---
title: Getting Started with App and API Protection
description: >-
  Set up Datadog App and API Protection to secure web applications and APIs.
  Enable threat detection, code security, and vulnerability scanning for
  production.
---

# Getting Started with App and API Protection

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

Datadog App and API Protection (AAP) helps secure your web applications and APIs in production.

- With threat detection, Datadog provides real-time protection against attacks and attackers targeting code-level vulnerabilities.
- With [Code Security](https://docs.datadoghq.com/security/code_security), Datadog detects code and library vulnerabilities in your repositories and your running services, providing end-to-end visibility from development to production.

This guide walks you through best practices for getting your team up and running with AAP.

## Identify services that have security risk{% #identify-services-that-have-security-risk %}

**Identify services vulnerable or exposed to attacks** that would benefit from AAP. On the [**Software Catalog > Security page**](https://app.datadoghq.com/services?&lens=Security), view and select the services you wish to enable.

{% image
   source="https://datadog-docs.imgix.net/images/getting_started/appsec/ASM_activation_service_selection_v2.2b3d0d2566001d017f856cf8ea87891f.png?auto=format"
   alt="AAP Services page view, showing Vulnerabilities and sorted by Suspicious requests column." /%}

These security insights are detected from data reported by APM. The insights help prioritize your security efforts. AAP identifies, prioritizes, and helps remediate all security risks on your services.

**Note**: If no vulnerabilities or suspicious requests are reported, ensure your services are using a recent Datadog tracing library version. From the [Security Software Catalog](https://app.datadoghq.com/services?hostGroup=%2A&lens=Security), open any service's side panel and look at its **Tracing Configuration**.

{% image
   source="https://datadog-docs.imgix.net/images/getting_started/appsec/ASM_Tracing_Configuration.d823f2ef45982127a64a03e52eaa0794.png?auto=format"
   alt="Tracer Configuration tab in APM Software Catalog page view. Highlighting which version of the Datadog Agent, and Datadog tracing library are being used by your services." /%}

## Enable AAP{% #enable-aap %}

### Enable AAP with in-app instructions{% #enable-aap-with-in-app-instructions %}

- To enable App and API Protection in-app, navigate to [**App and API Protection > Setup**](https://app.datadoghq.com/security/configuration/asm/setup).
- To enable Code Security in-app, navigate to [**Code Security > Setup**](https://app.datadoghq.com/security/configuration/asm/setup).

### Enable AAP with Remote Configuration{% #enable-aap-with-remote-configuration %}

#### Prerequisites:{% #prerequisites %}

- Datadog Agent version 7.42.0 or higher installed on your hosts or containers.
- Datadog tracing library versions that are [compatible with Remote Configuration](https://app.datadoghq.com/organization-settings/remote-config).

#### Set up Remote Configuration (if not enabled already){% #setup-remote-configuration-if-not-enabled-already %}

Follow the steps to enable [Remote Configuration](https://app.datadoghq.com/organization-settings/remote-config) in your Datadog UI. This includes:

1. Activate Remote Config capability for your organization.
1. Add Remote Configuration capability to an existing API key, or create a new one.
1. Update your Datadog Agent configuration to use the API key with Remote Configuration capability.

See [Setting up Remote Configuration](https://docs.datadoghq.com/tracing/guide/remote_config) for more information.
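
The Agent version prerequisite can be checked on a host before enabling Remote Configuration. The following is an added example, not part of the original Datadog documentation: the function names are hypothetical, and the `Agent x.y.z - ...` output format of `datadog-agent version` is an assumption (the sample strings in the comments are constructed).

```sh
#!/bin/sh
# Minimum Agent version this page lists for Remote Configuration.
MIN_AGENT_VERSION="7.42.0"

# Extract the first x.y.z version from Agent version output.
# Assumed format (constructed sample): "Agent 7.50.3 - Commit: 0000000"
extract_version() {
  printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
    head -n 1
}

# Return 0 if version $1 >= version $2. Components are compared as
# numbers, so 7.100.1 correctly ranks above 7.42.0 (a string sort would not).
version_ge() {
  a=$1 b=$2
  for i in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    a=${a#*.}; b=${b#*.}
  done
  return 0
}

# Report whether one host's version output meets the prerequisite.
# Returns 0 = OK, 1 = upgrade needed, 2 = version could not be parsed.
check_agent() {
  v=$(extract_version "$1")
  if [ -z "$v" ]; then
    echo "UNKNOWN: could not parse version"
    return 2
  fi
  if version_ge "$v" "$MIN_AGENT_VERSION"; then
    echo "OK $v"
  else
    echo "UPGRADE $v (< $MIN_AGENT_VERSION)"
    return 1
  fi
}

# Live check, only when the Agent CLI is installed on this host.
if command -v datadog-agent >/dev/null 2>&1; then
  check_agent "$(datadog-agent version 2>/dev/null)" || true
fi
```
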

### Test AAP{% #test-aap %}

Once enabled, AAP immediately identifies application vulnerabilities and detects attacks and attackers targeting your services.

1. **Validate vulnerabilities**: Navigate to the [Vulnerabilities tab](https://app.datadoghq.com/security/appsec/vm?&group=vulnerability), then triage and remediate your vulnerabilities.
1. **Validate attacks**: Send attack patterns to trigger a test detection rule. From your terminal, run the following script:

```sh
# The C-style for loop requires bash or zsh.
for ((i=1;i<=250;i++)); do
  # Target an existing route of the service
  curl "https://your-application-url/<EXISTING ROUTE>" -A 'dd-test-scanner-log';
  # Target a non-existing route of the service
  curl "https://your-application-url/<NON-EXISTING ROUTE>" -A 'dd-test-scanner-log';
done
```

Go to [Security Signals Explorer](https://app.datadoghq.com/security/appsec/signals?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&view=signal&viz=stream&start=1674824351640&end=1675429151640&paused=false) to see the signal that is generated after a few seconds.

## Disable AAP{% #disable-aap %}

For information on disabling AAP or its related capabilities, see the following:

- [Disabling threat management and protection](https://docs.datadoghq.com/security/application_security/troubleshooting/#disabling-threat-management-and-protection)
- [Disabling Code Security (SAST, SCA, or IAST)](https://docs.datadoghq.com/security/code_security/troubleshooting/)

## Reports and notifications{% #reports-and-notifications %}

{% alert level="info" %}
Datadog does not send security notifications through webhooks due to HIPAA restrictions. Security alerts won't be sent to the webhook for HIPAA-enabled accounts. If you have a HIPAA-enabled account, you cannot use `@webhook...` in the Notify the following recipients setting within Datadog security notifications. If you want these alerts sent, please [contact support](https://docs.datadoghq.com/help/).
{% /alert %}

1. Set up [notification rules](https://app.datadoghq.com/security/configuration/notification-rules) to receive alerts using Slack, Jira, email, and more.
1. Subscribe to the weekly [threat digest](https://app.datadoghq.com/security/configuration/reports) reports to begin investigation and remediation of the most important security threats discovered in the last seven days.

## Further reading{% #further-reading %}

- [App and API Protection terms and concepts](https://docs.datadoghq.com/security/application_security/terms)
- [How App and API Protection works](https://docs.datadoghq.com/security/application_security/how-it-works)
- [Join an interactive session to elevate your security and threat detection](https://dtdg.co/fe)
- [Security research, reports, tips, and videos from Datadog](https://securitylabs.datadoghq.com/)
