The Logging And Monitoring Challenge (with Anuprita Patankar)

00:00

welcome back to API kitchen where we

00:02

cook up secure API I'm confident stely

00:05

your Chef the cuisine in this unique

00:07

kitchen today we're diving into a

00:10

critical but often overlooked area of

00:12

API management logging and monitoring

00:15

think of it as the seasoning that brings

00:17

out the best in our API dishes so let's

00:20

get cooking step one sifting through

00:23

Matrix our recipe starts by selecting

00:26

the finest Matrix to measure picture a

00:28

chef choosing the best ingredients

00:31

that's what we do in our API kitchen we

00:34

look for failed authentication attempts

00:37

the rate of successful logins the

00:39

zestiness of our API response times the

00:42

mix of HTTP status codes the dash of

00:46

invalid input rates and the pinch of

00:48

error responses but we don't stop there

00:51

we also measure data exfiltration

00:54

attempts rate limiting violations API

00:57

key usage pattern Access Control

00:59

violation security token usage and API

01:02

endpoint activity step two cooking with

01:05

logs every Chef keeps a log book and so

01:08

do we but ours logs more than just

01:11

recipes we track the when with recipe

01:14

date and time stance and where of each

01:18

API call and The Who Behind every

01:21

request we're making a digital bread

01:23

crumb Trail to trace any unexpected

01:25

flavors back to their Source step three

01:29

see reing with security objectives now

01:32

let's sprinkle in some security

01:34

objectives we are not just collecting

01:36

Matrix for the sake of it we're using

01:39

them to whip up alert for suspicious

01:42

authentication activity to tear our way

01:44

to identifying normal user behavior and

01:47

anomalies that we seim down our service

01:50

delivery to a perfectly timed response

01:52

and roast out any potential attacks that

01:56

come with sudden spikes in traffic we

01:58

are basting our API guys with proactive

02:01

vigilance those HTTP status codes like

02:03

401 403 and

02:06

500 I tell you they are not just numbers

02:10

they are smoke signals warning us of

02:12

potential security fires step four

02:15

presentation is everything in the

02:18

kitchen presentation is everything and

02:21

in a digital kitchen it's no different

02:24

our logs are meticulously garnished with

02:26

all the necessary details ensuring that

02:29

we can serve up accountability and

02:31

traceability on a silver platter but

02:34

this is a meal That Never Ends the world

02:37

of API security is a buffet of evolving

02:39

threats and new recipes for protection

02:42

our mission is to stay hungry for

02:44

knowledge and fist on the latest

02:46

security best practices our guests will

02:49

be joining us today at the virtual

02:51

kitchen so let's go hear what they have

02:53

to say about fixing this security issue

02:56

is a product and API security subject

02:59

matter expert and she will be answering

03:02

and just discussing with me about very

03:04

strong issues around logging and

03:06

monitoring welcome Anita thank you

03:09

confidence I'm excited to be part of

03:11

this session thank you so much we we

03:14

cook secure API here you ready in the

03:16

API

03:18

kitchen great okay so my first question

03:21

is how significant do you believe loggin

03:24

and monitoring are in API management

03:27

based on your experience and I'd like

03:30

you to please describe some of the most

03:32

typical mistakes that businesses make

03:35

when it comes to API login and

03:37

monitoring mm yeah for sure so I believe

03:40

logging and monitoring plays an

03:43

extremely important uh role in API

03:46

management as well as in Secure sdlc uh

03:49

because it not only focuses on the

03:52

security aspect of it but also the with

03:55

with the performance and availability

03:57

aspect of the apis uh which are crucial

04:00

to gain customers trust and in the

04:03

success of most businesses and talking

04:05

about the most typical mistakes uh that

04:08

businesses make is number one logging

04:12

too much or too little so most

04:15

organizations are unaware of the

04:17

importance of logs and end up logging

04:20

everything including the sensitive data

04:23

and the pii or sometimes logged

04:26

information is too little that the log

04:29

are not useful in any way and knowing

04:32

exactly what to log helps in meeting

04:35

compliance and audit requirements as

04:37

well as help in forensic investigations

04:41

and um at the time of uh security

04:44

incidents it is similar as to having a

04:48

right amount of ingredients to to make a

04:51

perfect recipe and the second part is

04:54

that not using monitoring mechanism to

04:58

discover forgotten or zombie IPS so most

05:01

of the zombie IPS are always deprecated

05:04

or never documented IPS which are highly

05:07

susceptible to cyber attacks due to the

05:10

lack of security features configured on

05:12

it it should be an organization's atmost

05:15

priority to monitor these end points uh

05:19

for abnormal API usage and log any

05:22

suspicious activity which could be an

05:24

attack that's such a comprehensive

05:26

response and I absolutely loved how you

05:28

tied in properly to even just gaining

05:32

trust because that's the fundamental

05:34

element right just gaining trust and and

05:36

that's what helps business and that's

05:38

how security does enable the business

05:40

because when you gain trust uh your

05:42

customers feel better about your product

05:44

and then you get more customers or you

05:45

retain those you already have so thank

05:47

you so much for making that relationship

05:50

my last question is um what is one on

05:53

utilized API security best practice

05:56

something that you consider the salt of

05:59

the earth

06:00

a basic yet effective factor that can

06:03

greatly improve an organization security

06:06

posture yeah so the one API security bre

06:10

best practice uh that is still

06:13

underutilized in many organizations is

06:16

having a proper authentication and

06:19

authorization and uh on the apis that

06:22

involves sensitive data or endpoints

06:25

that require proper

06:27

authentication and for this uh

06:29

organizations can use oo open ID and jot

06:34

tokens which are also known as Json web

06:37

tokens uh to Define access control and

06:40

determine which users or devices or even

06:44

roles um can access specific endpoints

06:47

by following the zero trust security

06:50

model uh this also helps in restricting

06:52

third party access to internal systems

06:56

and though these all these concepts are

06:59

are different but they help to build a

07:02

proper security if they are intertwined

07:05

together just add a just like adding a

07:09

like many different uh ingredients and

07:11

spices together to make a perfect recipe

07:14

thank you so much for joining us today

07:17

at the virtual kitchen remember chefs in

07:20

the API kitchen our ingredients are

07:23

secure code our spices are Vigilant and

07:27

our final dish is cyber resilient apis

07:30

keep your API Pantry stoed with these

07:33

robust logging and monitoring strategies

07:36

and you'll be serving up secure digital

07:38

experiences with confidence and that's

07:41

how you secure an API in our kitchen in

07:44

the coming episodes we'll be discussing

07:46

even more API security issues and

07:48

working you through how to solve them

07:51

remember to subscribe to C TV and hit

07:54

that notification Bell so you won't miss

07:56

out on new episodes of API Kain showing

07:59

each

08:00

Thursday until then keep your kitchen

08:02

clean your code cleaner and your apis

08:11

secure