API Security Strategy - Discover and map APIs, block unwanted connection and prevent data leakage
This is the 2nd part of a 3 part series articles. For Part 1 - Governance and Automation - Distributd Apps for Hybrid Cloud Architecture, please refer to the link.
API Overview
API are fundamental to the digital economy, servicing as a bridge to modernize legacy apps, and cornerstone of modern digital experiences. APIs are also subject to the same attack that target web apps, namely exploits, and abuse that lead to data breaches and fraud and introduce unintended risk from third party integration and ecosystem.
In this Part 2 of the article, I am going to demonstrate how you can discover and map APIs, block unwanted connection and prevent data leakage. These capabilities will uplift your overall organization API Strategy.
Key Truth about State of API
API is on the rise, and it will continue to gain momentum. This statement is being supported by multiple reputable published API reports. API is one of the core components of modern application. The role that it plays exemplified with the rise of microservices, cloud, distributed application and modern application framework. As a result, developers are heavily reliant on API for integration with 3rd party or internal application.
The important of API creates multitude of challenges for organization.
#1 - API visibility and API governance are one of those challenges. Due to the exponential growth of API usage, it is sort of out of control. As a result, organization lost visibility on what and where or who own those API. Are those API properly secured? Are those API compliance to security policy? How often those API being used and are there situation where those APIs are miss-used. Those are the common question each organization should ask.
#2 - Securing API is not a trivial task. Individual API endpoint could be the security weakest link. Are permission properly defined so that it prevent one user from accessing another user’s data. Data can be exfiltrated via those un-authenticated API. Developers potentially unintentionally expose sensitive datasets that may be leaked accidentally. As the result of the complexities of securing API, organization typically face the challenges on talent or expertise to manage, operate and secure those API
#3 - Organization face challenges of API documentation. Due to the pace of API growth, it overshadows the need of a good and complete documentation practices. Developer often deploys public API, bypassing internally mandated security processes and procedures. Often than not, APIs are pushed to production without proper updated documentation.
Below is the API Architecture setup for Arcadia Financial application. This application was deployed via a CI/CD pipeline demonstrated in Part 1. Please refer to previous article for the deployment of this modern application. Services are exposed via respective API Gateway deploy on each site. Integration between each microservices are via those API gateway. API gateway traffic are being monitored, analyzsed and protected by F5 WAAP and API Discovery capabiliites. This API Discovery and anomaly detection capabilities using advance machine learning to characterize how consumer of API consumed and what normal and abnormal traffic pattern to thier API and the latency experience.
There are 2 groups of API traffic. North-South API and East-West API. North-South API being those API traffic from public to the application. This type of API can be an authenticated or an un-authenticated API.
East-West APIs are API traffic flow between sites. These typically an Internal or Private API. For example, money-transfer service calling backend service API.
Here is the details demo video
In order for API discovery to be meaningful, it need dataset from API traffic. These dataset/api traffic will be fed into F5 advance machine learning for ML modelling to identify API traffic pattern, characteristic, nature of those API and so on.
Hence, for this showcase, I continuously generate synthetic API traffic across this application for a period of time. I also intentionally exploited an un-authenticated public API and exfiltrate those data from Internet. Lets see how F5 API discovery helps in identifying those attack or data breach.
Here are some of those key actionable insight as a result of F5 API Discovery and learning.
- Discovery of Shadow API (unknown/undocumented API)
- Identified Authenticated and/or Unauthenticated API
- Compliancy of API specification compare to real life API traffic.
- Distributed of API usage - which API being frequenly accessed.
- Ability to secure, apply access control list and rate limite respective "vulnerable" or "malicious miss-used" API
Key takeaway
#1 - API governance is the practice of applying common rules and guardrails relating to API standards security policies to you API. It helps you to apply consistent security control to your API endpoint. F5 helps in identifying your API whether it is a known, or unknown, private, public or 3rd party or Internal only api.
#2 - F5 provides enhance visibility and analytic to your API ecosystem and health. It give you actionable insight on how your API works, which most used, nature of those API, whether authenticate or un-authenticated and so on.
#3 - F5 helps in securing your API by applying rate limiting rules where required, protect your API from common vulnerability and exploit as well as seamless applying ACL or granular protection rules to those API.
Summary of all 3 parts
Part 1 - Governance and Automation - Distributed Apps for Hybrid Cloud Architecture
Great article indeed !
- James_HendergarEmployee
Fantastic article, Foo Bang!
APIs are like snowflakes. Each one must be protected in the right way. I especially like the way the shadow API is called out in the example above.
- Foo-Bang_ChanEmployee
Thanks. Yes. The fundamental principle is "you can't protect what you can't see". F5 XC API discovery help to uncover what you can't see (shadow API).