DEV Community: Harish Nataraj

Auto OpenAPI Generation — The Network Doesn’t Lie!

Harish Nataraj — Tue, 14 Jun 2022 16:44:59 +0000

API Visibility Is Key

Visibility of APIs is a fundamental necessity for governance, security, and productivity. Yet most organizations are unable to answer the following critical questions:

What APIs do I have?
Are OpenAPI schemas for the APIs documented and maintained?
Which APIs process sensitive data?
Which users access which APIs, under what roles (or scopes)?
Which APIs are external vs. internal?

Annotation Based OpenAPI Generation Is Not Scalable

Disparate Set of Open Source Tools

There are a plethora of (language/framework specific) open source tools that generate OpenAPI specifications at build time, by scanning source code.

They use code level annotations added by developers, to language/framework specific resources, methods, and controllers, to generate schema for APIs.

Java Annotations for Swagger-Core

Examples include Swagger-Core, SpringFox, NSwag / Swashbuckle, Swagger-express / HAPI-Swagger, Django-REST-Swagger / Flask-RESTplus, etc.

These Tools Don’t Scale Well

Polyglot Microservices

Modern development environments are polyglot in nature, where you find several small teams, using a variety of technology stacks, and disparate programming languages.

These tools don’t scale well in these environments due to the following reasons:

Achieving Consistency Across Teams is Challenging

It is hard to achieve consistency (of API documentation) across so many small teams, disparate programming languages, and variety of language frameworks.
Developers need to correctly annotate the code in appropriate places, lest the documentation will be incomplete and inaccurate.
Developers need to maintain the annotations as they continuously refactor code, lest the documentation will be incomplete and inaccurate.
Annotations are static in nature. When APIs return dynamic objects, the auto documented specification will be incorrect, or incomplete.
There is no guarantee that what is auto documented, is the actual wire behavior exhibited by the API.

The Network Doesn’t Lie

APIs transact by exchanging JSON data over the network. This makes the network, the ultimate source of truth for API behavior, and schema.

Harnessing the network to auto discover & auto document APIs, in a consistent and scalable manner, has been challenging until recently.

eBPF Based Automatic OpenAPI Generation

Achieve Consistency & Scale, while Preserving Privacy

eBPF is revolutionary technology, that enables auto documentation of APIs in a consistent, scalable, and language/framework agnostic manner.

Frictionless & Privacy-Preserving API observability

Levo provides a free service that automatically generates OpenAPI documentation for all your APIs, by passively observing your runtime API traffic via eBPF.

The installation involves a single Helm Chart for Kubernetes, or a single Docker command for other environments. The installation does not require code changes, configuration changes, or SDK additions to your applications.

Ensuring the privacy of your customer data is paramount. You can read more about privacy-preserving features here.

Auto Generate OpenAPI with Sensitive Data Annotations

All APIs active in the runtime environments are auto discovered, and OpenAPI specifications are auto generated for them.

Auto Discovered API Catalog

OpenAPI specifications are annotated with sensitive data types (PII, PSI, PHI, etc).

Auto Generated OpenAPI Specifications

The API documentation is always fresh, and is based on the single source of truth, which is the actual API behavior observed on the network.

Continuously Validate Existing OpenAPI Documentation

Teams building API documentation with an API-First approach, can also benefit.

Cross validate existing OpenAPI documentation with auto generated documentation for accuracy and completeness.

Interested in trying Auto OpenAPI Generation?

OpenAPI Auto Generation — Forever Free

Levo is a purpose-built, developer-first API security solution that fully automates API Observability, API Documentation & API Testing in CI/CD pipelines.

Signup for a forever free account, and start auto documenting all your APIs within minutes.

Have questions? Contact us at info@levo.ai.

API Contract Testing - Forever Free

Harish Nataraj — Sat, 28 May 2022 21:05:30 +0000

Calling all API Architects and Developers.

Your customers, partners, and internal consumers get immense value by integrating with your APIs.

How do you ensure these integrations are not disrupted due to breaking changes that are inadvertently deployed to production?

How do you ensure that your API implementation is always in sync with its contract?

Levo’s API Contract Testing empowers you to build and maintain resilient APIs, by detecting breaking changes before they hit production!

Below is a brief video tour of Levo’s Forever Free API Contract Testing features.

Thanks for watching! Signup for a forever free account, and start building secure and resilient APIs in minutes.

