<h1>Questions Answered: Positive Security for APIs Webinar</h1>
<p>Published 2019-12-16 (last modified 2022-11-23). Source: https://staging2022.42crunch.com/webinar-questions-positive-security-apis/</p>
<p>You had questions, and we've got answers! Thank you for all the questions submitted on the Positive Security for APIs: What it is and why you need it! We couldn't get to all of them, so we wanted to follow up with a full list of all the Q&amp;A and the slide deck as well.</p>
<h5><strong>Is it possible to include the scan in Stoplight, and how do I include the scan in my CI/CD?</strong></h5>
<p>We do not scan the code; we audit the OpenAPI file against a list of requirements. The result is an audit report with a score representing how well security is defined in your API. You can test the functionality using our free version.</p>
<p>Any of our services (Audit, Scan, Protection) can be added to a CI/CD pipeline. The platform is accessible via a REST API, and we have already integrated with Azure DevOps, GitHub Actions, GitLab, Bamboo and Jenkins. Others can easily be supported in a matter of days.</p>
<h5><strong>No plugin for Stoplight yet; maybe SwaggerHub is a candidate too?</strong></h5>
<p>SwaggerHub is indeed a candidate to include a 42Crunch plugin. Please contact us directly if you're interested.</p>
<h5><strong>I have my Git repo linked to my Stoplight; how can I connect both with 42Crunch?</strong></h5>
<p>In terms of GitHub integration, you can right now run the Audit if you have connected to your GitHub project using VS Code. See our extension details here: <a href="https://marketplace.visualstudio.com/items?itemName=42Crunch.vscode-openapi">https://marketplace.visualstudio.com/items?itemName=42Crunch.vscode-openapi</a>. We have IntelliJ on the roadmap next.</p>
<h5><strong>Can I block my CI/CD if the scan note is bad?</strong></h5>
<p>Each of the services returns a report in JSON format, which you can parse and consume as any UI would. As such, you can indeed block on the overall score being too low, on the number of high-profile issues, on the score in a particular category, and in general on any information contained in that JSON report. The screenshot in the original post shows the Audit running in an Azure DevOps pipeline and blocking deployment.</p>
<h5><strong>Since 42Crunch works by enforcing the API contract, how does it work in the absence of OAS, i.e. undocumented or "shadow" APIs?</strong></h5>
<p>We actually need an OAS file to work, as we need to know the API contract. That said, our platform can help with discovery of shadow APIs: with our firewall in place for known APIs in non-blocking mode, you can listen to traffic and capture/report requests that would have been blocked. This will help you discover shadow APIs deployed in your environment.</p>
<h5><strong>When unknown APIs are found, does the application automatically generate an OAS?</strong></h5>
<p>There are many options to generate an OAS file: you can create them from traffic with specialized tools (Stoplight is one of them), or you can generate them by annotating your code using Swagger annotations or frameworks like SpringFox. Most likely, your development team already uses OAS for documentation purposes.</p>
<h5><strong>When you detect an incident, do you block that transaction, or do you just report the incident for correction?</strong></h5>
<p>We can do both.</p>
<h5><strong>Do you parse through the entire Request and Response body to detect vulnerabilities? If so, how much latency would this validation cause on a transaction?</strong></h5>
<p>Yes, we do parse the request and the response, but only when needed. Low latency has always been a core concern of our platform. The original post includes a graph of a recent performance test, where you can see the engine scaling linearly under load. This is a single instance of our firewall, running on a Kubernetes cluster. At 2700 TPS, memory usage was 300 MB and CPU usage was 1500 millicores. The added latency was less than 1 ms at 30 users and grew to 3 ms at 160 users. There was no think time in the injectors, hence the high load with a limited number of users.</p>
<h5><strong>As an allowlist protection against "mass injection", what would be an appropriate response: fail the API or process only whitelisted attributes? If the API fails, would it help an attacker in setting up a sort of reconnaissance or DoS attack by trying to inject various parameters?</strong></h5>
<p>Failing is the only way here, really. We block based on the OpenAPI contents but give only very limited feedback as to why we blocked that request. Somebody fishing for information would not get anything valuable by probing the API and injecting wrong parameters.</p>
<h5><strong>Even with a 'perfect' (100%) API implementation, is it possible to apply an active set of rules to an API or group of APIs, in real time or near-real time?</strong></h5>
<p>If you're referring to adding custom policies to the OAS file (beyond allowlist protection), yes, we can do that. You will be able to annotate your API and/or operations with the desired protection level, and we will engage the corresponding policies at runtime, for example Bot Mitigation, OAuth protection, or JWT validation.</p>
<h5><strong>Is it possible to use your contract audit scanner on-prem/offline?</strong></h5>
<p>Not at this point. The service resides on our SaaS platform. The platform underlying our SaaS can be installed on-prem, though. Please contact us if you need further details.</p>
<h5><strong>You've talked about Swagger specs, but do you support RAML as well?</strong></h5>
<p>We only support OAS, but MuleSoft has introduced many tools for RAML to OpenAPI conversion and now supports OAS natively. We recently used automated conversion from RAML to OAS for a customer as part of a CI/CD pipeline.</p>
<h5><strong>You've talked about positive and negative security, but what about an AI-driven security model?</strong></h5>
<p>AI is used to detect behavioral changes, for example token misuse or data scraping through APIs. Our model is based on a precise data description and on blocking requests/responses according to that description. Both approaches are complementary, as they address very different use cases.</p>
<h5><strong>How do you protect APIs deployed in Kubernetes?</strong></h5>
<p>You can deploy our API Firewall as a sidecar proxy to build a zero-trust architecture. We will then protect both North-South and East-West traffic.</p>
<p>Try our security audit for free. If you want to see the whole platform in action, request a demo now!</p>