well as the ability to export the data as an OpenAPI specification, which can then be used to define APIs for protection.

![Automated API Discovery](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/unnamed-4.png)

Automated API Discovery

### Application Layer Protections

One of the key capabilities of WAAS is its highly accurate web application firewall (WAF), which provides application layer protections against attacks such as SQL Injection, Cross-Site Scripting, OS Command Injection, Local File Inclusion, and many other attack categories. These protections can be enabled both for standard web applications and for API endpoints. It should be noted that when the application firewall is enabled, it will protect against application layer attacks on any HTTP-enabled URL that is defined in the policy, including API endpoints. This means that APIs do not have to be explicitly defined through the API protection configuration in order to be protected against such attacks, as long as the application firewall policy covers their URLs. The process of defining API endpoints is strictly used for providing the highest level of security through API message validation.

### API Access Control and DoS Protections

In addition to API message validation, automated discovery and application layer protection, WAAS provides the ability to enforce access controls over APIs. Access to API endpoints can be enforced by using IP addresses, IP CIDR blocks and network lists, which can be programmatically updated when needed.
In addition, geo-based access controls can also be set, as well as enforcement of HTTP headers such as an API key, and so forth. Application layer DoS protection can also be used in order to deny clients from flooding or abusing API endpoints. Users can set the burst rate limit, which is intended to prevent spikes in traffic coming from a client, or the longer-period (average) rate. Additional criteria for rate accounting can be used, such as specific file extensions, HTTP response codes and HTTP methods.

![App-Layer DoS Protection](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/unnamed-5.png)

App-Layer DoS Protection

### Virtual Patching and Custom Rules

As explained in [this](https://www.paloaltonetworks.com/blog/prisma-cloud/virtual-patching-dynamic-application-security/) previous blog post, virtual patching is the process of creating one or more detection rules that prevent malicious exploitation attempts against a vulnerability before an official patch is available. Prisma Cloud can deploy these virtual patching rules within minutes after a vulnerability is discovered, and users can keep them in place until the official patch is applied. When critical vulnerabilities in relevant cloud-native application technologies are publicly reported, the Prisma Cloud Labs team may release updated WAAS rules and automatically push them to all customers, who can then choose whether to apply them. But because each application is unique, customers may want to create their own rules to meet the specific requirements of their application. In such cases, new custom rules are easily created through the editor in the Defend > Custom Configurations screen.
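The positive-security enforcement listed under "Defining and Protecting APIs Using OpenAPI Specification Files" (only configured endpoints, only specified methods and parameters, type/format/range checks, required parameters) is the same check an intermediary such as a WAF or API gateway performs against the specification, as the overview notes. Below is an added example of that check, not WAAS code and not a reproduction of its rule engine: the OpenAPI document for a small "orders" service is constructed inline, and only the OAS 3 subset it uses is handled (path templates; path, query and header parameters; a JSON object request body). Undeclared query parameters and body properties are rejected, while undeclared headers are tolerated because real clients send many of them.

```python
"""Positive-security validation of API requests against an OpenAPI document.

Added example, not WAAS code. The OpenAPI document below is constructed for
illustration; only the OAS 3 features it uses are handled."""
import re
from urllib.parse import parse_qs, urlsplit

OPENAPI = {"paths": {
    "/orders": {
        "get": {"parameters": [
            {"name": "limit", "in": "query", "required": False,
             "schema": {"type": "integer", "minimum": 1, "maximum": 100}}]},
        "post": {"parameters": [
            {"name": "X-Api-Key", "in": "header", "required": True,
             "schema": {"type": "string", "format": "uuid"}}],
                 "requestBody": {"content": {"application/json": {"schema": {
                     "type": "object", "required": ["sku", "qty"],
                     "properties": {"sku": {"type": "string"},
                                    "qty": {"type": "integer", "minimum": 1}},
                     "additionalProperties": False}}}}},
    },
    "/orders/{id}": {
        "get": {"parameters": [
            {"name": "id", "in": "path", "required": True,
             "schema": {"type": "integer", "minimum": 1}}]},
    },
}}

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def _match_path(path):
    """Return (path item, path parameters) for the first template matching `path`."""
    for template, item in OPENAPI["paths"].items():
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        m = re.match(pattern, path)
        if m:
            return item, m.groupdict()
    return None, None

def _check_value(name, raw, schema):
    """Check one value against its schema; return an error string or None."""
    kind = schema.get("type", "string")
    if kind == "integer":
        is_int = isinstance(raw, int) and not isinstance(raw, bool)
        if not (is_int or re.fullmatch(r"-?\d+", str(raw))):
            return f"{name}: expected integer"
        val = int(raw)
        if "minimum" in schema and val < schema["minimum"]:
            return f"{name}: below minimum {schema['minimum']}"
        if "maximum" in schema and val > schema["maximum"]:
            return f"{name}: above maximum {schema['maximum']}"
    elif kind == "string":
        if not isinstance(raw, str):
            return f"{name}: expected string"
        if schema.get("format") == "uuid" and not UUID_RE.match(raw):
            return f"{name}: not a uuid"
    return None

def validate(method, url, headers=None, body=None):
    """Return the list of violations; an empty list means the request conforms."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    parts = urlsplit(url)
    item, path_params = _match_path(parts.path)
    if item is None:
        return ["undefined endpoint"]            # only configured endpoints
    op = item.get(method.lower())
    if op is None:
        return ["method not allowed"]            # only specified methods
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    supplied = {"query": query, "header": headers, "path": path_params}
    errors, declared_query = [], set()
    for p in op.get("parameters", []):
        loc = p["in"]
        key = p["name"].lower() if loc == "header" else p["name"]
        if loc == "query":
            declared_query.add(key)
        if key not in supplied[loc]:
            if p.get("required"):
                errors.append(f"{p['name']}: required parameter missing")
            continue
        err = _check_value(p["name"], supplied[loc][key], p["schema"])
        if err:
            errors.append(err)
    # Only specified query parameters; headers are left open because clients send many.
    errors += [f"{k}: undeclared query parameter" for k in sorted(set(query) - declared_query)]
    schema = (op.get("requestBody", {}).get("content", {})
              .get("application/json", {}).get("schema"))
    if schema is not None:
        if not isinstance(body, dict):
            errors.append("body: expected JSON object")
        else:
            errors += [f"{r}: required property missing"
                       for r in schema.get("required", []) if r not in body]
            for k, v in body.items():
                prop = schema.get("properties", {}).get(k)
                if prop is None:
                    if schema.get("additionalProperties") is False:
                        errors.append(f"{k}: undeclared property")
                else:
                    err = _check_value(k, v, prop)
                    if err:
                        errors.append(err)
    return errors
```

`validate` returns every violation it finds rather than stopping at the first, which is the behaviour you want for the "Alert and log" action; a "Block" action would simply refuse any request whose list is non-empty. Note that `"additionalProperties": False` is what turns the body check into positive security: without it an undeclared property such as an unexpected role flag passes through silently, which is the mass-assignment pattern from the OWASP list above.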
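The access controls and application layer DoS protection described under "API Access Control and DoS Protections" combine naturally into one decision per request: network-list checks and a required header first, then a burst window and a longer average window per client, with a ban once a client keeps tripping the limits. The following is an added example of that pipeline, not WAAS code: the network lists, the `x-api-key` header name, the limits, the "count only these methods" accounting criterion and the request stream are all constructed, and WAAS's own evaluation order and defaults are not modelled. Timestamps are passed in rather than read from the clock so the behaviour is reproducible.

```python
"""Access control (IP/CIDR network lists, required API-key header) plus burst
and average rate limiting per client, with an escalating block -> ban action.

Added example, not WAAS code. Policy values and header name are constructed."""
import ipaddress
from collections import deque

# Constructed policy. Network lists are parsed objects so they can be swapped
# programmatically (as the post notes) without touching the decision logic.
POLICY = {
    "allow_nets": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")],
    "deny_nets": [ipaddress.ip_network("203.0.113.66/32")],
    "required_header": "x-api-key",              # hypothetical header name
    "burst": {"limit": 5, "window_s": 1},        # spikes: at most 5 requests per second
    "average": {"limit": 60, "window_s": 60},    # sustained: at most 60 per minute
    "count_only_methods": {"POST", "PUT", "DELETE"},   # rate-accounting criterion
    "ban_after_violations": 3,
}

def _in_any(ip, nets):
    return any(ip in n for n in nets)

def access_check(client_ip, headers):
    """Return None if the client may reach the API, else a short reason."""
    ip = ipaddress.ip_address(client_ip)
    if _in_any(ip, POLICY["deny_nets"]):
        return "ip denied"
    if POLICY["allow_nets"] and not _in_any(ip, POLICY["allow_nets"]):
        return "ip not in allow list"
    if POLICY["required_header"] not in {k.lower() for k in headers}:
        return "missing required header"
    return None

class SlidingWindow:
    """Count events in the last window_s seconds; timestamps are supplied by the caller."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.events = deque()

    def hit(self, now):
        while self.events and now - self.events[0] >= self.window_s:
            self.events.popleft()
        self.events.append(now)
        return len(self.events) <= self.limit

class RateLimiter:
    def __init__(self):
        self.windows = {}        # client -> (burst window, average window)
        self.violations = {}
        self.banned = set()

    def check(self, client_ip, method, now):
        """Return 'allow', 'block' or 'ban' for one request."""
        if client_ip in self.banned:
            return "ban"
        if method not in POLICY["count_only_methods"]:
            return "allow"                       # not counted under this criterion
        burst, avg = self.windows.setdefault(client_ip, (
            SlidingWindow(**POLICY["burst"]), SlidingWindow(**POLICY["average"])))
        ok = burst.hit(now)
        ok = avg.hit(now) and ok                 # hit both so both windows stay accurate
        if ok:
            return "allow"
        self.violations[client_ip] = self.violations.get(client_ip, 0) + 1
        if self.violations[client_ip] >= POLICY["ban_after_violations"]:
            self.banned.add(client_ip)
            return "ban"
        return "block"

def evaluate(limiter, client_ip, method, headers, now):
    """Full decision for one request: access control first, then rate limiting."""
    reason = access_check(client_ip, headers)
    if reason:
        return ("block", reason)
    verdict = limiter.check(client_ip, method, now)
    return (verdict, "ok" if verdict == "allow" else "rate limit")

if __name__ == "__main__":
    lim = RateLimiter()
    for i in range(8):   # constructed burst: eight POSTs within one second
        print(i, evaluate(lim, "10.1.2.3", "POST", {"X-Api-Key": "k"}, 0.1 * i))
```

Two details matter operationally. The ban is checked before the method filter, so a banned client is refused even for requests that would not otherwise be counted; and both windows are always advanced on a counted request, so a client that trips the burst limit is still accounted against the average limit instead of getting a free pass.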
## Summary

With the rapid adoption of cloud-native application development, we see a proliferation of APIs. Some might be publicly exposed through north-south traffic, but many are invoked as a result of incoming traffic to your application's front-end interface (east-west traffic between microservices). Given their direct access to sensitive back-end systems and microservices, APIs are quickly becoming the prime target for abuse by malicious users. This is why, regardless of their direct exposure, all API endpoints in your applications should be closely monitored, and rigorous application layer protections should be applied.

In addition to the protections provided by WAAS, the web application security module described in this blog post, Prisma Cloud customers also benefit from many other key capabilities provided by Prisma Cloud Compute, i.e., security posture of cloud native APIs throughout the stack with a comprehensive, holistic view of vulnerabilities, runtime issues and application layer exploitation attempts.
To learn more about WAAS, please visit: [/prisma/cloud/web-application-API-security](https://www.paloaltonetworks.com/prisma/cloud/web-application-API-security)