- Essentials
- Getting Started
- Datadog
- Datadog Site
- DevSecOps
- Serverless for AWS Lambda
- Agent
- Integrations
- Containers
- Dashboards
- Monitors
- Logs
- APM Tracing
- Profiler
- Tags
- API
- Service Catalog
- Session Replay
- Continuous Testing
- Synthetic Monitoring
- Incident Management
- Database Monitoring
- Cloud Security Management
- Cloud SIEM
- Application Security Management
- Workflow Automation
- CI Visibility
- Test Visibility
- Test Impact Analysis
- Code Analysis
- Learning Center
- Support
- Glossary
- Standard Attributes
- Guides
- Agent
- Integrations
- OpenTelemetry
- Developers
- Authorization
- DogStatsD
- Custom Checks
- Integrations
- Create an Agent-based Integration
- Create an API Integration
- Create a Log Pipeline
- Integration Assets Reference
- Build a Marketplace Offering
- Create a Tile
- Create an Integration Dashboard
- Create a Recommended Monitor
- Create a Cloud SIEM Detection Rule
- OAuth for Integrations
- Install Agent Integration Developer Tool
- Service Checks
- IDE Plugins
- Community
- Guides
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- In The App
- Dashboards
- Notebooks
- DDSQL Editor
- Sheets
- Monitors and Alerting
- Infrastructure
- Metrics
- Watchdog
- Bits AI
- Service Catalog
- API Catalog
- Error Tracking
- Change Tracking
- Service Management
- Infrastructure
- Application Performance
- APM
- Continuous Profiler
- Database Monitoring
- Agent Integration Overhead
- Setup Architectures
- Setting Up Postgres
- Setting Up MySQL
- Setting Up SQL Server
- Setting Up Oracle
- Setting Up MongoDB
- Setting Up Amazon DocumentDB
- Connecting DBM and Traces
- Data Collected
- Exploring Database Hosts
- Exploring Query Metrics
- Exploring Query Samples
- Exploring Recommendations
- Troubleshooting
- Guides
- Data Streams Monitoring
- Data Jobs Monitoring
- Digital Experience
- Real User Monitoring
- Product Analytics
- Synthetic Testing and Monitoring
- Continuous Testing
- Software Delivery
- CI Visibility
- CD Visibility
- Test Optimization
- Code Analysis
- Quality Gates
- DORA Metrics
- Security
- Security Overview
- Cloud SIEM
- Cloud Security Management
- Application Security Management
- AI Observability
- Log Management
- Observability Pipelines
- Log Management
- Administration
API Security Inventory
Overview
API Security Inventory monitors your API traffic to provide visibility into the security posture of your APIs, including:
- Authentication: Whether the API enforces authentication.
- Authentication Method: Type of authentication used, such as Basic Auth and API key.
- Public Exposure: Whether the API is processing traffic from the internet.
- Sensitive data flows: Sensitive data handled by the API and flows between APIs.
- Attack Exposure: If the endpoint is targeted by attacks (powered by Application Threat Management).
- Business Logic: Business logic and associated business logic suggestions for this API.
- Vulnerabilities: If the endpoint contains a vulnerability (powered by Code Security and Software Composition Analysis).
- Findings: Security findings found on this API.
- Dependencies: APIs and Databases the API depends on.
Using the API Security Inventory you can:
- See at a glance which endpoints process sensitive data, are authenticated, have vulnerabilities or findings, or are publicly available.
- See which endpoints are at risk, and pivot directly into the Threat Monitoring and Protection service for further investigation or response.
- See which endpoints are associated to your business’s logic, and find business logic suggestions based on your endpoint’s traffic history.
Configuration
To use API Security on your services, you must have ASM Threats Protection enabled. The following library versions are compatible with API Security Inventory. Remote Configuration is required.
| Technology | Minimum tracer version | Support for sensitive data scanning |
|---|---|---|
| Python | v2.1.6 | Requests and responses |
| Java | v1.31.0 | Requests only |
| PHP | v0.98.0 | Requests and responses |
| .NET Core | v2.42.0 | Requests and responses |
| .NET Fx | v2.47.0 | Requests and responses |
| Ruby | v1.15.0 | Requests only |
| Golang | v1.59.0 | Requests only |
| Node.js | v3.51.0, v4.30.0 or v5.6.0 | Requests and responses |
Note: On .NET Core and .NET Fx tracers, you need to set the environment variable DD_API_SECURITY_ENABLED=true for API Security features to work properly.
How it works
API Inventory leverages the Datadog tracing library with ASM enabled to gather security metadata about API traffic, including the API schema, types of sensitive data processed, and the authentication scheme. API information is evaluated per endpoint, every 30 seconds, which should ensure minimal performance impact.
API Inventory Security uses Remote Configuration to manage and configure scanning rules that detect sensitive data and authentication.
The following risks are calculated for each endpoint:
Security trace activity
See the number of attacks your API experienced within the last week.
Processing sensitive data
ASM matches known patterns for sensitive data in API requests. If it finds a match, the endpoint is tagged with the type of sensitive data processed.
The matching occurs within your application, and none of the sensitive data is sent to Datadog.
Supported data types
| Category | Category facet | Type facet |
|---|---|---|
| Canadian social insurance numbers | pii | canadian_sin |
| United States social security numbers | pii | us_ssn |
| UK national insurance numbers | pii | uk_nin |
| US vehicle identification numbers | pii | vin |
| Passport numbers | pii | passport_number |
| E-mail addresses | pii | email |
| American Express card number | payment | card |
| Diners Club card number | payment | card |
| JCB card number | payment | card |
| Maestro card number | payment | card |
| Mastercard card number | payment | card |
| VISA card number | payment | card |
| IBAN bank account number | payment | iban |
Business logic
These tags are determined by the presence of business logic traces, associated to the endpoint.
Suggested business logic
We can suggest a business logic tag for your endpoint based on its HTTP method, response status codes, and URL.
Publicly accessible
Datadog marks an endpoint as public if the client IP address is outside these ranges:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.1.0/16
See Configuring a client IP header for more information on the required library configuration.
Endpoint authentication
Authentication is determined by:
- The presence of
Authorization,TokenorX-Api-Keyheaders. - The presence of a user ID within the trace (for example, the
@usr.idAPM attribute). - The request has responded with a 401 or 403 status code.
Datadog reports the type of authentication when available in a header through the Authentication Method facet.
Supported authentication methods
| Category | Category facet |
|---|---|
| JSON Web Token (JWT) | json_web_token |
Bearer tokens (found in Authorization headers) | bearer_token |
| Basic Authentication | basic_auth |
| Digest access authentication | digest_auth |
Vulnerabilities count
Counts the Code Security vulnerabilities on the endpoint , in addition to the Software Composition Analysis vulnerabilities of its service.
Further reading
| |