APIDefender Platform Security

We employ a full suite of secure software development activities and controls. We carefully segment each of these technology layers via network and access controls. Within the code itself, our development team leverages as many of the security functions that are made available by the Java framework. Our code is tested via static analysis and black box scanning prior to being deployed to our production environment.

In addition to our secure development methodology, APIDefender deploys a number of controls to protect the confidentiality and integrity of our customers and their data. Some of these controls include but are not limited to:

 

  • Data at rest encrypted using AES 256
  • User passwords stored in one way salted hash
  • Centralized logging & alerting
  • All-network traffic encrypted via SSL and SSH
  • All application traffic over SSL/TLS
  • Three-tiered architecture/ compartmentalized & firewalled
Data Center Operations: Physical and Environmental Controls
We are proud to be an Amazon AWS partner. Consequently, APIDefender is able to leverage the built-in Amazon AWS infrastructure security as follows:

AWS Security Centre

The AWS cloud infrastructure has been architected to be one of the most exible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable solution that enables customers to deploy applications and data quickly and securely.

World-Class Protection

With the AWS cloud, not only are infrastructure headaches removed, but so are many of the security issues that come with them. AWS’s world-class, highly secure data centers utilize state-of-the art electronic surveillance and multi-factor access control systems. Data centers are staed 24×7 by trained security guards, and access is authorized strictly on a least privileged basis. Environmental systems are designed to minimize the impact of disruptions to operations. And multiple geographic regions and Availability Zones allow you to remain resilient in the face of most failure modes, including natural disasters or system failures. The AWS virtual infrastructure has been designed to provide optimum availability while ensuring complete customer privacy and segregation. For a complete list of all the security measures built into the core AWS cloud infrastructure, solutions, and services, please read our Overview of Security Processes whitepaper.

Built-in Security Features

Not only are your applications and data protected by highly secure facilities and infrastructure, but they’re also protected by extensive network and security monitoring systems. These systems provide basic but important security measures such as distributed denial of service (DDoS) protection and password brute-force detection on AWS Accounts. Additional security measures include:

  • Secure access – Customer access points, also called API endpoints, allow secure HTTP access (HTTPS) so that you can establish secure communication sessions with your AWS services using SSL.
  • Built-in firewalls – You can control how accessible your instances are by configuring built-in firewall rules – from totally public to completely private, or somewhere in between. And when your instances reside within a Virtual Private Cloud (VPC) subnet, you can control egress as well as ingress.
  • Unique users – The AWS Identity and Access Management (IAM) tool allows you to control the level of access your own users have to your AWS infrastructure services. With AWS IAM, each user can have unique security credentials, eliminating the need for shared passwords or keys and allowing the security best practices of role separation and least privilege.
  • Multi-factor authentication (MFA) – AWS provides built-in support for multi-factor authentication (MFA) for use with AWS Accounts as well as individual IAM user accounts.
  • Private Subnets – The AWS Virtual Private Cloud (VPC) service allows you to add another layer of network security to your instances by creating private subnets and even adding an IPsec VPN tunnel between your home network and your AWS VPC.
  • Encrypted data storage – Customers can have the data and objects they store in Amazon S3, Glacier,
    Redshift, and Oracle RDS encrypted automatically using Advanced Encryption Standard (AES) 256, a
    secure symmetric-key encryption standard using 256-bit encryption keys.
  • Dedicated connection option – The AWS Direct Connect service allows you to establish a dedicated network connection from your premise to AWS. Using industry standard 802.1q VLANs, this dedicated connection can be partitioned into multiple logical connections to enable you to access both public and private IP environments within your AWS cloud.
  • Isolated GovCloud – For customers who require additional measures in order to comply with US ITAR regulations, AWS provides an entirely separate region called AWS GovCloud (US) that provides an
    environment where customers can run ITAR-compliant applications, and provides special endpoints that utilize only FIPS 140-2 encryption.
  • Dedicated, hardware-based crypto key storage option – For customers who must use Hardware Security Module (HSM) appliances for cryptographic key storage, AWS CloudHSM provides a highly secure and convenient way to store and manage keys.
  • Trusted Advisor – Provided automatically when you sign up for premium support, the Trusted Advisor service is a convenient way for you to see where you could use a little more security. It monitors AWS resources and alerts you to security configuration gaps such as overly permissive access to certain EC2 instance ports and S3 storage buckets, minimal use of role segregation using IAM, and weak password policies.

Because the AWS cloud infrastructure provides so many built-in security features, you can simply focus on the security of your guest OS and applications. AWS security engineers and solution architects have developed whitepapers and operational checklists to help you select the best options for your needs and recommend security best practices, such as storing secret keys and passwords in a secure manner and rotating or changing them frequently.

APIDefender Design and Development
At APIDefender we take the security and privacy of your data very seriously. We make every eort to help ensure that your data stays protected whenever you use our products or services. The summarized list shown below are some of the key ways that our APIDefender service has been designed and developed to better protect your data

Design

  • Defense in Depth design
  • Secure Defaults design
  • Reduced Attack Surface design
  • Non-repudiation design
  • Automated data protection for data at rest
  • Automated data protection for data in transit
  • Automated data expiration and availability

Testing

  • Self-code review using expert manual techniques and automated code analysis tools
  • Automated functional and security test suite to help ensure high code quality and prevent regressions

Maintenance

  • Security patches deployed within 24-48 hours of public release and verfication testing
  • Regularly vulnerability scanning using proprietary, commercial and open-source tools
  • Full vulnerability management and remediation via APIDefender instance
  • Regularly scheduled self-penetration testing

Development

  • Standard FIPS-approved encryption algorithms and implementations
    • AES 256-bit for symmetric encryption processes
    • Variable-length RSA encryption for asymmetric encryption processes
    • SHA-512 for internal/core data integrity checking
  • Mandatory input validation for all untrusted inputs with a definable format, length, type and range.
    Otherwise, we mitigate risk with some other remediation depending on the risk (parameterized stored
    procedures, encoding, etc.)
  • Parameterized stored procedures for all calls to database backends
  • Data encoding for all untrusted inputs using standard libraries
  • Generic exception handling to help prevent information disclosure attacks
  • 100% managed code to reduce risk from common attacks associated with non-managed languages, such as buffer overflows
  • Anti-recovery techniques to help prevent malicious recovery of deleted data

Development

  • Least privilege deployment for both front and backend services
  • Reduced Attack Surface deployment
  • Generic exception handling to help prevent information disclosure attacks
  • Built-in solution protection, in addition to implementation controls to reduce risk from common web-based threats, such as cross-site scripting attacks (XSS) and cross-site request forgery (CSRF)
  • Automatic session expiration after a certain period of inactivity
  • Firewall that restricts network access to only the necessary ports