Revised API Inventory topic for new explorers #32859
base: master
- expanded API Endpoints section, including new AWS Gateway data source
- added sections for Services, and API Findings
Anilm3
left a comment
At first glance, perhaps it would make sense to add another page called Integrations in API Security Inventory -> Integrations to explain how to set up the AWS API Gateway integration, which in this instance will only point you to:
- First setting up this integration: https://docs.datadoghq.com/integrations/amazon-web-services/
- Then this integration https://docs.datadoghq.com/integrations/amazon-api-gateway/
In the very near future we'll also add the source code integration documentation there, cc: @margheritadonnici
content/en/security/application_security/api-inventory/_index.md
| API security relies on visibility. The biggest failure mode in most programs isn't missed vulnerabilities, it's missed APIs. | ||
| [API Security Inventory][7] monitors your API traffic to provide visibility into the security posture of your APIs, including: | ||
| [API Security Inventory][7] monitors your API traffic to provide visibility into the security posture of your APIs. |
This needs to be rewritten as we now monitor more than traffic, e.g. AWS API Gateway configuration, framework configuration and soon we'll also inspect sources.
content/en/security/application_security/api-inventory/_index.md
| - **Authentication Method**: Type of authentication used, such as Basic Auth and API key. | ||
| - **Public Exposure**: Whether the API is processing traffic from the internet. | ||
| - **Sensitive data flows**: Sensitive data handled by the API and flows between APIs. | ||
| - **Attack Exposure**: If the endpoint is targeted by attacks (powered by [App and API Protection][2]). |
Powered by App and API Protection isn't fully correct as it's all the same product, also the link points to workload protection.
content/en/security/application_security/api-inventory/_index.md
| |Golang | v1.59.0 | Requests only | | ||
| |Node.js | v3.51.0, v4.30.0 or v5.6.0 | Requests and responses | | ||
| **Note**: On .NET Core and .NET Fx tracers, you need to set the environment variable `DD_API_SECURITY_ENABLED=true` for API Security features to work properly. |
We need to add proxies here as well, @Julio-Guerra do we have any docs already we could leverage?
| - See which endpoints are associated to your business's logic, and find business logic suggestions based on your endpoint's traffic history. | ||
| <!-- {{< img src="security/application_security/api/api_endpoints_revamp.png" alt="API Security Inventory main page">}} --> | ||
| ### Configuration |
This has to be expanded to either link to the integrations (as discussed on a previous comment) and / or include that information here.
| ## How it works | ||
| API Inventory leverages the Datadog tracing library with AAP enabled to gather security metadata about API traffic, including the API schema, types of sensitive data processed, and the authentication scheme. API information is evaluated per endpoint, every 30 seconds, which should ensure minimal performance impact. | ||
| API Endpoints leverages the Datadog tracing library with App and API Protection enabled to gather security metadata about API traffic, including the API schema, types of sensitive data processed, and the authentication scheme. API information is evaluated per endpoint, every 30 seconds, which should ensure minimal performance impact. |
May need to be rephrased given what was mentioned before (other sources of information are available now as well)
| #### AWS API Gateway | ||
| The **AWS API Gateway** data source provides a per-endpoint risk view that confirms exposure, traces the source, and remediates at the service or API Gateway level. |
The API Gateway source works slightly in a similar manner to the API Definition in that a customer has to define their configuration within AWS. This configuration is then consumed by one of our services, so it is technically a definition. As of now there is little correlation with traffic, although we're working on it.
| ## API Findings | ||
| <div class="alert alert-info">API Findings is In Preview. Contact <a href="https://www.datadoghq.com/support/">Datadog Support</a> for more information.</div> |
We discussed removing the "preview" altogether since it's been available for over a year. cc: @ArthurFoucher
content/en/security/application_security/api-inventory/_index.md
| The **AWS API Gateway** data source provides a per-endpoint risk view that confirms exposure, traces the source, and remediates at the service or API Gateway level. | ||
| If there are active vulnerabilities, attacks, or sensitive data detected, do the following: |
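Review bot: the AWS API Gateway sentence at the top of this hunk ("provides a per-endpoint risk view that confirms exposure, traces the source, and remediates at the service or API Gateway level") is the same sentence already placed under the `#### AWS API Gateway` heading in the How it works section; keep it in one place, or reword the API Findings copy so it says what findings add beyond the data-source description.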
| If there are active vulnerabilities, attacks, or sensitive data detected, do the following: |
There are currently no vulnerabilities, attacks, or sensitive data detected on API Gateway Endpoints, I think we can only mention we provide visibility into exposed endpoints.
We might add more security context later though.
| - **Attacks:** Check the associated signals or traces to confirm exploit attempts, then block or tighten WAF rules at the API Gateway. | ||
| - **Sensitive data:** Investigate the request payloads or services handling that data to ensure encryption, masking, and least-privilege access are enforced. | ||
| #### API Definition |
An API Endpoint with datasource "API Definition" means the endpoint is documented in a specification uploaded to Datadog. The specification is part of the IDP API entity.
If we were able to correlate this API Endpoint with traffic from APM, then the API Endpoint has both "Spans" and "API Definition" datasources.
content/en/security/application_security/api-inventory/_index.md
Co-authored-by: Anil Mahtani <[email protected]> Co-authored-by: Nicolas Vivet <[email protected]>