Barracuda WAF-as-a-Service

API Discovery


Overview

API discovery analyzes application traffic to discover the API endpoints of an application and the structure of their payloads. Every API endpoint consists of a base URL, a resource path, and the request payload details. The discovered information is used to create security rules (API profiles and key profiles). Applying these security rules to your application causes all subsequent API requests to be validated against the discovered characteristics.

Before you enable API Discovery, ensure that Enable Advanced Bot Protection is set to ON on the BOT PROTECTION > Dashboard page.

Traffic Analytics

Traffic analytics provides information about each discovered API endpoint that helps the administrator understand its traffic pattern. Barracuda WAF-as-a-Service analyzes traffic patterns over multiple days to discover the relevant characteristics of the API endpoint and its associated structure.

A confidence factor is associated with each discovered endpoint and parameter. It indicates the stability of the discovered entity: if the discovered characteristics of the entity do not vary significantly, the confidence factor is high. The confidence factor is computed by the "Advanced API Discovery Engine" and is used when creating API profiles.

Confidence Level            Description
60-75% (Moderate)           The discovered endpoint still has scope for analysis, after which the confidence level may change.
76-85% (Confident)          The discovered endpoint is stable, and JSON Profiles/Key Profiles are recommended based on this confidence.
86-100% (Very Confident)    The discovered endpoint's characteristics do not vary significantly, and JSON Profiles/Key Profiles are recommended based on this confidence.

API Profile

An API profile consists of two parts. The first part represents the API endpoint while the second captures information about each individual key and value that are a part of the API payload.

The endpoint of the API is represented by a JSON Profile which captures details such as content-type, HTTP method, keys/params, security policy associated with the profile, etc. API profiles are generated/created when the Barracuda WAF-as-a-Service discovers API endpoints in the application.

Information about the parameters and their values is captured in the Key Profile. It records the value type (String, Number, Array, or Object), the maximum and minimum length (characters for strings, digits for numbers, elements for arrays, or name/value pairs for objects), the value class, and whether NULL is allowed for the key.
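To make the relationship between discovery and enforcement concrete, here is an added example (not Barracuda code, and not the Advanced API Discovery Engine) that infers toy key profiles from a few constructed request bodies and then validates new bodies against them. The profile field names (type, min, max, allow_null, confidence), the digit-count rule for numbers, and the simple presence-times-type-consistency confidence score are all assumptions made for the illustration; the 76% enforcement threshold mirrors the "Confident" band in the table above.

```python
from collections import Counter

# Constructed sample traffic: three request bodies observed for POST /api/v1/orders.
SAMPLE_BODIES = [
    {"sku": "AB-1234", "qty": 2,  "tags": ["gift"],         "note": None},
    {"sku": "CD-5678", "qty": 10, "tags": ["rush", "gift"], "note": "leave at door"},
    {"sku": "EF-9012", "qty": 1,  "tags": [],               "note": None},
]


def value_type(v):
    """Map a JSON value onto the value types named on the page."""
    if isinstance(v, bool):            # JSON booleans are outside the four page types
        return "Unknown"
    if isinstance(v, str):
        return "String"
    if isinstance(v, (int, float)):
        return "Number"
    if isinstance(v, list):
        return "Array"
    if isinstance(v, dict):
        return "Object"
    return "Unknown"


def value_size(v):
    """Characters, array elements, or name/value pairs; digit count for numbers (assumption)."""
    if isinstance(v, (str, list, dict)):
        return len(v)
    return len(str(v).lstrip("-"))


def discover_key_profiles(bodies):
    """Build a toy key profile per key from observed bodies (the 'learning' phase)."""
    observations = {}                  # key -> [(type or None, size or None), ...]
    for body in bodies:
        for key, val in body.items():
            entry = (None, None) if val is None else (value_type(val), value_size(val))
            observations.setdefault(key, []).append(entry)

    profiles = {}
    for key, samples in observations.items():
        typed = [(t, n) for t, n in samples if t is not None]
        allow_null = len(typed) < len(samples)        # a NULL was seen at least once
        if typed:
            dominant, dom_count = Counter(t for t, _ in typed).most_common(1)[0]
            sizes = [n for t, n in typed if t == dominant]
            consistency = dom_count / len(typed)      # share of non-null samples with the dominant type
        else:
            dominant, sizes, consistency = "Unknown", [0], 1.0
        presence = len(samples) / len(bodies)         # share of bodies in which the key appeared
        profiles[key] = {
            "type": dominant,
            "min": min(sizes),
            "max": max(sizes),
            "allow_null": allow_null,
            "confidence": round(100 * presence * consistency),   # toy stability score, 0-100
        }
    return profiles


def validate_body(body, profiles, min_confidence=76):
    """Enforce learned key profiles; only profiles at or above min_confidence are applied."""
    violations = []
    for key, val in body.items():
        prof = profiles.get(key)
        if prof is None:
            violations.append(f"{key}: key not seen during discovery")
            continue
        if prof["confidence"] < min_confidence:
            continue                                   # still learning: not enforced yet
        if val is None:
            if not prof["allow_null"]:
                violations.append(f"{key}: NULL not allowed")
            continue
        observed_type = value_type(val)
        if observed_type != prof["type"]:
            violations.append(f"{key}: type {observed_type}, expected {prof['type']}")
            continue
        size = value_size(val)
        if not prof["min"] <= size <= prof["max"]:
            violations.append(f"{key}: size {size} outside {prof['min']}..{prof['max']}")
    return violations


if __name__ == "__main__":
    learned = discover_key_profiles(SAMPLE_BODIES)
    for key, prof in learned.items():
        print(key, prof)
    print(validate_body({"sku": "X" * 40, "qty": "5", "tags": ["a"], "note": None, "admin": True}, learned))
```

Running it prints the learned profiles (for example, note becomes a String of length 13 with allow_null set) and then the violations for an oversized sku, a string-typed qty, and a never-seen admin key. In a real deployment the learning window spans days of traffic rather than three bodies, which is what makes the confidence bands meaningful.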


API Discovery Overview

Steps to Enable API Discovery

To enable API Discovery for an application, do the following:

  1. On the WAF-as-a-Service web interface, go to the APPLICATIONS page and click on the application to which you want to enable API Discovery.

  2. On the application page, click API Discovery in the left panel.

  3. On the API Discovery page, click Enable API Discovery.

  4. On the API Discovery Settings pop-up window:

    1. Set API Discovery to Enabled.

    2. Select an option (Automatic or Manual) to create API profiles for the discovered endpoints:

      1. Automatic – In the Automatic mode, API endpoints and associated structures are learned, and the required security configuration is automatically applied to the discovered API endpoints and structures.

      2. Manual – In the Manual mode, API endpoints are learned, and profiles are displayed under API Discovery for review. You can review the endpoints, their structure, and analytics information, and then apply the configuration.

  5. Click Save.


To change the API learning behavior, click Settings on the API Discovery page.

API Discovery in the Automatic Mode

When API Discovery is enabled in the Automatic mode, the Barracuda WAF-as-a-Service analyzes the incoming traffic, creates API profiles for discovered endpoints and associated structures that have a high confidence factor, and applies them automatically. You can view the applied API profiles and key profiles on the JSON Security page.

API Discovery in the Manual Mode

When API Discovery is enabled in the Manual mode, the Barracuda WAF-as-a-Service analyzes the incoming traffic, creates API profiles for discovered endpoints and associated structures, and displays them on the API Discovery page. You can review the URL endpoints, key profiles, and then apply them as needed.

Note: It is recommended to set API Discovery in the Manual mode.

Data Classification

Data classification is the process of labeling the data and categorizing it as High, Medium, or Low based on its type, sensitivity, and business value. The classified data for a given endpoint can help the administrator to apply appropriate security policies and safeguard the data.

The Barracuda WAF-as-a-Service analyzes the API transactions asynchronously and recognizes Personally Identifiable Information (PII) entities in the data that is sent as the response to the client. The recognized data is then categorized into sensitivity levels (High, Medium, or Low) and displayed for each endpoint under DATA CATEGORY on the API Discovery web interface.

  • High Sensitivity - Confidential data such as personal details, financial records, etc. Examples: Credit Card Number, SSN, Bank details.

  • Medium Sensitivity - Data intended for internal use only, such as emails and documents with no confidential data. Examples: Email addresses, Phone numbers, etc.

  • Low Sensitivity - Data intended for public view. Examples: URLs, Vehicle registration number, etc.
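The following added example (not Barracuda code) shows the shape of a response-side data classifier like the one described above: it walks a constructed JSON response, recognizes a few of the PII entity types listed in the bullets with simple detectors, maps each to a sensitivity level, and labels the endpoint with the highest level found. The detector patterns, the Luhn check for card numbers, the digit-count bound for phone numbers, and the entity names are assumptions for the illustration; bank details and vehicle registration numbers vary too much by country to model here and are left out.

```python
import re

# Entity -> sensitivity, following the three bands on the page.
SENSITIVITY = {
    "Credit Card Number": "High",
    "SSN": "High",
    "Email address": "Medium",
    "Phone number": "Medium",
    "URL": "Low",
}
RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample response for GET /api/v1/customers/42 (not real data).
SAMPLE_RESPONSE = {
    "id": 42,
    "name": "Alice Example",
    "contact": {"email": "alice@example.com", "phone": "+1 (555) 123-4567"},
    "payment": {"card": "4111 1111 1111 1111"},
    "profile_url": "https://example.com/u/42",
}


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers apart from other digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect_pii(value):
    """Return the entity name for a single scalar value, or None. Order matters: most specific first."""
    s = value.strip()
    digits_only = re.sub(r"[ -]", "", s)
    if re.fullmatch(r"\d{13,19}", digits_only) and luhn_ok(digits_only):
        return "Credit Card Number"
    if re.fullmatch(r"\d{3}-\d{2}-\d{4}", s):
        return "SSN"
    if re.fullmatch(r"[\w.+-]+@[\w-]+(\.[\w-]+)+", s):
        return "Email address"
    if re.fullmatch(r"\+?\d[\d ()-]{7,14}\d", s) and 10 <= len(re.sub(r"\D", "", s)) <= 12:
        return "Phone number"
    if re.fullmatch(r"https?://\S+", s):
        return "URL"
    return None


def classify_response(body):
    """Walk a decoded JSON response; return (endpoint category, list of (path, entity, level))."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")
        elif isinstance(node, (str, int)) and not isinstance(node, bool):
            entity = detect_pii(str(node))     # numbers are scanned too (a card stored as int)
            if entity:
                findings.append((path, entity, SENSITIVITY[entity]))

    walk(body, "")
    category = max((level for _, _, level in findings), key=RANK.get, default=None)
    return category, findings


if __name__ == "__main__":
    category, findings = classify_response(SAMPLE_RESPONSE)
    print("DATA CATEGORY:", category)
    for path, entity, level in findings:
        print(f"  {path}: {entity} ({level})")
```

Because the endpoint's category is the maximum over all fields, a single card number in an otherwise low-sensitivity response is enough to mark the endpoint High, which is the behaviour an administrator wants when deciding which endpoints need the strictest policies. A production classifier would also need to handle encoded or nested payloads and would use far more precise entity recognition than these regular expressions.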