APIs (Application Programming Interfaces) have become the backbone of modern applications, enabling seamless communication and data exchange between different systems and platforms. With the increasing reliance on APIs comes the need for proper security measures to protect sensitive information and prevent unauthorized access.
A convenient point to apply API security is within API Gateways. An API Gateway is a server that acts as a reverse proxy for API requests from clients to backend services. Its main purpose is to route API requests, as well as to provide features such as authentication, rate limiting, monitoring, and caching.
In modern microservice architectures, API Gateways are often used to manage and route requests to multiple backend services, allowing the backend services to evolve and scale independently. This can lead to a more flexible, scalable, and manageable architecture, as well as a better developer experience for consuming APIs.
API security can help to protect sensitive information and to prevent unauthorized access to your backend services. It can also prevent data breaches, data theft, and malicious attacks, which can result in significant financial losses and damage to your organization's reputation. Therefore, it’s essential to add to your API a further layer of protection and integrate it with a dedicated tool that can prevent zero-day and OWASP-Top-10 attacks.
Applying the “Separation of Concerns” principle, typically the scope of action for each of the layers would be as follows:
API Gateway:
Application & User Authentication (Basic Authentication, API Key, OAuth/OIDC, LDAP, etc.)
Access control (ACLs, JWT scopes, etc.)
Encryption tunnels with digital certificate exchange (mTLS)
Cross-origin resource sharing (CORS).
Rate limiting & caching.
API security:
Network Threat Prevention (SQL Injection, Path Traversal, Cross-Side Scripting (XSS), XXE, Command Execution and more). Note: What’s typically missing in most solutions is preemptive zero-day attack prevention.
OWASP Top10 Protection (Injections, IDOR (Insecure direct object references), and more).
API structure awareness.
Malicious traffic sources (Tor actor, blocking countries, etc.)
API abuse and misuse.
And more…
One of the most popular and advanced API Gateways is Kong. In this article, we will present open-appsec API security and zero-day attack protection as a seamless plug-in to Kong API Gateway.
open-appsec
open-appsec is an open-source Web Application & API Security solution, available at GitHub, which provides automatic security using machine learning. It has proven multiple times to effectively protect against zero-day and OWASP-TOP-10 attacks, as it is not depending on any signatures but uses contextual machine learning instead.
open-appsec reduces the administrative effort as well as the amount of false positives significantly while providing stronger protection even for unknown attacks. open-appsec supports all typical deployment platforms like VMs, Kubernetes, and Docker and integrates with Kong, and other web proxies and ingress controllers for K8s.
As signatures for new attacks by design can only be created after new attacks have been published, a WAF solution that relies solely on signatures will never protect preemptively (in advance) against zero-day attacks. This is especially important as a vulnerability usually exists for a long time within the affected code of a software or a library, before the first public disclosure of a corresponding CVE record describing it.
The following timeline visualizes the three relevant phases related to the ‘Vulnerability Window’:
open-appsec's Machine Learning-based approach can solve this challenge and provide true preemptive protection against zero-day attacks while functioning independently of any signature updates and keeping false positives to a minimum level. open-appsec’s automatic machine learning engine continuously analyzes HTTP/S requests to Websites or APIs. Incoming HTTP requests are evaluated against two machine-learning models:
a supervised model that was trained offline with millions of malicious and benign requests.
a non-supervised model that is built in real-time in the protected environment and is specific to its traffic patterns.
Contextual analysis includes the application’s structure and how users interact with its content, in order to automatically stop and block malicious requests and bad actors.
In parallel to the ML engine, open-appsec provides additional security capabilities. To name a few, IPS engine with Snort support, behavioral AntiBot protection (in Premium edition), and a huge collection of cloud IOCs for blocking malicious IPs, Anonymizers, and Tor (in Enterprise edition).
Kong Gateway
Kong Gateway is a popular, cloud-native, platform-agnostic, scalable open-source API gateway and microservices management platform. It can be used to handle traffic management, authentication, and authorization for microservices. Kong Gateway can simplify scaling microservices by being the abstraction layer that routes users to the application’s existing upstream service while building a new service.
It also applies a common policy for each request and response, no matter where the target service is. The benefit of this is that you gain architectural freedom and modernize your application without impacting your clients.
