September 27, 2022
An API MESH
What is modern API Architecture
API Engineering – https://docs.google.com/document/d/1uUrvbYGYOfShMpjf9mvlg3C4F838aA-dJGZFvzf7rJ0/edit#heading=h.dlncwkhndmi0
APIs are a simple concept: they connect data to create new digital experiences. If we look at the IT modernization trends driving digital transformation, APIs play a critical role in all of them. Cloud projects use APIs. Software that interacts with IoT sensors uses APIs. Contextual mobile apps use APIs. And getting big data into systems to be ingested and analyzed is the task of the humble API. So they aren’t a fad; they are the key technology that makes new business models, product offerings, insights, and many other IT changes possible, and they are increasingly seen as a critical part of the successful digital transformation of any organization.
Regardless of how you use APIs, it’s critical to take a strategic, rather than tactical, view of how you plan, design, secure, and manage them. A strategic view will enable you to address the tactical needs of today while providing the flexibility clearly needed to modernize and thrive in the digital world.
WAF Evaluation Checklist
- Common Threats
A WAF should have built-in protection for common threats, such as the OWASP Top 10 and the OWASP API Security Top 10.
- Virtual Patching
Many organizations struggle to keep up with updates and patching new vulnerabilities. A WAF should offer virtual patching, which blocks attempts to exploit known vulnerabilities.
- Regular Updates
New vulnerabilities are discovered every day. A WAF’s database of known attacks should be regularly updated to provide up-to-date protection.
- Account Takeover Protection
Account takeover attacks (such as brute force password guessing or credential stuffing) are increasingly common. A WAF should automatically detect and block these attempted attacks.
- Business Logic Attacks
Some attacks (such as cookie tampering and directory traversal) target the business logic of an application. A WAF should detect and block attempts to exploit these attack vectors.
- Identify traffic from datacenters, Tor, proxies
A WAF should be able to correctly identify and report requests coming from known data centers (in contrast to requests coming from residential IP addresses), Tor exit points, and proxy servers.
- Websites and Web Applications
A WAF should provide comprehensive protection for websites of any type. This includes single-page applications (SPA), websites, and web applications.
- Application Programming Interfaces (APIs)
APIs are a growing and vital component of an organization’s digital infrastructure. A WAF should support common API protocols, including XML-based (like SOAP), JSON-based (like REST), GraphQL, and gRPC.
Serverless applications are growing in popularity. A WAF should be able to protect AWS Lambda, Azure Functions, and GCP Cloud Functions.
- Full Environment Support
A WAF should be able to provide protection in any deployment environment. This includes public, private, hybrid, and multi-cloud deployments, private data centers, Kubernetes clusters, and service meshes.
- Cloud-Native Deployment
Organizations are increasingly moving their applications to the cloud. A WAF should be designed to operate in cloud environments and take advantage of the cloud deployment (e.g. to be deployed in Kubernetes as a sidecar proxy or Ingress controller).
- Multi-Tenancy Support
An organization may have multiple different sites (or multiple departments/subsidiaries) that it wants to protect against attacks. A WAF should offer multitenancy to enable multiple sites to be protected by a single solution with proper user permissions management capability.
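The "Account Takeover Protection" item above asks for automatic detection of brute force and credential stuffing. The following is an added example, not code from the original checklist or from any WAF vendor, showing the two heuristics a WAF typically applies to login events: many failures against one account from one source (brute force) and one source cycling through many accounts (credential stuffing). The log layout, IP addresses and thresholds are constructed for the demo.

```python
"""Added example (not part of the original checklist): two account-takeover
heuristics a WAF can apply to login events, run here over constructed log
lines. Thresholds and the log layout are assumptions for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-09-27T10:00:01Z 203.0.113.7 alice FAIL
2022-09-27T10:00:02Z 203.0.113.7 bob FAIL
2022-09-27T10:00:03Z 203.0.113.7 carol FAIL
2022-09-27T10:00:04Z 203.0.113.7 dave FAIL
2022-09-27T10:00:05Z 203.0.113.7 erin FAIL
2022-09-27T10:00:06Z 203.0.113.7 frank OK
2022-09-27T10:00:10Z 198.51.100.4 alice FAIL
2022-09-27T10:00:11Z 198.51.100.4 alice FAIL
2022-09-27T10:00:12Z 198.51.100.4 alice FAIL
2022-09-27T10:00:13Z 198.51.100.4 alice FAIL
2022-09-27T10:00:14Z 198.51.100.4 alice FAIL
2022-09-27T10:00:15Z 198.51.100.4 alice FAIL
2022-09-27T10:05:00Z 192.0.2.9 alice FAIL
2022-09-27T10:05:30Z 192.0.2.9 alice OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_takeover(log_text, window=timedelta(minutes=1), max_failures=5, max_users=4):
    """Return {ip: reason} for sources whose recent failures look like brute
    force (one account hammered) or credential stuffing (many accounts tried).

    A sliding window per source IP keeps only failures newer than `window`,
    so a legitimate user who mistypes a password twice an hour never trips it.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(list)  # ip -> [(ts, user)] failures inside the window
    alerts = {}
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        # keep only failures from this source that fall within the window
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window] + [(ts, user)]
        users = {u for _, u in recent[ip]}
        if len(users) >= max_users:
            alerts[ip] = "credential_stuffing"
        elif len(recent[ip]) >= max_failures and len(users) == 1:
            alerts[ip] = "brute_force"
    return alerts


if __name__ == "__main__":
    for ip, reason in detect_takeover(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The single legitimate user who fails once and then succeeds (192.0.2.9) produces no alert, which is the false-positive behaviour the "Low False Positives" item below cares about; a production WAF would additionally weight the source by the data-center/Tor classification asked for in the previous item.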
Low Management Overhead
- Low False Positives:
High false-positive rates commonly drive WAF users to deploy solutions in passive/monitoring mode. A WAF should offer a low false-positive rate to make production (blocking) deployment usable.
- Signature-less attack detection capabilities.
A signature-based WAF is typically more difficult to manage (add rules to avoid false positives) while keeping a high level of application protection. Your WAF should be able to block malicious requests without a need to manage signatures.
- Auto-adjustment of security rules.
A WAF should automatically learn each application’s structure, per customer and per application, and create the necessary security rules.
- Managed SOC team.
WAF solutions with a vendor-operated, cloud-based monitoring and protection module should provide SOC capability to customers as part of the subscription service.
- Multi-region/multi-cloud deployment.
Users should be able to deploy it to any Public Cloud like AWS, Azure, or GCP.
- Native integration with popular web server software.
A WAF should support a module-based integration in your existing NGINX load balancer.
- Scales with Clusters (horizontal scaling).
It should be easy to deploy an auto-scaling cluster of WAF nodes using provided Terraform automation code.
- API Protection for modern APIs
A WAF should protect APIs built on modern technology stacks, including REST, SOAP, gRPC, GraphQL, and WebSocket.
- API Abuse Protection
Not all attacks against an API are designed to exploit known vulnerabilities. A WAF should also be able to identify and block traffic that abuses an organization’s API.
- Protection without a provided API schema.
A WAF should be able to automatically protect API endpoints without a need for the user to provide API schema definitions.
- Understandable, Informative, Customizable Dashboards:
An organization’s security team needs to be able to easily determine the current status of its web security and respond to potential threats. A WAF should offer a web-based user-friendly dashboard to maximize the effectiveness of an organization’s security team.
- Deep-dive on “why” of blocking.
Give me a cap.
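Three items in this section, "Signature-less attack detection capabilities", "Auto-adjustment of security rules" and "Protection without a provided API schema", describe the same mechanism from different angles: the WAF builds a positive security model from observed traffic instead of matching a list of attack signatures. The block below is an added example written for this page, not code from the checklist or from any vendor, that learns a per-field profile (accepted types, maximum string length, character class) from constructed baseline request bodies and then reports every deviation in a new body. Field names, sample bodies and the slack factor are assumptions for the demo.

```python
"""Added example, not from the original checklist: a positive security model
learned from observed traffic rather than from a supplied schema or a signature
list. Baseline request bodies and field names are constructed for the demo."""
import json
import re

# Constructed baseline: bodies observed on one endpoint during a learning window
BASELINE = [
    '{"user": "alice", "age": 31, "tags": ["admin"]}',
    '{"user": "bob", "age": 44, "tags": []}',
    '{"user": "carol_99", "age": 27, "tags": ["dev", "ops"]}',
]

# Character classes from narrowest to widest; a string field is assigned the
# narrowest class that fits every value seen during learning.
CHARSETS = [
    ("digits", re.compile(r"^[0-9]+\Z")),
    ("word", re.compile(r"^[A-Za-z0-9_]+\Z")),
    ("any", re.compile(r".*", re.S)),
]


def learn_profile(samples):
    """Build {field: {"types", "max_len", "charset"}} from observed JSON bodies."""
    profile = {}
    for raw in samples:
        for key, value in json.loads(raw).items():
            p = profile.setdefault(key, {"types": set(), "max_len": 0, "charset": 0})
            p["types"].add(type(value).__name__)
            if isinstance(value, str):
                p["max_len"] = max(p["max_len"], len(value))
                # widen to the first (narrowest) class this value fits
                for i, (_, rx) in enumerate(CHARSETS):
                    if rx.match(value):
                        p["charset"] = max(p["charset"], i)
                        break
    return profile


def check_request(profile, raw, slack=2.0):
    """Return a list of violation codes; an empty list means the body fits the
    learned profile. No attack signatures are consulted: anything that is not
    shaped like the baseline traffic is reported."""
    try:
        body = json.loads(raw)
    except ValueError:
        return ["malformed_json"]
    if not isinstance(body, dict):
        return ["not_an_object"]
    violations = []
    for key, value in body.items():
        p = profile.get(key)
        if p is None:
            violations.append(f"unknown_field:{key}")
            continue
        if type(value).__name__ not in p["types"]:
            violations.append(f"type_mismatch:{key}")
            continue
        if isinstance(value, str):
            # `slack` leaves room for values a little longer than any seen so far
            if len(value) > p["max_len"] * slack:
                violations.append(f"length:{key}")
            if not CHARSETS[p["charset"]][1].match(value):
                violations.append(f"charset:{key}")
    return violations


if __name__ == "__main__":
    profile = learn_profile(BASELINE)
    for body in ('{"user": "dave", "age": 20, "tags": []}',
                 '{"user": "x\' OR 1=1 --", "age": 20, "tags": []}',
                 '{"user": "eve", "age": "20", "tags": [], "role": "admin"}'):
        print(body, "->", check_request(profile, body) or "ok")
```

The learning phase is where the "low management overhead" claim is earned or lost: the profile must be widened automatically as legitimate traffic changes (a longer username, a new optional field), otherwise the operator ends up tuning it by hand exactly as they would tune signatures.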
Compliance and Reporting
- Regulatory Compliance Support:
Most organizations are subject to a number of different regulations with associated security and reporting requirements. A WAF should offer support for common regulations (like PCI DSS or GDPR) and enable users to easily collect data and generate reports for auditors or regulatory authorities.
- Built-In Report Formats:
An organization’s security team may need to generate reports for executives, auditors, etc. A WAF should have integrated support for generating common reports.
- SOC2 compliance:
WAF vendors should meet SOC2 compliance requirements & have SOC2 certificates to meet customer standards and practices.
- Easy Configuration and Updates:
An organization needs to be able to easily configure its WAF to meet its unique business needs and install updates to take advantage of new features and functionality.
- Ability to access WAF documentation:
A WAF solution should provide a detailed documentation site about how to deploy and use the system.
- Should be within the budget.
Cyber protection has become a key part of IT infrastructure, and customers should be able to afford WAF protection appropriate to their size and infrastructure maturity level.
- Clear pricing model.
Many WAF vendors make their pricing structure unclear and complicated, so customers are exposed to unexpected price increases as traffic and usage grow. Ideally, WAF vendors should have a single trigger for price increases with a predictable, transparent pricing model, so customers can plan ahead as their operations grow.
- Public API.
A WAF should include a publicly-accessible API. This enables users to integrate it with a variety of different external solutions, such as log management with an ELK stack.
A WAF should incorporate support for webhooks – this enables the development of custom issue tracking and analytics platforms.
- SIEM Integrations:
A Security Information and Event Management (SIEM) solution is designed to provide security data aggregation and analytics. A WAF should have integrations for major SIEM platforms: Splunk, Sumo Logic, IBM QRadar.
- DevOps Tool Integrations:
Adoption of DevOps principles means that development teams need to be able to automate testing and deployment activities. A WAF should integrate into DevOps pipelines to enable rapid configuration updates. A WAF should have built-in integrations for major DevOps tools like PagerDuty and OpsGenie.
- Messenger Integrations:
Security teams need to rapidly respond to potential incidents. A WAF should include integration with common messaging platforms for instantaneous notifications: Slack & Microsoft Teams.
- Smart notifications:
WAF customers should be able to customize and set event notifications (also known as “Triggers”), including integrations with SIEM, DevOps, and messenger tools. Apart from notifications on events (like attacks), WAF customers should be able to use “smart” blocking techniques and set quick action rules.
- Metrics exposed.
WAF nodes should provide helpful monitoring metrics in the popular Prometheus format.
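To make the "Metrics exposed" item concrete, here is an added example, not code from the checklist or from any WAF product, of what a WAF node's /metrics endpoint serves: the Prometheus text exposition format, rendered by a minimal counter and histogram implementation. It covers the two details that most often go wrong in hand-rolled exporters, label-value escaping and the cumulative (less-than-or-equal) semantics of histogram buckets. The metric names and sample values are constructed.

```python
"""Added example (not from the original checklist): a minimal renderer for the
Prometheus text exposition format, the form a WAF node's /metrics endpoint
would serve. Metric names and sample values are constructed."""
import re

METRIC_NAME_RE = re.compile(r"^[a-zA-Z_:][a-zA-Z0-9_:]*$")


def escape_label_value(value):
    """Escape backslash, double quote and newline as the exposition format requires."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def fmt_labels(names, values):
    """Render {name="value",...}; an unlabelled series gets no braces at all."""
    if not names:
        return ""
    inner = ",".join(f'{n}="{escape_label_value(str(v))}"' for n, v in zip(names, values))
    return "{" + inner + "}"


class Counter:
    def __init__(self, name, help_text, label_names=()):
        if not METRIC_NAME_RE.match(name):
            raise ValueError(f"invalid metric name: {name}")
        self.name, self.help_text = name, help_text
        self.label_names = tuple(label_names)
        self._values = {}  # label-value tuple -> count

    def inc(self, amount=1, **labels):
        if set(labels) != set(self.label_names):
            raise ValueError("labels must match label_names exactly")
        key = tuple(labels[n] for n in self.label_names)
        self._values[key] = self._values.get(key, 0) + amount

    def render(self):
        lines = [f"# HELP {self.name} {self.help_text}", f"# TYPE {self.name} counter"]
        for key in sorted(self._values):
            lines.append(f"{self.name}{fmt_labels(self.label_names, key)} {self._values[key]}")
        return "\n".join(lines) + "\n"


class Histogram:
    def __init__(self, name, help_text, buckets=(0.005, 0.01, 0.05, 0.1, 0.5, 1.0)):
        if not METRIC_NAME_RE.match(name):
            raise ValueError(f"invalid metric name: {name}")
        self.name, self.help_text = name, help_text
        self.buckets = tuple(sorted(buckets))
        self._counts = [0] * len(self.buckets)
        self._sum, self._count = 0.0, 0

    def observe(self, value):
        self._sum += value
        self._count += 1
        # buckets are cumulative: every bucket whose upper bound >= value counts it
        for i, upper in enumerate(self.buckets):
            if value <= upper:
                self._counts[i] += 1

    def render(self):
        lines = [f"# HELP {self.name} {self.help_text}", f"# TYPE {self.name} histogram"]
        for upper, n in zip(self.buckets, self._counts):
            lines.append(f'{self.name}_bucket{{le="{upper}"}} {n}')
        lines.append(f'{self.name}_bucket{{le="+Inf"}} {self._count}')
        lines.append(f"{self.name}_sum {self._sum}")
        lines.append(f"{self.name}_count {self._count}")
        return "\n".join(lines) + "\n"


def build_sample_metrics():
    """Constructed values standing in for what a WAF node would have counted."""
    reqs = Counter("waf_requests_total", "Requests seen by the WAF node by action and rule.",
                   ("action", "rule"))
    for _ in range(10):
        reqs.inc(action="pass", rule="none")
    reqs.inc(amount=3, action="block", rule="sqli")
    reqs.inc(action="block", rule='odd"quote')  # exercises label escaping
    latency = Histogram("waf_request_duration_seconds", "Time spent inspecting a request.")
    for seconds in (0.002, 0.004, 0.02, 0.3):
        latency.observe(seconds)
    return reqs, latency


def render_all(metrics):
    """Concatenate every metric family into one scrape response body."""
    return "".join(m.render() for m in metrics)


if __name__ == "__main__":
    print(render_all(build_sample_metrics()), end="")
```

Real deployments use the official client library for their language rather than a hand-written renderer; the value of seeing the format spelled out is knowing what to expect when a WAF vendor says "Prometheus-compatible", namely HELP/TYPE preamble, sorted label sets and the trailing +Inf bucket.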
Active Checks / Vulnerability Scanner Capabilities
- Integrated Vulnerability Detection.
A WAF should automatically identify potential vulnerabilities within an organization’s applications. Detections should be based upon active/passive scanning, threat intelligence, and knowledge of public vulnerabilities.
A WAF should be capable of detecting and alerting on misconfigurations that impact the security or usability of an application or API.
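The last item asks the WAF to alert on misconfigurations it can observe passively, that is, from responses it is already proxying. As an added example, not code from the checklist or from any product, the block below runs a handful of such checks over two constructed responses: a CORS wildcard combined with credentials, a "null" origin allowance, missing HSTS and nosniff headers, a server banner carrying a version number, and session cookies without Secure/HttpOnly. Header values and finding codes are assumptions for the demo.

```python
"""Added example (not part of the original checklist): passive checks a WAF or
scanner can run on responses it already proxies, flagging common
misconfigurations. The two sample responses are constructed."""
import re

VERSION_RE = re.compile(r"\d+\.\d+")


def check_response(header_pairs, scheme="https"):
    """Return a list of finding codes for one HTTP response.

    header_pairs: list of (name, value) as received, so repeated headers such
    as Set-Cookie are preserved rather than collapsed into a dict."""
    headers = {}
    for name, value in header_pairs:
        headers.setdefault(name.lower(), []).append(value)

    def first(name):
        return headers.get(name, [""])[0]

    findings = []
    acao = first("access-control-allow-origin")
    if acao == "*" and first("access-control-allow-credentials").lower() == "true":
        findings.append("cors_wildcard_with_credentials")
    if acao == "null":
        findings.append("cors_null_origin_allowed")
    if scheme == "https" and "strict-transport-security" not in headers:
        findings.append("missing_hsts")
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("missing_nosniff")
    if VERSION_RE.search(first("server")):
        findings.append("server_version_disclosed")
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie_without_httponly:{name}")
        if scheme == "https" and "secure" not in attrs:
            findings.append(f"cookie_without_secure:{name}")
    return findings


# Constructed sample responses: one weak, one hardened
WEAK_RESPONSE = [
    ("Server", "nginx/1.18.0"),
    ("Content-Type", "application/json"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Server", "nginx"),
    ("Content-Type", "application/json"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    print("weak:", check_response(WEAK_RESPONSE))
    print("hardened:", check_response(HARDENED_RESPONSE) or "no findings")
```

Each of these findings is something the WAF can see on every response without sending a single extra request, which is what distinguishes the passive half of "active/passive scanning" in the item above; the usability side (an HSTS header on an HTTP-only internal service, say) is why the checks take the scheme into account.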