Rami for Outshift By Cisco

Risk scoring your API Specification with Panoptica

Every API has distinct capabilities. As developers, we want to know what an API can do and what its limitations are. These characteristics can be outlined in an API definition file, known as a specification. An API specification is the skeleton of an API: it provides a logical outline of the API's behaviour and of how the API can be consumed, and is often used to generate documentation that guides developers in interacting with the API correctly.

Your API specification can prove to be a gem for risk scoring your APIs, giving insight into Critical, High, Medium and Low risks. Findings can include root privileges enabled for certain users/processes, modified templates/images, privilege escalation capabilities, etc. These findings relate to the CIA Triad (Confidentiality, Integrity, Availability), helping you prevent confidentiality and integrity breaches and giving you deeper visibility.

Following the walk-through will require a couple of set-up scripts. If you wish to see the actual product capabilities, skip to the Intro section.

Pre-requisites
1x AWS instance ("instance_type": "c5.2xlarge", or similar computing power)

Set up
To evaluate the specification, we first need to initialise an environment in which to perform this series of tests. Our environment needs Docker, KinD, Terraform, and the Kubernetes CLI (kubectl). We will use KinD and Docker to install our Kubernetes cluster. Then we will use Terraform and the Kubernetes CLI to provision the Panoptica controller and the microservices (Sock Shop) application into the cluster. Finally, we will use Locust to generate synthetic traffic.

(You can also try to re-create this capability in your own environment, on your own microservices/APIs, by deploying the Panoptica controller and signing up to Panoptica.)

Intro
In this walk-through demo, we will look at how Panoptica (a developer security tool) can grant deeper visibility and security controls of your API, by evaluating your API specification and risk scoring it to determine the security posture of your APIs.

Consider an example web application, a sock-shop.

This web application has activity in the form of customers accessing its site, browsing through the catalog of socks, and placing orders (API activity). Panoptica displays run-time workloads, including their risk score, related security threats, events that may have caused these threats, and many more details that help reduce the Mean Time To Response (MTTR).

1: In the Panoptica UI, from the Panoptica homepage select RUNTIME. Here we see all our workloads with vulnerability and risk scores.

2: Click on the Connections tab. You can now view the connections between pods.

3: From the menu, select APIs. Under Internal APIs you can view the workloads. This is where we will be analysing our API security posture.

The API security results are listed. ‘httpbin’ has been found to have a high-risk security vulnerability, and two medium-risk findings in cluster shmcfarl-aio-1.
 
High Risk

  • Workload can run as root (1x occurrence)

Medium Risk

  • Workload template has been modified (1x occurrence)
  • Workload can escalate its privileges (1x occurrence)

These are common, yet highly sensitive, risks in the form of misconfigurations that would otherwise have gone unnoticed, or perhaps been detected only after damage had been done. Risks can also present themselves in the form of CVE-detected vulnerabilities.
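
To make the root and privilege-escalation findings concrete, here is an added example (not code from the original post, and not Panoptica's implementation) that checks a Kubernetes pod spec for the standard securityContext fields behind them. The pod spec, image names and function name are constructed for illustration; the severity labels follow the findings listed above.

```python
# Added illustration, not Panoptica's implementation. Field names are the
# standard Kubernetes securityContext fields; the pod spec below is constructed.

def audit_pod_spec(pod_spec):
    """Return sorted (severity, container, finding) tuples for a pod spec dict."""
    findings = []
    pod_ctx = pod_spec.get("securityContext") or {}
    for container in pod_spec.get("containers", []):
        name = container["name"]
        ctx = container.get("securityContext") or {}
        # Container-level values override the pod-level defaults.
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        # Root is possible with an explicit UID 0, or when no UID is pinned
        # and runAsNonRoot is not enforced (the image's default user decides).
        if uid == 0 or (uid is None and non_root is not True):
            findings.append(("High", name, "can run as root"))
        # allowPrivilegeEscalation is container-level only and is permissive
        # when unset; privileged containers can always escalate.
        if ctx.get("privileged") is True or ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(("Medium", name, "can escalate its privileges"))
    return sorted(findings)

# Constructed sample: one container with no securityContext, one hardened.
SAMPLE_POD_SPEC = {
    "securityContext": {},
    "containers": [
        {"name": "httpbin", "image": "example/httpbin:constructed"},
        {
            "name": "hardened",
            "image": "example/app:constructed",
            "securityContext": {
                "runAsNonRoot": True,
                "runAsUser": 10001,
                "allowPrivilegeEscalation": False,
            },
        },
    ],
}

if __name__ == "__main__":
    for severity, name, finding in audit_pod_spec(SAMPLE_POD_SPEC):
        print(f"{severity:6} {name}: {finding}")
```

Setting runAsNonRoot, a non-zero runAsUser and allowPrivilegeEscalation: false on the container, as in the "hardened" entry, clears both findings.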

Scoring the API Specification
Panoptica analyses APIs used by workloads in your environments and assigns a risk score to them. This includes both internal and external APIs; internal APIs carry traffic between workloads (microservices communication). You can also upload API specs to Panoptica (OAS format). The spec is analysed to generate a risk score, and the analysis is performed whenever a spec is uploaded or modified. Panoptica also performs a trace analysis on actual API traffic (internal and external) to identify security issues, and uses this in calculating the risk scores.

Uploading the API Specification

In this scenario, we will upload the API specification of the API we wish to have Panoptica analyse for security posture/risk scoring.

1: From the Panoptica Dashboard select APIs from the menu. Here you will see all the workload APIs running in the Kubernetes cluster. Double-click on the front-end workload and you will be taken to the API inventory page. Here we will see details once we upload the API Spec.
2: Download the API spec files from GitHub. Go to https://github.com/rami000/devtoAPISpec and download the repo to your local desktop.
3: Extract the file. In the api-spec directory there are 4 JSON files. We will upload the frontend.json file to the Panoptica UI.
4: Go back into the Panoptica UI. Make sure you are in APIs > Internal APIs > front-end. From this page select the SPECS tab. Click on Upload a spec and upload the frontend.json file and click Finish – this may take a while.

5: Dive deeper into what the spec analysis found for API Structure. Click on Definitions > _embedded to find more info about this risk. Click through other risks to see what else Panoptica found.

6: Click on the Risk Findings > Security Posture tabs. Select api-specification to learn more about the Security Posture of the API.

7: Click through the 7 Critical Risk Findings to get more details. This detail shows that 7 API paths have missing or misconfigured Authentication and Authorization controls. The first identified path is a GET to /addresses/{param1}. Click on other occurrences to see which other paths can be accessed without adequate security controls. Click through other risks to see what else Panoptica found.
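
The kind of finding shown in step 7 can be reproduced locally before a spec is uploaded. The following added example (not from the original post, and not Panoptica's analysis logic) walks an OAS 2 or OAS 3 document and lists operations whose effective security requirement is missing, optional, or refers to an undeclared scheme. The sample spec is constructed; only /addresses/{param1} is a path named in the walk-through, and the other paths and scheme names are hypothetical.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

def unprotected_operations(spec):
    """Return sorted (METHOD, path, reason) for operations without usable auth."""
    # OAS 3 declares schemes under components.securitySchemes, OAS 2 under securityDefinitions.
    schemes = (spec.get("components", {}).get("securitySchemes")
               or spec.get("securityDefinitions") or {})
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters"
            # An operation-level "security" replaces the global one, even when it is [].
            requirements = op.get("security", spec.get("security"))
            if not requirements:
                reason = "no security requirement"
            elif {} in requirements:
                reason = "anonymous access allowed by empty requirement {}"
            else:
                unknown = sorted({n for r in requirements for n in r} - set(schemes))
                reason = "undefined scheme: " + ", ".join(unknown) if unknown else None
            if reason:
                findings.append((method.upper(), path, reason))
    return sorted(findings)

# Constructed sample spec. Only /addresses/{param1} is a path named in the walk-through;
# the other paths and the scheme names are hypothetical.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/addresses/{param1}": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    "/orders": {"get": {"responses": {"200": {"description": "ok"}}}},
    "/cards": {"post": {"security": [{"apiKey": []}], "responses": {"201": {"description": "ok"}}}}
  }
}
""")

if __name__ == "__main__":
    for method, path, reason in unprotected_operations(SAMPLE_SPEC):
        print(f"{method:5} {path}: {reason}")
```

To run it against a real file such as frontend.json, load the file with json.load and pass the resulting dict to unprotected_operations.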

Congratulations on completing this tutorial! You were able to upload the API Spec to get analysed and risk scored by Panoptica API Security.

In this walk-through tutorial, we learned how API specs are useful in risk scoring your APIs, and how Panoptica can be used to achieve a security posture overview of your APIs.

First we evaluated the API specification by manually uploading the spec file. Once Panoptica had the API specification, it was able to find Security Risks on the configured APIs. These risks were categorised into Critical, High, Medium, and Low under the APIs security posture. Each finding provided a description, remediation, and how many occurrences were found.

As a next step, you can use the traces to generate a specification at run-time and enforce (automated) security on-the-fly for your APIs and K8s workloads.

This feature is available in the open-source tool APIClarity, as part of the OpenClarity initiative.

APIClarity is a modular tool that addresses several aspects of API Security, focusing specifically on OpenAPI based APIs.

APIClarity approaches API Security in 2 different ways:

  • Captures all API traffic in a given environment and performs a set of security analyses to discover all potential security problems with detected APIs
  • Actively tests API endpoints to detect security issues in the implementation of such APIs.

The commercial SaaS version of this product offers many more advanced features covering deeper APIsec features, K8sec, Serverless functions, Software-Supply Chain, and other visibility/security controls.

Getting started
The most advanced cloud-native security, now free for everyone! Sign up and get started with Panoptica right away.
• No credit card required
• Get started in no time
• Up to 15 nodes, 1 cluster
Sign up here to get started with Panoptica!
