
Wallarm Kong WAF. Better Protection for Micro-services and API.

Thousands of companies, from startups to Fortune 500 enterprises, use Kong as their API gateway. With blazingly fast performance, it comes with a perfect feature set for everyone who manages microservices, APIs or a serverless stack.

Today, we’re thrilled to be a launching partner of Kong Hub. Kong Hub is a marketplace of plugins and modules created by the open-source community and commercial partners that was launched and announced today at the very first Kong Summit. Wallarm comes as one of the trusted partners in the Security domain alongside other modules that provide Authentication, Traffic Control, Analytics and Monitoring, Logging and other functionality.

The Wallarm web application firewall (NG-WAF) module seamlessly integrates with Kong API Gateway. Easy to deploy, it provides full visibility into malicious traffic (what API methods are abused and how) and real-time protection of APIs against OWASP Top 10, account takeover, bots and application abuse. If required, it also provides active scanner checks with a DAST module to identify actual vulnerabilities (such as XXE or SQL injections) in APIs.

Just a reminder that any security solution for APIs and microservices should address:

  • Support for XML / JSON and nested formats. As dumb as it sounds, most products process an HTTP request as if it were just a string, without understanding its structure or parsing through the nested formats. When a JSON or XML request contains a Base64-encoded field, they are not able to parse the JSON/XML and decode the data in that field. A malicious payload within this parameter stays invisible to the WAF and reaches the application. Not fun.
  • No performance degradation. Latency and any overhead introduced by additional request analysis can affect customer experience or conversion rates (ouch!). The Wallarm Kong WAF module was initially developed for NGINX/NGINX Plus and is written in pure C. It conducts a single-run operation to apply all the parsers and attack detection mechanisms in a matter of a few milliseconds.
  • Readiness for CI/CD. Using APIs and microservices is inevitably accompanied by frequent code updates. Be sure that the security module will not introduce false positives or require exhausting manual rule tuning every time developers push new code to production (read: every day).
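The nested-format point in the first bullet, as an added example that is not Wallarm's code: a flat string match over the request body is compared with an inspector that parses JSON and unwraps Base64 layers before matching. The signature, the function names and the sample body are all constructed for illustration.

```python
import base64
import binascii
import json
import re

# Constructed toy signature, for illustration only; not Wallarm's detection logic.
SIGNATURE = re.compile(r"(?i)'\s*or\s+1=1|<!DOCTYPE|<!ENTITY")

def try_base64(value):
    """Return decoded text if value looks like Base64-encoded UTF-8, else None."""
    if len(value) < 8 or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def walk(value, path="$", depth=0):
    """Yield (path, string) for each string, unwrapping nested JSON and Base64."""
    if depth > 8:  # bound recursion so stacked encodings cannot exhaust the inspector
        return
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk(item, f"{path}.{key}", depth + 1)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from walk(item, f"{path}[{index}]", depth + 1)
    elif isinstance(value, str):
        yield path, value
        decoded = try_base64(value)
        if decoded is not None:
            yield from walk(decoded, path + "|base64", depth + 1)
            return
        try:
            inner = json.loads(value)
        except ValueError:
            return
        if isinstance(inner, (dict, list)):
            yield from walk(inner, path + "|json", depth + 1)

def flat_match(body):
    """Naive check: treat the whole request body as one string."""
    return bool(SIGNATURE.search(body))

def structured_match(body):
    """Parse the body and test every decoded layer; return the matching paths."""
    return [path for path, text in walk(json.loads(body)) if SIGNATURE.search(text)]

# Constructed sample request body: the suspicious value sits Base64-encoded in a nested field.
SAMPLE_BODY = json.dumps({"user": "alice", "profile": {"note": base64.b64encode(b"' OR 1=1 --").decode()}})
```

On `SAMPLE_BODY`, `flat_match` finds nothing, while `structured_match` reports the field path and the decoding layer where the signature matched.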
