Kong and Wallarm Partner Up to Boost Microservices API Security

2017-04-11T17:08:02
ID WALLARMLAB:02B09B36D22F5A97E92E492FD78510C8
Type wallarmlab
Reporter Wallarm
Modified 2017-04-11T17:08:02

Description

Wallarm has partnered with Mashape to provide the microservices community with API security. Mashape enterprise customers who use the Kong API gateway can now quickly add API security protection without changes to their Kong deployment. Read more about the Kong and Wallarm partnership in this blog.

Today Kong is used in mission-critical deployments at small and large organizations.

  • Scalable: Kong easily scales horizontally by simply adding more machines, meaning your platform can handle virtually any load while keeping latency low.
  • Modular: Kong can be extended by adding new plugins, which are easily configured through a RESTful Admin API.
  • Runs on any infrastructure: Kong runs anywhere. You can deploy Kong in the cloud or on-premise environments, including single or multi-datacenter setups and for public, private or invite-only APIs.

With over 9,200 stars on GitHub, Kong is the most popular open-source API gateway and microservices management layer. Since both Kong and Wallarm are built on NGINX, a high-performance web server and load balancer, the combined solution works well for distributed and cloud applications where high availability, throughput, and flexible deployment models are required.

> “Kong always welcomes ecosystem partners to extend the current offering, more so around security”, said Marco Palladino, CTO of Mashape. “Wallarm is a perfect choice for continuous integration environments since it’s optimized for protection of frequently updated applications; also with its hybrid architecture their solution is uniquely suited for micro-services and Kong API management deployments.”

Since its inception, Wallarm has focused on providing security to modern web protocols. Wallarm excels in highly dynamic environments, where legacy WAFs that lack application context and rely on ACLs and signatures might fail.

These technology concepts translate very well to microservices security. Some of the inherent characteristics of microservices require a new security model:

  • Microservices, containers and the APIs between them are frequently inside the corporate perimeter, or follow a hybrid deployment model where some of the microservices are internal and some are in the cloud
  • Services running inside the containers may be developed by third parties and cannot always be trusted
  • Containers are dynamic: they can come up and get shut down quickly, with non-constant IP addresses
  • The model doesn’t map well to corporate security and compliance policies, because each application contains dozens of services, some of which are too generic to fall under compliance mandates on their own
  • Microservices are chatty: each north-south request generates a flurry of east-west API calls
  • Container-based development relies on CI/CD, which means the quick release cycle does not allow time for traditional security checks and balances
  • Many API protocols have a multi-layer nested (matryoshka) structure. One example is JSON inside Base64 encoding inside another JSON document. Parsing these protocols requires complex DPI analysis and manual tuning for every protocol and every individual API call or action.

Many of these concerns, such as border crossing, chattiness, isolation and security policies are alleviated through the use of API gateways, such as Mashape Kong. To address others, specialized security solutions are required.

Wallarm API security is ideally suited for microservices environments.

  • It figures out the microservice’s logic and payload boundaries from stateless HTTP traffic analysis, without access to the code inside the container
  • It discovers new containers as they come online and uses machine learning to create dynamic security rules instead of ACLs and signatures
  • It works well with CI/CD by updating security rules automatically and using vulnerability verification to cut down on noise and false positives
  • It learns and decodes all data formats, including nested “matryoshka” custom API protocols. Consider this example (XXE attacks inside an XML document that is itself inside a JSON document):
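A minimal decoder for the nested case just described (JSON wrapping a Base64 string wrapping JSON wrapping XML), added here as an illustration and not part of the original post or of Wallarm's product: it peels the layers recursively and reports the path of any XML leaf whose DOCTYPE declares an external entity. The sample payload, its field names and the `file:///placeholder` target are constructed.

```python
import base64
import json
import re

# Constructed sample (not real traffic): JSON -> base64 -> JSON -> XML whose DOCTYPE
# declares an external entity. The SYSTEM target is a placeholder, not a real path.
INNER_XML = ('<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM '
             '"file:///placeholder">]><order><note>&ext;</note></order>')
INNER_JSON = json.dumps({"format": "xml", "body": INNER_XML})
OUTER_JSON = json.dumps({"payload": base64.b64encode(INNER_JSON.encode()).decode()})

# DOCTYPE internal subset declaring an entity with an external (SYSTEM/PUBLIC) identifier.
XXE_PATTERN = re.compile(r"<!DOCTYPE[^>]*\[[^\]]*<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", re.I | re.S)


def _decode_layer(value):
    """Peel one layer off a string; returns ('json'|'xml'|'base64'|'text', inner)."""
    s = value.strip()
    if s[:1] in "{[":
        try:
            return "json", json.loads(s)
        except ValueError:
            pass
    if s.startswith("<"):
        return "xml", s
    if len(s) >= 8 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
            return "base64", base64.b64decode(s, validate=True).decode("utf-8")
        except ValueError:
            pass
    return "text", s


def unwrap(value, path="$", depth=0, max_depth=8):
    """Recursively unwrap dict/list/JSON/base64 layers; max_depth bounds hostile nesting."""
    if depth > max_depth:
        return []
    if isinstance(value, dict):
        return [f for k, v in value.items() for f in unwrap(v, f"{path}.{k}", depth + 1, max_depth)]
    if isinstance(value, list):
        return [f for i, v in enumerate(value) for f in unwrap(v, f"{path}[{i}]", depth + 1, max_depth)]
    if not isinstance(value, str):
        return []
    kind, inner = _decode_layer(value)
    if kind == "xml":
        return [(path, inner)]  # one (layer-by-layer path, xml text) entry per XML leaf
    return [] if kind == "text" else unwrap(inner, f"{path}<{kind}>", depth + 1, max_depth)


def find_xxe(body):
    """Paths of XML leaves, at any nesting depth, whose DOCTYPE declares an external entity."""
    return [path for path, xml in unwrap(body) if XXE_PATTERN.search(xml)]
```

The returned path (for example `$<json>.payload<base64><json>.body`) records every decoding step, which is what a gateway-side rule needs in order to block or log the request without a hand-written parser per API.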

Wallarm is excited to work with Mashape and we look forward to providing better security to Kong’s customers. To learn more about Wallarm and Kong Enterprise solutions, please contact us to set up a demo.

Kong and Wallarm Partner Up to Boost Microservices API Security was originally published in Wallarm on Medium.