In the previous chapter, we examined how to secure APIs using best practices for frameworks and languages. While this is important for improving API security, ensuring that your APIs are protected at runtime in production is equally important. This chapter will examine various methods to shield right (by shield right, I am referring to various protections for APIs that can be deployed at runtime, as opposed to design or development time) for API security.

First, we will examine basic practices to harden and secure the host platforms your APIs run on, whether Docker containers or operating systems. Then, we will examine the stalwart of runtime defense: the Web Application Firewall (WAF), and how this can be applied to protect APIs. API gateways and API managers form the core components of your arsenal in protecting APIs, and we will examine in detail the various protections these can bring to your APIs. The final tier of defending APIs...

For this chapter, you will need a development machine capable of doing the following:

• Running Docker locally
• Running VS Code with various marketplace extensions
• Accessing the internet (you will also need a GitHub account to retrieve the examples)

This chapter contains sample deployments for various runtime protections, such as the Kong API gateway and the 42Crunch API firewall. These configurations and associated instructions will be provided in the GitHub repository for the chapter.

The example code and various breaking changes to the instructions can be found in the Chapter 11 folder in the book’s GitHub repository at the following link: https://github.com/PacktPublishing/Defending-APIs/tree/main/Chapter11

An API server can only be as secure as the foundation upon which it is built. To ensure a strong foundation, several basic best practices should be observed to eliminate the most obvious weaknesses. This section provides summaries of the most important of these best practices for both container images and operating systems. The Further reading section provides more detailed references.

Container images

Modern cloud-native development practices have been fueled by the adoption of container technologies as the standard means of application distribution. A container allows an application to be packaged together with all its runtime dependencies and a configured minimalist operating system. This portable package can then be distributed to various runtime environments without concern about dependencies or configuration.

While the adoption of containers has greatly reduced friction between development and operations teams, it has created new vectors...

A WAF is a layer 7 device (in the OSI 7 layer model), meaning it operates at the highest layer, namely the application layer. This means that a WAF can interpret HTTP traffic, analyze the payload for threats, and block the traffic accordingly. Physically, a WAF operates like a reverse proxy, being located immediately in front of the terminating device (which it is protecting) and receiving all traffic destined for said terminating device. The WAF processes only incoming requests and does not process the response from the server. Figure 11.1 shows a simplified deployment diagram of a WAF with a rule set filtering API requests to a server.

Figure 11.1 – WAF topology

A WAF is configured with a rule set that defines the specific rules and policies to be applied. Such rule sets can be defined by the WAF vendor, the community (for example, OWASP defines a rule set for the ModSecurity WAF engine), or by the security team in the organization...

We now focus on the core shield right technology for APIs, namely API gateways and API management (APIM) solutions. To understand what an API gateway does, let us consider how APIs were deployed before gateways existed. Typically, an API would be instantiated on a server, assigned a resolvable name, and connected to the public internet. While this achieved the result of bringing the API online, it created a myriad of other problems for system administrators:

• Difficulty in scaling the service, either horizontally or vertically
• A very tightly coupled architecture – the internal architecture of the system was exposed directly to the client and could not be refactored without potentially breaking all clients
• The lack of a common approach to cross-cutting concerns (issues common to all APIs best addressed in a standard method) meant that each API had to implement its own logging, access control, rate limiting, and load balancing...

In this final brief section, we will look at how to monitor an API within a SIEM and Security Operation Center (SOC) using as an example the 42Crunch API firewall and the Microsoft Sentinel SIEM.

The 42Crunch firewall emits logs to a local filesystem that can be collected by a log forwarder and forwarded to Azure Log Analytics for ingestion into Microsoft Sentinel. This simplified architecture is shown in Figure 11.20.

Figure 11.20 – 42Crunch firewall log ingestion in Sentinel

Using the 42Crunch marketplace extension, Sentinel can process the API logs and alert against 12 active API rules, as shown in Figure 11.21.

Figure 11.21 – Sample Sentinel API firewall rules

When a rule is triggered, this is recorded on Sentinel as an incident and annotated with all the instance data, such as source IP address, destination path and port, response and request bodies, and return status code...

We have covered a number of different shield-right technologies in this chapter, and your ultimate selection will vary according to your budget, technical maturity, skill level, and risk threshold. As a recap, Table 11.1 shows the technologies’ pros and cons.

The rest of the chapter is locked

Previous Chapter

Chapter 1 of 19

Next Chapter

You have been reading a chapter from

Defending APIs

Published in: Feb 2024 Publisher: Packt ISBN-13: 9781804617120

© 2024 Packt Publishing Limited All Rights Reserved

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

Aug 2023 11 hours 16 minutes

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

Oct 2023 13 hours 4 minutes

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

Aug 2023 16 hours 32 minutes

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

Nov 2023 9 hours 56 minutes

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

Sep 2023 10 hours 32 minutes

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

Oct 2023 15 hours 0 minutes

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

Oct 2023 18 hours 44 minutes

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

Oct 2023 7 hours 20 minutes

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

Oct 2023 10 hours 36 minutes

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

Dec 2023 8 hours 36 minutes