Kong Gateway also provides features such as rate limiting to prevent abuse and ensure that the API remains available and responsive to legitimate users, caching and request/response transformations, acting as a reverse proxy, and can further be used to monitor and analyze the performance of your microservices. Kong's functionality can be further extended by adding plugins. It can be easily deployed on-premises or in the cloud based on VMs, K8s, or Docker.
In addition, being an open-source platform, Kong has a large and active community of developers who contribute to its development and support.
open-appsec for Kong Gateway
We are excited to update that open-appsec now supports Kong Gateway (community/open-source as well as Enterprise edition) to provide Kong users effective, integrated, and effortless security which covers fully preemptive protection against sophisticated zero-day and OWASP-Top-10 attacks, like the recent Log4Shell attacks.
In addition, it provides strong protection for many common attack categories like SQL Injection, Path Traversal, Cross-Side Scripting (XSS), XXE, Command Execution, and many more. In addition, it provides Schema Enforcement capabilities for APIs.
open-appsec is fully integrated, supports full traffic inspection with TLS termination configured on Kong Gateway, and also eliminates the ‘Vulnerability Window’. It is an enterprise-grade solution that also offers Premium and Enterprise tiers in case e.g. a specific support level is required.
Deployment of open-appsec for Kong Gateway
open-appsec can be integrated with Kong easily and flexibly in each of the below deployment scenarios. Hereby the Kong gateway always gets enhanced with an attachment module that forwards traffic for inspection and security decision-making to open-appsec.
Note that the following diagrams show basic embedded deployment options of Kong, you can check Kong docs for more advanced deployment types like separation of data plane and control plane (Kong Docs).
Deploying Kong with open-appsec security in Kubernetes A helm chart is offered which is always built upon the latest available Kong helm chart enhanced with open-appsec running as a plugin within each Kong pod. You can customize the helm chart exactly the same way as the original Kong helm chart, but you will get the additional benefit of the advanced, preemptive, ML-based protection capabilities that open-appsec provides. This helm chart also contains an easy option allowing you to switch between deployment with/without open-appsec.
Deploying Kong with open-appsec security on a virtual machine When you have a running Kong environment you can easily add open-appsec to get advanced, preemptive, ML-based protection capabilities for your Kong Gateways. You just need to run a simple command which will automatically detect your already-deployed Kong Gateway details and add open-appsec automatically as a plugin to it.
Deploying Kong with open-appsec security on Docker If you are using Docker as your deployment platform for Kong Gateway, adding open-appsec on top of it, is easy as well. To do that, you need to deploy two containers: a Kong for open-appsec container and an open-appsec agent container. We will provide you with open-appsec-enhanced Kong container versions, for Kong Gateway (available for the latest Kong open-source as well as enterprise container). It's basically the same container as the original Kong Gateway container with an added plugin for sending traffic to a separate open-appsec-agent container, which we also provide.
You will find the full ‘Getting Started’ deployment details for all the above scenarios here.
Flexible, agile management options
open-appsec lets you decide about your desired management style:
DevOps and DevSecOps engineers will typically prefer the local declarative management option provided by open-appsec. In K8s this is based on CRDs and annotations, while for regular deployments on e.g. VMs and for Docker containers a declarative configuration file can be used.
Alternatively, also a comfortable WebUI (SaaS service) is offered, that can be used to centrally manage open-appsec for Kong alongside other open-appsec deployments (e.g. securing ingress controllers or proxies). The WebUI provides additional values like central monitoring, reporting, configuration, etc.
As some might prefer the local, declarative management style but also want to benefit from the granular and comfortable visibility that the central WebUI offers, a "hybrid-mode" management option was recently added that allows connecting local management environments to the WebUI (for visibility only), combining the best of both worlds.
Want to test open-appsec for Kong?
Several virtual hands-on lab environments are available, which give you e.g., a Kubernetes cluster or a VM for open-appsec deployment ready at the tip of your fingers. Walking through each of those Playground will take just a couple of minutes. Check it out here.
Alternatively, just follow the 'Getting Started’ guides available in our documentation for the deployment method of your choice.
Thanks very much for the Kong team for you collaboration!
