Gartner has recognised Cloudflare as a Leader in the 2022 “Gartner® Magic Quadrant for Web Application and API Protection (WAAP)” report that evaluated 11 vendors for their ‘ability to execute’ and ‘completeness of vision’. This achievement highlights Cloudflare’s continued commitment and investment in this space as the company aims to provide better and more effective security solutions to its users and customers.
Keeping up with application security
With over 36 million HTTP requests per second being processed by the Cloudflare global network, the company gets unprecedented visibility into network patterns and attack vectors. This scale allows it to effectively differentiate clean traffic from malicious, resulting in about 1 in every 10 HTTP requests proxied by Cloudflare being mitigated at the edge by the WAAP portfolio.
Visibility is not enough, and as new use cases and patterns emerge, Cloudflare invests in research and new product development. For example, API traffic is increasing (55%+ of total traffic) and this trend isn’t expected to slow down. To help customers with these new workloads, Cloudflare’s API Gateway builds upon our WAF to provide better visibility and mitigations for well-structured API traffic for which the company has observed different attack profiles compared to standard web based applications.
Cloudflare’s continued investment in application security has helped it gain its position in this space.
Cloudflare WAAP
Cloudflare has built several features that fall under the Web Application and API Protection (WAAP) umbrella.
DDoS protection & mitigation
Cloudflare’s network, which spans more than 275 cities in over 100 countries is the backbone of its platform, and is a core component that allows mitigation of DDoS attacks of any size.
To help with this, the company’s network is intentionally anycasted and advertises the same IP addresses from all locations, allowing it to “split” incoming traffic into manageable chunks that each location can handle with ease, and this is especially important when mitigating large volumetric Distributed Denial of Service (DDoS) attacks.
The system is designed to require little to no configuration while also being “always-on” ensuring attacks are mitigated instantly. Add to that some very smart software such as the new location aware mitigation, and DDoS attacks become a solved problem.
For customers with very specific traffic patterns, full configurability of our DDoS Managed Rules is just a click away.
Web Application Firewall
Cloudflare’s WAF is a core component of its application security and ensures hackers and vulnerability scanners have a hard time trying to find potential vulnerabilities in web applications.
This is very important when zero-day vulnerabilities become publicly available as bad actors attempt to leverage new vectors within hours of them becoming public. Log4J, and even more recently the Confluence CVE, are just two examples where this behaviour was observed. That’s why the company’s WAF is also backed by a team of security experts who constantly monitor and develop/improve signatures to ensure it “buys” precious time for customers to harden and patch their backend systems when necessary. Additionally, and complementary to signatures, it’s WAF machine learning system classifies each request providing a much wider view in traffic patterns.
Cloudflare’s WAF comes packed with many advanced features such as leaked credential checks, advanced analytics and alerting and payload logging.
Bot Management
It is no secret that a large portion of web traffic is automated, and while not all automation is bad, some is unnecessary and may also be malicious.
The company’s Bot Management product works in parallel to its WAF and scores every request with the likelihood of it being generated by a bot, allowing organizations to easily filter unwanted traffic by deploying a WAF Custom Rule, all this backed by powerful analytics. Cloudflare make this easy by also maintaining a list of verified bots that can be used to further improve a security policy.
In the event of wanting to block automated traffic, Cloudflare’s managed challenge ensures that only bots receive a hard time without impacting the experience of real users.