このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Overview

API Security Inventory monitors your API traffic to provide visibility into the security posture of your APIs, including:

  • Authentication: Whether the API enforces authentication.
  • Authentication Method: Type of authentication used, such as Basic Auth and API key.
  • Public Exposure: Whether the API is processing traffic from the internet.
  • Sensitive data flows: Sensitive data handled by the API and flows between APIs.
  • Attack Exposure: If the endpoint is targeted by attacks (powered by Application Threat Management).
  • Business Logic: Business logic and associated business logic suggestions for this API.
  • Vulnerabilities: If the endpoint contains a vulnerability (powered by Code Security and Software Composition Analysis).
  • Findings: Security findings found on this API.
  • Dependencies: APIs and Databases the API depends on.

Using the API Security Inventory you can:

  • See at a glance which endpoints process sensitive data, are authenticated, have vulnerabilities or findings, or are publicly available.
  • See which endpoints are at risk, and pivot directly into the Threat Monitoring and Protection service for further investigation or response.
  • See which endpoints are associated to your business’s logic, and find business logic suggestions based on your endpoint’s traffic history.
API Security Inventory main page

Configuration

To use API Security on your services, you must have ASM Threats Protection enabled. The following library versions are compatible with API Security Inventory. Remote Configuration is required.

TechnologyMinimum tracer versionSupport for sensitive data scanning
Pythonv2.1.6Requests and responses
Javav1.31.0Requests only
PHPv0.98.0Requests and responses
.NET Corev2.42.0Requests and responses
.NET Fxv2.47.0Requests and responses
Rubyv1.15.0Requests only
Golangv1.59.0Requests only
Node.jsv3.51.0, v4.30.0 or v5.6.0Requests and responses

Note: On .NET Core and .NET Fx tracers, you need to set the environment variable DD_API_SECURITY_ENABLED=true for API Security features to work properly.

How it works

API Inventory leverages the Datadog tracing library with ASM enabled to gather security metadata about API traffic, including the API schema, types of sensitive data processed, and the authentication scheme. API information is evaluated per endpoint, every 30 seconds, which should ensure minimal performance impact.

API Inventory Security uses Remote Configuration to manage and configure scanning rules that detect sensitive data and authentication.

The following risks are calculated for each endpoint:

Security trace activity

See the number of attacks your API experienced within the last week.

Processing sensitive data

ASM matches known patterns for sensitive data in API requests. If it finds a match, the endpoint is tagged with the type of sensitive data processed.

The matching occurs within your application, and none of the sensitive data is sent to Datadog.

Supported data types

CategoryCategory facetType facet
Canadian social insurance numberspiicanadian_sin
United States social security numberspiius_ssn
UK national insurance numberspiiuk_nin
US vehicle identification numberspiivin
Passport numberspiipassport_number
E-mail addressespiiemail
American Express card numberpaymentcard
Diners Club card numberpaymentcard
JCB card numberpaymentcard
Maestro card numberpaymentcard
Mastercard card numberpaymentcard
VISA card numberpaymentcard
IBAN bank account numberpaymentiban

Business logic

These tags are determined by the presence of business logic traces, associated to the endpoint.

Suggested business logic

We can suggest a business logic tag for your endpoint based on its HTTP method, response status codes, and URL.

Publicly accessible

Datadog marks an endpoint as public if the client IP address is outside these ranges:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • 169.254.1.0/16

See Configuring a client IP header for more information on the required library configuration.

Endpoint authentication

Authentication is determined by:

  • The presence of Authorization, Token or X-Api-Key headers.
  • The presence of a user ID within the trace (for example, the @usr.id APM attribute).
  • The request has responded with a 401 or 403 status code.

Datadog reports the type of authentication when available in a header through the Authentication Method facet.

Supported authentication methods

CategoryCategory facet
JSON Web Token (JWT)json_web_token
Bearer tokens (found in Authorization headers)bearer_token
Basic Authenticationbasic_auth
Digest access authenticationdigest_auth

Vulnerabilities count

Counts the Code Security vulnerabilities on the endpoint , in addition to the Software Composition Analysis vulnerabilities of its service.

Further reading

お役に立つドキュメント、リンクや記事: