Discover APIs

Introduction 

 

API Security Policies play a crucial role in safeguarding the communication between systems and ensuring that APIs are properly managed and protected. These policies are particularly important once a website has been onboarded and successfully accessed, as they provide a framework for discovering, securing, and monitoring APIs.  

In this document, we will explore how API Security Policies facilitate the discovery of APIs.  

  • Navigate to Applications & Groups.
  • Select an API site from the All Domains drop-down.
  • Go to the Discovered APIs section.

 

Discovery Summary 

The summary shows the total APIs discovered, total approved APIs, APIs waiting for review, and Sensitive APIs. 

APIs that have one or more tags assigned are counted as Sensitive APIs.

An API is marked as Modified when any of its parameters are changed during a subsequent discovery. Once an API is in the Modified state, the user must review it and update its status to Approved. 
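As an added illustration, not the product's own code or data, the following Python sketch models how the summary figures and the Modified state can be derived from two discovery runs. The DiscoveredApi model, the sample endpoints, and the rule that a Modified API counts as waiting for review are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredApi:
    """One row of the Discovered APIs table (constructed model, not the product's schema)."""
    path: str
    method: str
    params: frozenset                 # names of path/query/body parameters seen at discovery
    tags: frozenset = frozenset()     # PCI, PII or PHI; any tag makes the API Sensitive
    status: str = "Pending"           # Pending, Approved, Deprecated or Modified


def apply_rediscovery(inventory: dict, rediscovered: list) -> dict:
    """Merge a later discovery run into the inventory.

    Unknown endpoints enter as Pending. A known endpoint whose parameter set
    changed is set to Modified (its tags are kept) so that it must be reviewed
    and approved again; an unchanged endpoint keeps its current status."""
    updated = dict(inventory)
    for api in rediscovered:
        key = (api.method, api.path)
        known = updated.get(key)
        if known is None:
            updated[key] = api
        elif known.params != api.params:
            updated[key] = DiscoveredApi(api.path, api.method, api.params, known.tags, "Modified")
    return updated


def discovery_summary(inventory: dict) -> dict:
    """The four figures shown in the Discovery Summary.
    Assumption: Pending and Modified APIs are both 'waiting for review'."""
    apis = list(inventory.values())
    return {
        "total": len(apis),
        "approved": sum(a.status == "Approved" for a in apis),
        "waiting_review": sum(a.status in ("Pending", "Modified") for a in apis),
        "sensitive": sum(bool(a.tags) for a in apis),
    }


# Constructed sample data: the first run after the user approved two APIs, and a
# second run in which one approved API gained a parameter and a new API appeared.
FIRST_RUN = [
    DiscoveredApi("/users/{userId}", "GET", frozenset({"userId"}), frozenset({"PII"}), "Approved"),
    DiscoveredApi("/payments", "POST", frozenset({"card_number", "amount"}), frozenset({"PCI"}), "Approved"),
    DiscoveredApi("/search", "GET", frozenset({"query"})),
]
SECOND_RUN = [
    DiscoveredApi("/users/{userId}", "GET", frozenset({"userId", "include"}), frozenset({"PII"})),
    DiscoveredApi("/payments", "POST", frozenset({"card_number", "amount"}), frozenset({"PCI"})),
    DiscoveredApi("/search", "GET", frozenset({"query"})),
    DiscoveredApi("/health", "GET", frozenset()),
]


def build_inventory() -> dict:
    """Inventory after the second run has been merged into the first."""
    inventory = {(a.method, a.path): a for a in FIRST_RUN}
    return apply_rediscovery(inventory, SECOND_RUN)


if __name__ == "__main__":
    inv = build_inventory()
    for (method, path), api in sorted(inv.items()):
        print(f"{method:6} {path:18} {api.status:9} tags={sorted(api.tags)}")
    print(discovery_summary(inv))
```

After the merge, GET /users/{userId} is Modified because the include parameter appeared, /health is Pending, and the summary reports 4 total, 1 approved, 3 waiting for review and 2 sensitive.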

Discovered APIs  

This section shows the number of endpoints used and the remaining endpoint scan capacity. It also displays the name of the uploaded swagger file and the date and time of the last upload.

A search bar lets users search endpoints by name, type, and label.

Users can also filter the list by HTTP method, API type (Sensitive APIs and Authenticated APIs), and API status.

 

All the APIs discovered during onboarding are displayed in the table.

Parameter - Description

API - Displays the full URL or path of the API discovered during the onboarding process.

Discovered on - The date and time when the API was discovered.

Methods - The HTTP method (e.g., GET, POST, PUT, DELETE) indicates the type of requests that can be made to the API. If an API has two or more methods, the API is grouped by method.

Authenticated - Indicates whether authentication is required to access the API.

Tag - One or more of three tags:
  • PCI – Payment Card Information: payment cards, such as credit cards and debit cards.
  • PII – Personally Identifiable Information: a broad range of personal information.
  • PHI – Protected Health Information: health-related data.

Status - When an API is discovered, its status is Pending. Customers change the status to Deprecated or Approved from the Configure menu.

Action - Allows customers to configure the API policies.

 

Configure Discover Policy 

Click the Configure button in the API Discovery table.

There are three different sections:

  1. General 
  2. Details 
  3. Policy Enforcement 

General: Once the parameters are set, click Save to apply the changes.

Parameter - Description

Endpoint - Displays the endpoint name; it cannot be edited.

Status - Sets the status to Approved or Blocked. If the status is set to Approved, the user must select the appropriate actions in the Policy Enforcement section.

Auth required - A drop-down menu for the user to set YES or NO, i.e. whether authentication is required to access the API.

Tags - A user can add multiple tags:
  • Click the + icon to add a tag.
  • The edit icon lets the user edit a tag.
  • Use the delete icon to remove a tag.

Details: This section displays the parameters used in the API, such as query, path, and body parameters, together with the HTTP methods used to call the API.

Users can click any of the identified methods to see its parameters.
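The following Python example, added here and not part of the product, shows what the Details section and the upload summary derive from a swagger file: it reads a constructed OpenAPI 3 document and lists, per method, the path, query, and body parameters of each endpoint. The sample document and the assumption that each method-plus-path pair counts as one endpoint against the scan capacity are constructed for this example.

```python
import json

# Constructed OpenAPI 3 document standing in for an uploaded swagger file (not a real customer file).
SWAGGER_JSON = """
{
  "openapi": "3.0.0",
  "paths": {
    "/users/{userId}/posts": {
      "parameters": [{"name": "userId", "in": "path", "required": true}],
      "get": {
        "parameters": [{"name": "limit", "in": "query", "required": false}]
      },
      "post": {
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {"properties": {"title": {"type": "string"}, "body": {"type": "string"}}}
            }
          }
        }
      }
    },
    "/search": {
      "get": {
        "parameters": [{"name": "query", "in": "query", "required": true}]
      }
    }
  }
}
"""

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def endpoint_details(spec: dict) -> dict:
    """Return {(METHOD, path): {"path": [...], "query": [...], "body": [...]}}.

    Path-level parameters apply to every method under that path; an operation
    may add or override them by name, as the OpenAPI specification defines."""
    details = {}
    for path, item in spec.get("paths", {}).items():
        shared = {p["name"]: p for p in item.get("parameters", [])}
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            params = dict(shared)
            params.update({p["name"]: p for p in op.get("parameters", [])})
            body = []
            for media in op.get("requestBody", {}).get("content", {}).values():
                body.extend(media.get("schema", {}).get("properties", {}).keys())
            details[(method.upper(), path)] = {
                "path": sorted(n for n, p in params.items() if p["in"] == "path"),
                "query": sorted(n for n, p in params.items() if p["in"] == "query"),
                "body": sorted(body),
            }
    return details


def parse_swagger(text: str = SWAGGER_JSON) -> dict:
    """Parse the swagger text and return the per-method parameter details."""
    return endpoint_details(json.loads(text))


def endpoint_count(text: str = SWAGGER_JSON) -> int:
    """Number of method-plus-path pairs (assumed to be what the upload summary
    counts against the remaining scan capacity)."""
    return len(parse_swagger(text))


if __name__ == "__main__":
    for (method, path), info in sorted(parse_swagger().items()):
        print(f"{method:5} {path:24} path={info['path']} query={info['query']} body={info['body']}")
    print("endpoints used:", endpoint_count())
```

The constructed file yields three endpoints: GET and POST on /users/{userId}/posts (both inheriting the userId path parameter, with limit as a query parameter on GET and title and body as body fields on POST) and GET /search with the query parameter.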

Policy Enforcement: This section applies when the user sets the API status to Approved, which means the API is approved for use and confirmed to meet the security and operational standards.

Five options are given for the positive security model. The positive security model is applied to the API according to the options selected.

  1. Block this API - When the user selects Block All Requests For This API, the system disables the positive security model for the API and blocks all access to the API.
  2. Block new methods - When the user selects this option, the system disables the positive security model for all new methods of the same API.
  3. Enforce path parameters - The positive security model is applied only when the endpoint contains path parameters. Example: GET /users/{userId}/posts
  4. Enforce query parameters - The positive security model is applied when the endpoint contains query parameters. Example: GET /search?query=shoes
  5. Enforce body parameters - The positive security model is applied when the API contains body parameters. Example: name, email, password
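The five options above amount to a whitelist check on each incoming request. The following Python example, added here and not the product's implementation, encodes an assumed approved definition for GET and POST on /users/{userId}/posts and applies the five options to sample requests. The configuration shape, the option keys, and the reading of each option (unknown methods, path shapes, query parameters, or body fields are rejected when the corresponding option is on) are assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed approved definition for one discovered API (assumed shape, not the product's format).
# Each method lists the query parameter names and body field names that were approved.
APPROVED_API = {
    "path_template": "/users/{userId}/posts",
    "methods": {
        "GET": {"query": {"limit"}, "body": set()},
        "POST": {"query": set(), "body": {"title", "body"}},
    },
}

# The five Policy Enforcement options, modelled as booleans (assumed names).
POLICY = {
    "block_all": False,          # 1. Block all requests for this API
    "block_new_methods": True,   # 2. Block methods not in the approved definition
    "enforce_path": True,        # 3. Enforce path parameters
    "enforce_query": True,       # 4. Enforce query parameters
    "enforce_body": True,        # 5. Enforce body parameters
}


def template_regex(template: str) -> re.Pattern:
    """Turn "/users/{userId}/posts" into a regex in which each placeholder is exactly
    one non-empty path segment, so extra or missing segments do not match."""
    parts = re.split(r"\{(\w+)\}", template)   # literal, name, literal, name, ...
    pattern = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^/]+)"
                      for i, p in enumerate(parts))
    return re.compile(pattern)


def evaluate(method, url, body_fields=(), api=APPROVED_API, policy=POLICY):
    """Return ("allow" | "block", reason) for one request already routed to this API."""
    if policy["block_all"]:
        return "block", "all requests for this API are blocked"
    rule = api["methods"].get(method.upper())
    if rule is None:
        if policy["block_new_methods"]:
            return "block", f"{method.upper()} is not an approved method for this API"
        return "allow", f"{method.upper()} is not covered by the positive security model"
    parts = urlsplit(url)
    if policy["enforce_path"] and template_regex(api["path_template"]).fullmatch(parts.path) is None:
        return "block", "path does not match the approved template"
    if policy["enforce_query"]:
        unknown = set(parse_qs(parts.query, keep_blank_values=True)) - rule["query"]
        if unknown:
            return "block", f"unexpected query parameters: {sorted(unknown)}"
    if policy["enforce_body"]:
        unknown = set(body_fields) - rule["body"]
        if unknown:
            return "block", f"unexpected body fields: {sorted(unknown)}"
    return "allow", "request conforms to the approved definition"


if __name__ == "__main__":
    # Constructed sample requests, each exercising one of the options.
    samples = [
        ("GET", "/users/42/posts?limit=10", ()),
        ("GET", "/users/42/posts?limit=10&debug=1", ()),
        ("GET", "/users/42/posts/extra", ()),
        ("POST", "/users/42/posts", {"title", "body", "role"}),
        ("DELETE", "/users/42/posts", ()),
    ]
    for method, url, body in samples:
        print(method, url, sorted(body), "->", evaluate(method, url, body))
```

Only the first sample is allowed; the others are blocked for an unexpected query parameter, a path that does not fit the template, an unexpected body field, and a method that was not approved. Turning block_new_methods off lets the DELETE request through untouched by the positive model, and turning block_all on blocks every request regardless of the other four options.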

 

Upload APIs 

  • Click Upload APIs.
  • A pop-up opens to upload a swagger file.
  • Once the file is added, click Upload.

 

  • After the file uploads successfully, the system displays the file's information, including the number of endpoints used, the remaining endpoints for scanning, the file name, and the upload date and time. 

 

Download APIs 

Users can download a single API, multiple APIs, or all APIs using the checkboxes.

When a user selects the checkbox of a specific API or selects all APIs, the Download APIs option appears at the bottom.

Users can also approve or block specific or multiple APIs by selecting their checkboxes.

 

Enable/Disable APIs 

  • Navigate to WAAP Policies > List of Rules & Policies > API.
  • A table displays the approved and deprecated policies.
  • This section allows users to enable or disable the positive security model for an API.
  • Click the checkbox of the specific API to enable or disable the security model.
  • A confirmation pop-up appears. Click Confirm.

 

Approve Deprecated APIs 

  • Download the API file.
  • Open the API file in any text editor.
  • Set the deprecated field to false.
  • Save the API file.
  • Re-upload the saved file.
  • The APIs will be approved automatically.

 

 
