CirrusAPI Security requirement?
Hi F5 Community,
We are new and not familiar to API Security and we would like to ask what information is needed for our client?
Is this correct?
Swagger File and OAuth Server are the only two items needed?
What is an OAuth Server?
Apology on this since as said we are really novice on this.
Thanks.
There is no easy answer so you will need to do some not small reading about this as depending on your environment there will be different needs.
What I will say that there is also the issue of "Shadow API" and API endpoints for example that you may not ask for Authorization Header after the initial authentication or even with authentication there is a need for Authorization as not all authenticated users must have the same access.
I suggest to consider F5 XC distributed cloud as it does more for the API security than just importing swagger file as it has WAF, detects Shadow API and gives you suggestions on other detected issues and some things (Acccess token in HTTP request seen in clear text etc.) even the F5 WAF can't do that XC can. If you need an Oauth server then you can use F5 APM after the F5 XC as Oauth Server or F5 APM can be Resource server/Oauth Client and to integrate for example with Azure AD that will be your Oauth server. You need to do some reading on that as well.
Usefull links and you can ask the F5 sales/solutions engineers for some demos:
F5 XC API security:
https://www.f5.com/solutions/api-security
F5 Oauth with APM:
https://support.f5.com/csp/article/K42333110
https://support.f5.com/csp/article/K53313351
https://support.f5.com/csp/article/K12744365?utm_source=f5support&utm_medium=RSS
https://support.f5.com/csp/article/K24144540?utm_source=f5support&utm_medium=RSS
https://support.f5.com/csp/article/K00571304
I concur. That question is far too large to answer. I'd say that, for api security, you need L2-7 DoS defense (how much, at what layer, varies, based on the application), multi-layer WAAP and complete endpoint mapping, as a start.
