Overview

API Security Inventory monitors your API traffic to provide visibility into the security posture of your APIs, including:

• Authentication: Whether the API enforces authentication.
• Authentication Method: Type of authentication used, such as Basic Auth and API key.
• Public Exposure: Whether the API is processing traffic from the internet.
• Sensitive data flows: Sensitive data handled by the API and flows between APIs.
• Attack Exposure: If the endpoint is targeted by attacks (powered by Application Threat Management).
• Business Logic: Business logic and associated business logic suggestions for this API.
• Vulnerabilities: If the endpoint contains a vulnerability (powered by Code Security and Software Composition Analysis).
• Findings: Security findings found on this API.
• Dependencies: APIs and Databases the API depends on.

Using the API Security Inventory you can:

• See at a glance which endpoints process sensitive data, are authenticated, have vulnerabilities or findings, or are publicly available.
• See which endpoints are at risk, and pivot directly into the Threat Monitoring and Protection service for further investigation or response.
• See which endpoints are associated to your business’s logic, and find business logic suggestions based on your endpoint’s traffic history.

Configuration

To use API Security on your services, you must have ASM Threats Protection enabled. The following library versions are compatible with API Security Inventory. Remote Configuration is required.

Note: On .NET Core and .NET Fx tracers, you need to set the environment variable DD_API_SECURITY_ENABLED=true for API Security features to work properly.

How it works

API Inventory leverages the Datadog tracing library with ASM enabled to gather security metadata about API traffic, including the API schema, types of sensitive data processed, and the authentication scheme. API information is evaluated per endpoint, every 30 seconds, which should ensure minimal performance impact.

API Inventory Security uses Remote Configuration to manage and configure scanning rules that detect sensitive data and authentication.

The following risks are calculated for each endpoint:

Security trace activity

See the number of attacks your API experienced within the last week.

Processing sensitive data

ASM matches known patterns for sensitive data in API requests. If it finds a match, the endpoint is tagged with the type of sensitive data processed.

The matching occurs within your application, and none of the sensitive data is sent to Datadog.

Supported data types

Business logic

These tags are determined by the presence of business logic traces, associated to the endpoint.

Suggested business logic

We can suggest a business logic tag for your endpoint based on its HTTP method, response status codes, and URL.

Publicly accessible

Datadog marks an endpoint as public if the client IP address is outside these ranges:

• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
• 169.254.1.0/16

See Configuring a client IP header for more information on the required library configuration.

Endpoint authentication

Authentication is determined by:

• The presence of Authorization, Token or X-Api-Key headers.
• The presence of a user ID within the trace (for example, the @usr.id APM attribute).
• The request has responded with a 401 or 403 status code.

Datadog reports the type of authentication when available in a header through the Authentication Method facet.

Supported authentication methods

Vulnerabilities count

Counts the Code Security vulnerabilities on the endpoint , in addition to the Software Composition Analysis vulnerabilities of its service.

Further reading

추가 유용한 문서, 링크 및 기사:

Mitigate the primary risks to API securityBLOG