Continuous, Secure API Design for the Microsoft ecosystem
In today’s world of companies exposing hundreds (if not thousands) of APIs in the systems they build and maintain, how do you make sure that all the APIs that you develop and run follow modern security best practices? If you are a Microsoft shop, 42Crunch has the platform that supports the introduction of security from the first day of API development: we have developed tools you can use across key development and runtime platforms to easily enforce secure API design right from your IDE and CI/CD pipeline.
Automate. Integrate. Collaborate.
42Crunch was built to seamlessly integrate security in the early stages of API development, so that you do not discover security issues right before getting into production! The 42Crunch tools work together to enable a DevSecOps process so you can stay agile without compromising quality or security.
VS Code – API Design and Development
Microsoft Visual Studio Code is an open-source developer environment (IDE) from Microsoft. It has quickly become the number one IDE for modern software development due to its comprehensive marketplace. With thousands of plugins for a variety of programming languages and technology – it can satisfy any R&D need.
42Crunch's popular OpenAPI (Swagger) editor extension provides first-class API creation and editing capabilities within the IDE using templates, contract navigation, intellisense and code snippets.
The security audit is easily accessible right within your IDE. Click the purple 42C button at the top right and get more than 300 different security best practices checks run against the API definition covering authentication, authorization, transport, and data validation. You immediately receive a detailed, actionable report with information on each issue, possible exploit scenarios and recommended remediation.
You immediately receive a detailed, actionable report with information on each issue, possible exploit scenarios and recommended remediation.
Azure DevOps – Testing and DevSecOps
While VS Code is a great tool for personal developer productivity, Azure Pipelines can take your processes to the next level. This is Microsoft’s implementation of Continuous Integration / Continuous Deployment (CI/CD) technology. The pipeline takes your complete code repository, runs the tests you add to it, and if successful pushes the changes to your runtime environment.
42Crunch REST API Static Security Testing extension comes in. Add it to the pipeline, specify the corporate security requirements (such the overall security score threshold or a set of more granular requirements) and enforce those requirements automatically across the 100's of APIs development within your enterprise.
The extension can automatically finds any REST API definitions in your code repositories, run the security audit checks for them, and gives detailed reports as a result. This means that no new API or API change can get deployed to your systems without automated security scrutiny.
Automated audit brings security governance to API development, ensuring you discover potential issues as early as possible in the API lifecycle.
Azure Kubernetes Service – Runtime Protection
Azure Kubernetes Services (AKS) is one of the environment of choices for APIs deployment. Customers can leverage the orchestration capabilities to automatically deploy and scale applications. But deploying applications in such an environment brings up new challenges, such as securing East-West traffic (across microservices).
With your API contract already checked and locked down in previous steps, you can use it as an allowList, making sure requests/response that do not conform to the API contract are automatically rejected. To do this, simply deploy our low-latency, low-footprint API firewall as a sidecar companion to your APIs.
The firewall reads the API contract and provides effective real-time protection for the API that the microservice exposes.
Want to learn more? Here are some resources to help you out!