Solution Overview

Open Banking is a framework that gives third-party payment service providers access to customers' financial data through standardized APIs; it offers incumbent banks the opportunity to partner with fintechs and to give customers visibility into, and control over, their financial data. Exposing these APIs also enables Banking-as-a-Service (BaaS), letting banks offer their regulated infrastructure as a platform on which other financial providers build their own products. Although open banking defines a regulated standard for exposing these APIs, it does not prescribe how most of the security requirements for those APIs are to be met.

WAAP (Web Application and API Protection) is the term coined by Gartner to describe the changing landscape of web application firewalls. It expands the capabilities of the traditional WAF into four core features: WAF, DDoS protection, bot management and API protection.

This lab demonstrates the application of WAAP to a demo open banking environment. A payment service user (PSU) initiates a banking transaction from a third-party provider (TPP). The transaction is authenticated via an OAuth flow at the bank's identity provider (IdP). Once the user has consented to the payment, the request is forwarded to the NGINX Micro Gateway, which acts as the resource server: it validates the access token and, only if the token is valid, grants access to the bank's API.
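The exchange described above, reduced to its three parties, as an added Python example that is not part of this lab or of NGINX: the IdP issues a signed access token after the PSU consents, the TPP forwards the payment request carrying that token, and the resource server (the role the gateway plays here) validates signature, expiry, audience and scope before granting access. The HS256 shared secret, issuer/audience URLs, scope name and request shape are assumptions made for the example; a real deployment would verify RS256/ES256 signatures against the IdP's published keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example (assumptions, not from the lab):
# a shared HS256 secret between IdP and resource server, and the API audience.
IDP_SECRET = b"demo-idp-signing-key"
IDP_ISSUER = "https://idp.bank.example"
BANK_API_AUDIENCE = "https://api.bank.example/open-banking"
PAYMENT_SCOPE = "payments"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(psu_id: str, tpp_client_id: str, scope: str, now: int, ttl: int = 300) -> str:
    """IdP: after the PSU has authenticated and consented, mint a short-lived JWT
    bound to the calling TPP, the bank API audience and the consented scope."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": psu_id, "client_id": tpp_client_id,
              "aud": BANK_API_AUDIENCE, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(claims).encode())}"
    signature = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def tpp_build_request(token: str) -> dict:
    """TPP: forward the payment initiation to the bank API as a bearer-token request."""
    return {"method": "POST", "path": "/payments",
            "headers": {"Authorization": f"Bearer {token}"},
            "body": {"amount": "10.00", "currency": "GBP", "creditor": "GB00DEMO0000"}}


def resource_server_validate(request: dict, now: int, required_scope: str = PAYMENT_SCOPE) -> tuple:
    """Gateway acting as resource server: every check must pass before the bank API
    is reached. Returns (granted, reason)."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    # Pin the algorithm: never let the token choose it (blocks alg=none / key confusion).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # Verify the signature before trusting any claim, in constant time.
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed claims"
    if claims.get("iss") != IDP_ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("aud") != BANK_API_AUDIENCE:
        return False, "wrong audience"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, f"access granted for {claims['sub']} via {claims['client_id']}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = idp_issue_token("psu-123", "tpp-demo", PAYMENT_SCOPE, now)
    print(resource_server_validate(tpp_build_request(token), now))
    print(resource_server_validate(tpp_build_request(token), now + 600))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a forged or `alg: none` token is rejected without its claims ever influencing the decision, and scope is checked per operation so an accounts-only consent cannot initiate a payment.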

Lab Diagram