August 22, 2022

Last Updated on January 19, 2024

The move from traditional web applications with 3-tier (client-server-database) architectures to today’s API-first apps has cancelled out traditional sources of app security data, such as Apache logs. In their place are disruptive new paths to “observability” of API-first apps, such as continuous API scanning.

How does continuous API scanning work? What data does it rely on? And how does it reveal potential threats?

To uncover the leading edge of API-first application security, a recent episode of The Virtual CISO Podcast features Rob Dickinson, CTO at Resurface Labs. The podcast is hosted as usual by John Verry, Pivot Point Security CISO and Managing Partner.

Picture a Wireshark swimming in a data lake…

Think of Resurface Labs’ continuous API scanning solution as akin to “Wireshark for APIs.” It has a Wireshark-like ability to gather and index data to help security teams understand what they’re looking at. But instead of dealing with very limited quantities of data, Resurface works against a data lake.

“Think of Resurface as a big data version of Wireshark,” quips Rob. “We’re not just collecting the transactions that you’re doing for testing. We’re collecting all the transactions that happen in the production environment and creating a searchable database out of all that data. The continuous scanning is basically about automatically searching that codex of information for known problems that the organization should be paying attention to, and raising red flags and driving the automation flows then around those things.”

Somewhat like a specialized SIEM solution, Resurface records real-time data about what’s occurring with the API calls, then applies various rules to it. If a pattern surfaces that could mean an attack, alarms are automatically raised or other intelligent actions taken.

An on-premises solution eliminates third-party data transfers

Another parallel between Resurface and Wireshark is that both are on-premises solutions.

“Wireshark is a piece of software that you control, that you install and run on your own equipment, and you control the data going in and out of it,” explains Rob. “That’s also true with Resurface. We are the only first-party API security vendor out there right now. We’re not a SaaS.”

Say you’re running your API-first app on AWS. It’s easy to install Resurface on AWS alongside the APIs that you’re running. Resurface handles all the automation through Kubernetes and Helm. You’re not sending your data to Resurface to be analyzed. That obviates a lot of security and regulatory concerns.

“Having to go through that third-party data transfer is a huge no-no for a lot of the folks that we work with,” discloses Rob.

Mixing standard and custom attack signatures

A strength of Resurface is that it offers out-of-the-box attack profiles plus the ability to add custom attack profiles. This includes a degree of group-sourced best practices.

“We have a library of signatures that we provide out of the box, both to help drive a minimum standard of care, but also to demonstrate what the platform can do,” notes Rob. “The OWASP rules are a great place to start, but I know what my API is supposed to be doing. So, can I enforce more specific policies about what I know that my clients should be doing?”

That ability to create custom signatures on the fly without custom programming and without having to go back to Resurface has been a focal point. So is extending the built-in signature set.

“With Resurface, we’re doing that kind of analysis completely asynchronously to the application, completely asynchronously to the API and the calls that it’s making,” Rob offers. “So, if I only had perimeter security available to me, I would have to express that as a rule on the firewall and I would pay a performance penalty for doing that. The more of those rules I add, the more processing my firewall has to do, and the slower it gets.”

“How much of a performance penalty are you willing to pay on the WAF?” Rob relates. “What kinds of inspections are you really looking to do on the WAF? You need that immediate level of interception. Shut that session off! Versus how much of that can you do asynchronously where you’re really driving a workflow that’s more about hardening the API or improving the quality of the system rather than just about attenuating the user session?”

Resurface wants to open up that second “swim lane” around being able to do all different kinds of both out-of-the-box and custom inspections on the continuous API scanning traffic without introducing any performance penalty or any latency on the transactions themselves.

In other words, Resurface isn’t intrusion protection. It’s providing critical data that DevOps teams can use to optimize their API security.

“We are a surveillance camera,” analogizes Rob. “We can’t interfere with the burglars, but we can watch the burglars and we can ring the alarm bell.”

What’s next?

To catch the complete podcast episode with Rob Dickinson.

Does your org have an overall strategy for attack surface management? Here’s a great podcast on that topic: EP#88 – Michelangelo Sidagni – Understanding Attack Surface Management and how it applies to your cyber security strategy