- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
API Security Inventory monitors your API traffic to provide visibility into the security posture of your APIs, including:
Using the API Security Inventory you can:
To use API Security on your services, you must have ASM Threats Protection enabled. The following library versions are compatible with API Security Inventory. Remote Configuration is required.
Technology | Minimum tracer version | Support for sensitive data scanning |
---|---|---|
Python | v2.1.6 | Requests and responses |
Java | v1.31.0 | Requests only |
PHP | v0.98.0 | Requests and responses |
.NET Core | v2.42.0 | Requests and responses |
.NET Fx | v2.47.0 | Requests and responses |
Ruby | v1.15.0 | Requests only |
Golang | v1.59.0 | Requests only |
Node.js | v3.51.0, v4.30.0 or v5.6.0 | Requests and responses |
Note: On .NET Core and .NET Fx tracers, you need to set the environment variable DD_API_SECURITY_ENABLED=true
for API Security features to work properly.
API Inventory leverages the Datadog tracing library with ASM enabled to gather security metadata about API traffic, including the API schema, types of sensitive data processed, and the authentication scheme. API information is evaluated per endpoint, every 30 seconds, which should ensure minimal performance impact.
API Inventory Security uses Remote Configuration to manage and configure scanning rules that detect sensitive data and authentication.
The following risks are calculated for each endpoint:
See the number of attacks your API experienced within the last week.
ASM matches known patterns for sensitive data in API requests. If it finds a match, the endpoint is tagged with the type of sensitive data processed.
The matching occurs within your application, and none of the sensitive data is sent to Datadog.
Category | Category facet | Type facet |
---|---|---|
Canadian social insurance numbers | pii | canadian_sin |
United States social security numbers | pii | us_ssn |
UK national insurance numbers | pii | uk_nin |
US vehicle identification numbers | pii | vin |
Passport numbers | pii | passport_number |
E-mail addresses | pii | email |
American Express card number | payment | card |
Diners Club card number | payment | card |
JCB card number | payment | card |
Maestro card number | payment | card |
Mastercard card number | payment | card |
VISA card number | payment | card |
IBAN bank account number | payment | iban |
These tags are determined by the presence of business logic traces, associated to the endpoint.
We can suggest a business logic tag for your endpoint based on its HTTP method, response status codes, and URL.
Datadog marks an endpoint as public if the client IP address is outside these ranges:
See Configuring a client IP header for more information on the required library configuration.
Authentication is determined by:
Authorization
, Token
or X-Api-Key
headers.@usr.id
APM attribute).Datadog reports the type of authentication when available in a header through the Authentication Method facet.
Category | Category facet |
---|---|
JSON Web Token (JWT) | json_web_token |
Bearer tokens (found in Authorization headers) | bearer_token |
Basic Authentication | basic_auth |
Digest access authentication | digest_auth |
Counts the Code Security vulnerabilities on the endpoint , in addition to the Software Composition Analysis vulnerabilities of its service.
추가 유용한 문서, 링크 및 기사: