New insights into your API traffic are made available by leveraging data science and applying machine learning to data derived from your API traffic. To obtain such data, you need to tap into the network or obtain metadata indirectly from a source that has visibility into the API traffic, such as a gateway or load balancer.
Today, many organizations complain about a lack of visibility into all of their API traffic. APIs are published to different environments, often using different stacks with different technologies. Some APIs bypass API governance systems and practices altogether – rogue APIs. In other cases, APIs evolve and leave behind old forgotten versions that are still running and fall off the organization’s radar. These situations, singly or in combination, lead to visibility that is disjointed and has gaps.
The goal of Ping Identity’s specialized AI solution for API security, PingIntelligence for APIs, is to show all your API traffic, from all your environments, and we are constantly working on maximizing this reach by integrating with technologies that are most likely to be processing API traffic in the first place.
NGINX as a Collection Point for API Metadata
Being one of the two dominant web server technologies in use today, NGINX is privy to an impressive chunk of web traffic. The best web technologists reuse the same trusted core tools from project to project, and NGINX has built a reputation for being fast, powerful, and stable. It’s not surprising, then, that when web APIs became a popular technology pattern, NGINX became one of the common tools on top of which many core API management requirements became implemented, such as routing, rate limiting, authentication, and more. Not only does NGINX see a lot of web traffic, it sees a lot of web API traffic specifically.
The mechanism for extending NGINX is an important contributor to its enduring success. There is a rich set of open source and third‑party modules built for NGINX. Entire systems and platforms are built around NGINX as the core technology. We see NGINX as a strategic point of data collection when it comes to feeding API traffic metadata into PingIntelligence for APIs.
Integrating NGINX with PingIntelligence for APIs
Ping Identity has now released an NGINX integration for PingIntelligence for APIs. All interaction between NGINX and PingIntelligence for APIs goes through our API Security Enforcer (ASE) component, which acts as a sideband to NGINX rather than inserting itself into the API path. The ASE takes in API traffic metadata from NGINX and communicates back to the API traffic node about whether or not to block an API client.
The NGINX integration is composed of three separate modules:
- ngx_ase_integration_module.so – Provides a communication channel for the sideband ASE and is used by the other two modules.
- ngx_http_ase_integration_request_module.so – Installs an event handler in the
NGINX_HTTP_ACCESS_PHASEof NGINX processing; it collects the relevant metadata about the incoming API call and sends it to the ASE. The ASE returns the blacklist status of the API client. The actual analysis of the API metadata is out‑of‑band.
- ngx_http_ase_integration_response_module.so – Installs a response filter which correlates the API response metadata with the request, again for out‑of‑band analysis.
If you have a PingIntelligence for APIs subscription, you can download the modules from our website. We also offer a free trial of PingIntelligence for APIs. The download includes a script that adds the ASE configuration to the NGINX configuration, and the modules can be built and started in static or dynamic modes.
PingIntelligence for APIs Provides Detailed Analysis and Anomaly Detection
On its side, PingIntelligence for APIs itself requires little to no configuration; once the connection between NGINX and the ASE is established, PingIntelligence for APIs automatically receives API traffic metadata from the NGINX server. Your APIs are discovered and the history of your API traffic is preserved for later analysis. Dashboards and reports provide insights into your APIs and how your users are calling them, plus detailed forensics for each token and key used to access your APIs.
The AI Engine component starts a machine‑learning process to model API and user behaviors for each of the APIs. This modeling allows for the detection of anomalies and, when configured for it, PingIntelligence for APIs can instruct NGINX, via the ASE, to block a token or an IP address because it is predicted to be associated with an API attack or abuse.
Whether you use NGINX as a web server, an API gateway, or a load balancer, adding PingIntelligence for APIs to existing and new NGINX deployments lets you unlock advanced API insights and attack protection.
Ping Identity was a Gold sponsor at NGINX Conf 2019 and presented a breakout session on AI‑powered API cybersecurity for NGINX. We enjoyed meeting developers, operators, and architects looking to modernize their application delivery infrastructure, and look forwarding to discussing your use cases as well.