

Securing Your APIs Built in MuleSoft Through Noname Security

January 23, 2024


API security is at the forefront because of the ever-increasing reliance on digital connectivity and the widespread use of APIs (Application Programming Interfaces) in modern applications and systems. Companies are building APIs at an enormous scale to meet the needs of their customers, clients, and internal operations. This makes API security critical for your SDLC. Noname offers a wide range of services and is compatible with a number of gateways and technologies. This blog describes how to integrate Noname with MuleSoft in a seamless manner to secure APIs deployed in Mule.

Why is API Security Important?

Here are some compelling reasons why API security is a very important aspect of software development in today’s world and should not be treated as an afterthought.

  1. APIs facilitate the transfer of data between systems, which makes protection of data imperative.
  2. Security in APIs is also required to maintain data privacy and other guidelines to meet regulatory compliance.
  3. Security breaches through APIs can lead to financial losses as well as loss of trust among customers and partners affecting the company’s reputation.
  4. APIs are often the most vulnerable part of a software system and a frequent target of injection attacks.
  5. Mobile apps, cloud computing, IoT and the proliferation of digital channels have increased the attack surface of APIs.
  6. The rise in API complexity due to versioning, backward compatibility, authentication methods, and complex data types has increased the need for security.
  7. Emerging threats and continuous changes in the tech world need an expert system to take care of API security better than what human eyes can accomplish.

What is Noname?

Noname is an industry-grade API security platform that helps you proactively secure your environment against API security vulnerabilities, misconfigurations, and design flaws. It further protects your APIs from cyberattacks in real time with automated detection and response.

What is MuleSoft?

MuleSoft has coined the term iPaaS, or “Integration Platform as a Service,” providing a full suite of closely coupled applications that together form an end-to-end integration suite. Hosted in the cloud using AWS-based container technology, it is fully scalable and robust enough to manage any integration requirement.

In layman’s terms, MuleSoft lets you build APIs to connect your systems in an API-led manner, removing the need for point-to-point connectivity between systems.

Integrating MuleSoft with Noname Security

APIs deployed in MuleSoft are integrated with Noname through a policy that is generated in Noname and applied to Mule-based APIs. This policy generation is a one-time activity. The policy is added to MuleSoft and is then applied to one or many APIs. The policy lets Noname listen to the APIs, gauge the behavior of their usage, including which IPs access them and from which region, and their usage patterns. It gives access to Noname to investigate the request and response field types, which is further used to identify threats and their remediations.

Noname offers both SaaS and deployed versions of the software. It provides a web-based UI that can be used to configure Noname with any gateways or cloud providers. The process of integrating MuleSoft with Noname is described below:

Create the Profile and Policy

  1. Log in to your Noname instance using a browser. Go to the Marketplace tab in the Noname UI.


  2. Click on the MuleSoft icon displayed on the left. If it is grayed out, you might need your Noname admin to activate it for your subscription.
  3. This opens the Setup page. Enter the MuleSoft UUID, which you can get from the MuleSoft Anypoint Exchange (in the Access Management section), and click Next.


  4. On this page, download the Policy and click Next.


  5. Provide an Alias and click on the Finish button to save the integration for future use.


Apply the Policy in Mule

  1. Open Anypoint Exchange, go to API Manager and add the Custom Policy downloaded from Noname. Give it a unique name that clearly tells you later what the policy is for.
  2. Once added, the policy should be viewable in the Exchange tab.


  3. Now go to API Manager and click on the API to which you want to apply Noname Security. Go to the Policies tab in the left menu and click on Add Policy.
  4. Search for the name you gave the policy (for example, “Noname security”) and add it to the API by selecting the policy and clicking on the Next button.
  5. Once added, the API shows the Noname policy as applied, as shown below.

  6. You can always click on the three dots at the end of the box and enable, disable or delete the policy from this API.
  7. Once the policy is applied, Noname is ready to receive information and will start scanning the API for static as well as runtime security parameters and vulnerabilities.
  8. If you go back to the Exchange tab and look at the policy, it will also show the API name that is using this policy. This concludes the integration, and these APIs are visible to Noname for assessment.

Post Integration – Security Assessment and Analysis in Noname

When you go back to Noname, you should start seeing the API listed in the APIs section. Allow some time for the API stats to populate in Noname. Remember that it also looks at behavioral data and points out attacks if there are anomalies or changes in the regular usage of the API. The results build up over time in the Noname dashboard.

The Dashboard will give you a view of the vulnerabilities with respect to the OWASP top 10 API issues.

The Stats section provides API statistics with respect to security vulnerabilities, including a list of the data types used in the APIs that are prone to attack, along with other important details.

The APIs section provides the details and issues of the API that was integrated with Noname.

Lastly, the Issues section gives you the list of issues and advice on their remediation, as shown below.

There are other tabs like Attackers, Consumer, Data Types, Reports, etc. These are self-explanatory and provide information about the API and its usage for those factors.

The Integration tab on the left shows whether the integration with MuleSoft is active. A green indicator means that Noname is receiving active traffic. It also displays the total number of requests detected and analyzed to date on that API.

You can always use a tool like JMeter to send a burst of requests and kick off the security analysis in Noname during your development cycles, to catch issues early.
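As an added example (not from the original post or from Noname or MuleSoft), here is a small Python alternative to a JMeter burst: it POSTs a set of constructed order payloads concurrently at an API and tallies the response codes, so the Noname Integration tab has traffic to analyze. The Mule API is replaced by a constructed local stub so the script runs offline; the `/api/orders` path, the payload shape and the stub's validation rule are assumptions.

```python
import json
import threading
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def send_burst(base_url, path, payloads, workers=8):
    """POST every payload to base_url + path concurrently; return a tally of HTTP status codes."""
    def post_one(payload):
        req = Request(base_url + path, data=json.dumps(payload).encode(),
                      headers={"Content-Type": "application/json"}, method="POST")
        try:
            with urlopen(req, timeout=5) as resp:
                return resp.status
        except HTTPError as err:  # 4xx/5xx responses still count: Noname observes those too
            return err.code
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return Counter(pool.map(post_one, payloads))


def sample_payloads(n=40):
    """Constructed order-like bodies; every tenth one carries a negative amount the API rejects."""
    return [{"orderId": f"ORD-{i:04d}", "amount": -5.0 if i % 10 == 9 else 10.0 + i,
             "currency": "USD"} for i in range(n)]


class _StubMuleApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the Mule API (hypothetical): 200 for a valid order, else 400."""
    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        ok = isinstance(body.get("amount"), (int, float)) and body["amount"] > 0
        self.send_response(200 if ok else 400)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"accepted": ok}).encode())

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub():
    """Start the stub on an ephemeral localhost port in a daemon thread; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _StubMuleApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    # For a real run, replace start_stub() with the base URL of your Mule API (assumed).
    print(send_burst(start_stub(), "/api/orders", sample_payloads()))  # e.g. Counter({200: 36, 400: 4})
```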

Conclusion

Noname is a very powerful API security tool and its ability to integrate easily with gateways and cloud providers helps developers and architects build secure solutions. It integrates in a seamless manner and starts validating your API from a security perspective and assists in identifying vulnerabilities early in the development cycle. It saves a lot of time and cost for teams concentrating on building APIs for their customers, as it reduces the effort on security testing by automating it. Opus is an implementation partner of Noname and can help in implementing API security for your organization for APIs built and deployed in any technology.

Author:

Debashis Bhattacharyya

Debashis Bhattacharyya has over 18 years of experience planning and delivering technology solutions, specializing in Cloud, API, DevSecOps and Application Modernization. He has been instrumental in Opus’ transformational DevOps initiative with FIS that won the prestigious DevOps Dozen Award for ‘Best DevOps Industry Implementation’ in 2022.