Supercharge API RBAC with eBPF

Harish Nataraj — Thu, 26 May 2022 01:37:46 +0000

IAM is complex in Microservices

Modern applications are comprised of APIs and complex Identity & Access Management (IAM) constraints.

IAM involves Role Based Access Control (RBAC) policies, that try to answer the following questions:

What is the identity of the user making the request?
What are their role (or scope) entitlements?
Does the role give them access to the API operation they are attempting?
Does the role given them access to specific JSON objects being requested?

Suboptimal IAM configuration leads to authorization exploits

Given the complexity of API, roles, and associated RBAC policies, it is very easy to misconfigure authorization, resulting in dangerous exploits that leak customer data.

Horizontal Authorization Exploit

Vertical Authorization Exploit

Preventing IAM abuse requires API observability

Preventing authentication & authorization exploits requires the continuous monitoring of your users, their role entitlements and the specific APIs/JSON objects they are trying to access.

At a minimum you need to be able to answer the following questions:

Who are my users?
What are the role entitlements for these users?
What specific API endpoints and JSON objects are being accessed via the role entitlements?

Current observability methods are too intrusive

Packet Capture — no TLS visibility & too CPU intensive

InApp Agents — require code changes & lead to increased latency

Sidecar Agents — require code changes & lead to increased latency

Conventional observability is based on Traffic Mirroring (packet capture), In-App Agents, or Sidecar Proxy Agents.

All these techniques require application code/config changes, lead to increased application latency, and increased operational overhead (additional steps during debugging, upgrading, etc.)

Conventional tools result in increased friction between Developers, Operations, and Security.

eBPF enables frictionless IAM Observability

eBPF is a revolutionary technology that provides superpowers for API observability.

eBPF probes can be used to passively instrument modern API driven apps, and capture the full request/response payloads of APIs.

Below are top benefits of an eBPF based API observability solution:

Instant & comprehensive observability for your APIs, roles, and users.
Agent-less, and does not require code or configuration changes to your applications.
Full TLS / SSL visibility for all applications and services.
TLS observability does not require sharing of private keys.
Completely passive, and not inline with the application.
No impact to the application’s latency.
No impact to daily operational workflows (debugging, upgrading, etc.).
Eliminates friction between Developers, Operations, and Security, that is common with conventional tools.

Want to learn more about eBPF powered API Observability?

You can learn more about frictionless API Observability & Security here.

Making Security Fun for Developers

Harish Nataraj — Wed, 25 May 2022 19:01:44 +0000

Developers do care about security

Developers want to do the right thing for security. The real challenge is that they do not understand what that “right thing” is.

Developers are naturally curious souls, and tend to operate based on principles and causation of things. They will easily do the “right thing”, when application security issues are presented in a format that is well aligned with how they absorb information.

OWASP crAPI aims to make security fun

OWASP crAPI is a vulnerable demo application from the OWASP foundation, that makes learning about API security fun for developers.

crAPI stands for Completely Ridiculous API, and is built on modern API/microservices based architecture. Corey Ball, author of Hacking APIs refers to crAPI extensively in his lab exercises.

Levo gives crAPI a facelift

We at Levo.ai have made a number of improvements to the original crAPI, leading to a much better learning experience. Below is a summary of these improvements.

Fast Install & Startup

As part of quick-start, we offer a single pre-built docker container, that gets you instant access to crAPI on your laptop.

Full OpenAPI Specifications

crAPI now has an embedded API explorer with full OpenAPI 3.x specifications, for all its endpoints. You can invoke these APIs directly from this interface and elicit responses.

Pre-populated user accounts & data

User accounts and related data have been pre-populated for rapid access to crAPI.

User Roles for Privilege Escalation Exercises

CrAPI’s APIs now have clearly defined roles. This is critical in learning about privilege escalation and abuse.

HackPad

Embedded within crAPI is a HackPad interface, that allows you to interactively hack crAPI’s APIs, and learn more about API vulnerabilities.

Improved Documentation

The documentation has been spruced up for quick access to important information.

Stay tuned for the hacking APIs series

We will be posting a series of articles on hacking crAPI’s APIs. In meantime we encourage you to take crAPI for a spin on your laptop.

If you prefer to try a fully hosted version of crAPI, signup for a forever free account, and experience crAPI via Levo SaaS.