Independent lab crowns new WAAP product among its leaders
An API security specialist's newly launched WAAP product outranked more established WAF competitors during independent benchmark testing.
A newly available WAAP product led the ranks of products that SecureIQLab compared in a recent set of benchmark tests.
Traceable by Harness, which merged with its sister DevSecOps company Harness in February, released its web application and API protection offering April 24. The Traceable Cloud WAAP product adds a web application firewall (WAF), bot mitigation and DDoS protection to Traceable's existing API security tools.
One early adopter of Traceable Cloud WAAP said it stood out from competitors in API security and WAAP because of its approach to AI-driven behavioral analysis of data from API calls, user sessions and network traffic flows.
"This behavioral model is only effective if you can understand the data over a fairly long period and understand what normal looks like," said Kris Jackson, senior vice president and director of cybersecurity engineering and operations at BOK Financial, a financial services firm in Tulsa, Okla.
Kris Jackson
"I'm able to follow a session through what could be an hour or two of behavior and understand the journey through that entire [process]," Jackson said. "The other API security vendors in this space do time windowing of about five minutes, so if an event takes more than five minutes to materialize into something suspicious, they don't have that context window."
Traceable tops WAAP tests
This approach also won when Traceable Cloud WAAP was among 11 vendors tested this year by SecureIQLab. This was the fourth annual test by the independent lab, which subjected applications and APIs protected by the products to more than 1,360 types of attacks. The attacks were based on industry frameworks such as the OWASP Top 10, Mitre ATT&CK and Lockheed Martin Cyber Kill Chain.
Traceable Cloud WAAP was compared with similar products from Akamai, AWS, Barracuda, Check Point, Cloudflare, Fortinet, Imperva, Microsoft, Prophaze and Ubika. SecureIQLab rated the WAAP tools by security efficacy and operational ease of use, and gave each an overall security score. Complete Security Scores averaged 74.51% this year, down 11% from 2024, but Traceable scored highest at 99.3%. This was partly due to its strength in API security, but it was also the only vendor tested that scored a perfect 100% for the effectiveness of its WAF against the OWASP Top 10 Web Application Security Risks.
Traceable Cloud WAAP also scored a perfect 100%, along with Akamai, for advanced threat coverage tests that assessed products against bot and Layer 7 DDoS attacks and rated the resiliency and vulnerability of the WAAP tools themselves. In operational efficiency, it scored slightly lower than Fortinet, which topped the list at 96.2%. Traceable tied with Imperva in this category, which assessed factors such as ease of use, auditing and logging capabilities, with a score of 95.7%. Imperva and Akamai also edged out Traceable with 100% scores in false positive avoidance, while Traceable scored 99.86%.
David Ellis, vice president of research and corporate relations at SecureIQLab, said in an interview with Informa TechTarget that vendors were invited to participate, but did not pay SecureIQLab to perform the tests. Traceable was among the vendors that donated products to complete the tests; SecureIQLab purchased others. SecureIQLab attempted but did not complete testing on products from F5, Fastly, Google and Radware.
"We work with the Anti-Malware Testing Standards Organization [to] publicly develop a [testing] methodology," Ellis said. "We have a documented process in keeping with the AMTSO standard, because we want to make sure that we're transparent ... [and] we're not going to treat one vendor better than another. We fund the testing so that we are not beholden to one vendor over another."
Further Harness integration ahead
Sudhir Patamsetti, senior director of product management at Traceable, said the vendor's API security testing features are integrated with Harness CI/CD tools. The goal is to extend the integration to automate the feedback loop between developers and production apps.
"For example, [if] there's a vulnerability identified during testing, but the developers don't have enough time to fix it, the feedback loop comes to the WAAP module, and we can create virtual patching rules on the fly to protect these application APIs against exploits during runtime," he said. "So there will be a flow of information between the earliest stages of the SDLC and the runtime phase."
Traceable might not necessarily have the name recognition of larger cybersecurity platform vendors such as Akamai, Cloudflare, F5, Imperva and Palo Alto Networks, as large enterprises increasingly seek comprehensive IT and cybersecurity vendors, said Christopher Rodriguez, an analyst at IDC. But for midmarket companies that focus on cloud-native web applications and DevSecOps workflows, Traceable's API security and support for shift-left testing will also stand out.
"API security is the hardest part [of WAAP]," Rodriguez said. "A lot of companies have talked about shift left, but it happens a lot more with security testing companies rather than active runtime protection [vendors]."
Traceable's WAAP will lend itself more to collaboration among security, developer and ops teams centered around CI/CD pipelines, Rodriguez said.
"If developers can just get the policies, protections and configurations from the security organization, they can go faster to market like that, rather than having to say, 'OK, we're just about ready to go put this in production, but we need to wait for the security team to configure the firewall and set it up,'" he said.
Beth Pariseau, a senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.
