Imperva Cyber Community

  • 1.  API Security Questions

     
    Posted 11-05-2020 09:35
    Hi, a few questions about API Security:

    1. What kind of API protection do we get by default without API Security module enabled?

    2. Gartner MQ 2020 states: "Imperva offers comprehensive API security, including DDoS protections and the ability to parse JSON and XML, websockets, webhooks, GraphQL, gRPC and server-side events (SSE)" - Do these require "API Security" enabled? And is there a reference doc which describes this functionality and all the supported protocols?

    Thank you




    #APISecurity
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Max
    ------------------------------


  • 2.  RE: API Security Questions

    Posted 11-05-2020 10:02
    @Max X,

    Thanks for the post! I am trying to get you some good answers to your questions here, but in the meantime, take a look at a few things that I think you will find helpful.

    @Peter Klimek hosted a couple of webinars on the topic and covered Imperva API Security in depth. 
    1. Introduction to Imperva API Security: Community Webinar - This webinar is focused on helping security professionals better understand APIs, the unique challenges of securing APIs, and most importantly, how to identify and address common weaknesses in APIs. 
    2. Securing API's Part 2 Mitigating Input Validation Vulnerabilities Community Webinar - This webinar will explore in depth how APIs are susceptible to Mass Assignment and Injection attacks, OWASP API Top 10 #6 & #8 respectively. We will walk through the vulnerabilities with code examples, demonstrate live attacks, and finally walk through the mitigations that security practitioners can apply to prevent and stop these attacks from occurring.

    Community Blogs that could be helpful: 
    Enforcing API Schema Specifications in Imperva
    Creating Custom Error Responses for APIs




    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 3.  RE: API Security Questions

    Posted 11-05-2020 11:16
    @Max X 
    Here is another answer I received from one of our experts: "An API is an automated process that looks and smells like a BOT - in most cases it must be whitelisted w/o API protection."



    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 4.  RE: API Security Questions

     
    Posted 11-05-2020 13:41
    Edited by Max X 11-05-2020 13:42
    Thank you Christopher, I am closely familiar with the links above.

    As to the response from the experts - I think it is aimed at answering Q1. Is the way to interpret it: "API projects have zero benefit from being placed behind Imperva Cloud WAF w/o API Security enabled? In fact, there could be harm/interference via Imperva's Bot Protection"?
    And what about Q2: Gartner MQ 2020 states - "Imperva offers comprehensive API security, including DDoS protections and the ability to parse JSON and XML, websockets, webhooks, GraphQL, gRPC and server-side events (SSE)" - Do these require "API Security" enabled? And is there a reference doc which describes this functionality and all the supported protocols?

    ------------------------------
    Max
    ------------------------------



  • 5.  RE: API Security Questions

    Posted 11-05-2020 15:45
    Hi Max,
    By default, Cloud WAF will automatically parse and protect JSON (REST/GraphQL), XML (Web Services), and Protobuf (gRPC) payloads without any additional configuration or features required.  This will apply any WAF rules (SQLi, XSS, Unauthorized Resource Access, etc.) or custom Rules and IP ACLs against those payloads automatically. 

    The API Security feature is designed to extend this functionality for REST API endpoints and will enforce the Swagger/OAS specification that is defined for the endpoint.  It's important to note that this subset of features is applicable to REST APIs only today; however, we're looking at expanding this further in the future to more broadly apply to GraphQL and gRPC services as well.

    Cheers,
    Peter

    ------------------------------
    Peter Klimek
    Principal Architect
    Imperva
    ------------------------------
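Peter's description of API Security as enforcing the endpoint's Swagger/OAS specification amounts to a positive security model: only what the spec declares is accepted. The following is an added, illustrative validator in Python, not Imperva's code and not how Cloud WAF implements it; the spec fragment, paths, parameter and property names are constructed for the example. It also shows why schema enforcement addresses the Mass Assignment weakness named in the webinar post above: a body property the spec does not declare (`is_admin` here) is rejected rather than passed to the backend.

```python
"""Minimal positive-security request validator against an OpenAPI-style spec.

Added example, not Imperva's code. The spec below is a constructed, trimmed
OAS 3 fragment for a hypothetical /users service; a real deployment would load
the full OpenAPI document for the endpoint.
"""
import json
import re

# Constructed spec fragment (hypothetical service), shaped like OAS 3.
SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "integer"}},
                    {"name": "verbose", "in": "query", "required": False,
                     "schema": {"type": "boolean"}},
                ]
            },
            "patch": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "required": ["email"],
                    "additionalProperties": False,   # blocks mass assignment
                    "properties": {
                        "email": {"type": "string", "maxLength": 254},
                        "display_name": {"type": "string", "maxLength": 64},
                    },
                }}}},
            },
        }
    }
}


def _match_path(spec_paths, path):
    """Return (template, path_params) for the first template matching path."""
    for template in spec_paths:
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        m = re.match(pattern, path)
        if m:
            return template, m.groupdict()
    return None, {}


def _check_scalar(value, schema):
    """Type-check a path/query parameter, which always arrives as a string."""
    t = schema.get("type")
    if t == "integer":
        return re.fullmatch(r"-?\d+", value) is not None
    if t == "boolean":
        return value in ("true", "false")
    if t == "string":
        return len(value) <= schema.get("maxLength", 10**9)
    return False


def _check_body(obj, schema):
    """Validate a decoded JSON body against a small subset of JSON Schema."""
    errors = []
    t = schema.get("type")
    if t == "object":
        if not isinstance(obj, dict):
            return ["body must be a JSON object"]
        for req in schema.get("required", []):
            if req not in obj:
                errors.append(f"missing required property '{req}'")
        props = schema.get("properties", {})
        for key, val in obj.items():
            if key not in props:
                if schema.get("additionalProperties", True) is False:
                    errors.append(f"undeclared property '{key}'")
                continue
            errors += [f"{key}: {e}" for e in _check_body(val, props[key])]
    elif t == "string":
        if not isinstance(obj, str):
            errors.append("expected string")
        elif len(obj) > schema.get("maxLength", 10**9):
            errors.append("string exceeds maxLength")
    elif t == "integer":
        if not isinstance(obj, int) or isinstance(obj, bool):
            errors.append("expected integer")
    return errors


def validate_request(method, path, query=None, body=None, spec=SPEC):
    """Return a list of violations; an empty list means the request conforms."""
    query = query or {}
    template, path_params = _match_path(spec["paths"], path)
    if template is None:
        return ["path not declared in spec"]
    op = spec["paths"][template].get(method.lower())
    if op is None:
        return [f"method {method.upper()} not declared for {template}"]
    errors = []
    declared = {(p["in"], p["name"]): p for p in op.get("parameters", [])}
    # Path and query parameters: required ones present, types match, no extras.
    for (loc, name), p in declared.items():
        source = path_params if loc == "path" else query
        if name not in source:
            if p.get("required"):
                errors.append(f"missing required {loc} parameter '{name}'")
            continue
        if not _check_scalar(source[name], p["schema"]):
            errors.append(f"{loc} parameter '{name}' fails type check")
    for name in query:
        if ("query", name) not in declared:
            errors.append(f"undeclared query parameter '{name}'")
    # Request body: only allowed where the spec declares one, and must conform.
    body_schema = (op.get("requestBody", {}).get("content", {})
                   .get("application/json", {}).get("schema"))
    if body is not None:
        if body_schema is None:
            errors.append("request body not allowed for this operation")
        else:
            try:
                decoded = json.loads(body)
            except ValueError:
                return errors + ["body is not valid JSON"]
            errors += _check_body(decoded, body_schema)
    elif body_schema is not None and op["requestBody"].get("required", False):
        errors.append("request body required")
    return errors


if __name__ == "__main__":
    # A request with a property the spec never declared is rejected.
    print(validate_request("PATCH", "/users/42",
                           body='{"email": "a@b.c", "is_admin": true}'))
```

A WAF-style enforcement point would run this before forwarding and block (or log) any request that yields a non-empty list; everything the spec does not describe, whether an extra query parameter, an undeclared method or an unexpected body property, fails closed.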



  • 6.  RE: API Security Questions

     
    Posted 11-05-2020 17:15
    Thank you Peter. And what about support for websockets, webhooks and server-side events (SSE)?

    ------------------------------
    Max
    ------------------------------