Developing MuleSoft Policies for ML-Based 3 Layer API Security
The Challenge
MuleSoft customers that develop and deploy API-led solutions must address API security. It’s no secret that API usage has risen sharply. Unfortunately, that rise has also increased the desire of bad actors to exploit unsecured (or minimally secured) APIs. Gartner predicts that in 2022, APIs will become the most frequent attack vector.
Big Compass’ recommendation is a 3-layered approach. These layers are an API Gateway, a Web Application Firewall (WAF) or Runtime Application Self Protection (RASP), and a Machine Learning (ML) solution for “Zero Trust” security.
Third-party ML-based API security vendors want to extend their solutions to MuleSoft customers as part of this 3-layer security approach. This desire to serve MuleSoft customers presented a challenge to two vendors (and Big Compass partners) in the ML-based security area: they either did not have a ready-made, proven policy or had an outdated policy that needed to be updated to align with MuleSoft 4.
The vendors wanted a custom policy for their security solution that:
- Runs on MuleSoft 4
- Can be delivered for MuleSoft 3 as a separate policy
- Works with JSON and other payload types
- Supports synchronous and asynchronous communication with the ML server
- Supports API request metadata (e.g., headers and query parameters)
- Is easy to maintain, enhance, and debug
- Offers a configuration option to trust self-signed certificates
The Solution
Big Compass utilized the MuleSoft-provided archetype as a starting point to build the custom policies. We used a configuration YAML file to permit users to configure their policies in API Manager. Finally, where appropriate, we enabled ML server failover, which increases the reliability of the ML solution.
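As an added illustration (not Big Compass’ or the vendors’ actual policy files), a MuleSoft 4 custom-policy definition YAML that exposes the requirements listed above as API Manager configuration fields; the property names, defaults and descriptions are assumptions:

```yaml
# Added example: MuleSoft 4 custom-policy definition YAML for an ML-based
# API security policy. Property names and defaults are assumptions, not the
# vendors' real policy.
id: ml-api-security
name: ML-Based API Security
description: Sends request payload and metadata to an ML security server for Zero Trust analysis.
category: Security
type: custom
resourceLevelSupported: true
standalone: true
requiredCharacteristics: []
providedCharacteristics: []
configuration:
  - propertyName: mlServerUrl
    name: ML server URL
    description: Primary ML server endpoint (HTTPS).
    type: string
    optional: false
  - propertyName: failoverServerUrls
    name: Failover ML server URLs
    description: Tried in order when the primary server is unreachable.
    type: string
    allowMultiple: true
    optional: true
  - propertyName: mlServerApiKey
    name: ML server API key
    description: Credential presented to the ML server; stored encrypted by API Manager.
    type: string
    sensitive: true
    optional: false
  - propertyName: asyncMode
    name: Asynchronous analysis
    description: When true, the request is forwarded without waiting for the verdict; when false, the policy holds the request until the ML server responds.
    type: boolean
    defaultValue: false
    optional: true
  - propertyName: forwardMetadata
    name: Forward request headers and query parameters
    type: boolean
    defaultValue: true
    optional: true
  - propertyName: trustSelfSignedCertificates
    name: Trust self-signed certificates
    description: Accept self-signed TLS certificates from the ML server. Intended for non-production environments only.
    type: boolean
    defaultValue: false
    optional: true
```

In Mule 4 this YAML is paired with the policy template XML (the Mule flow that actually calls the ML server), and the fields above appear as inputs in API Manager when the policy is applied to an API.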
The Results
MuleSoft customers can now enable “Zero Trust” security by adding this custom policy to their API Manager instance. The custom policy integrates with the ML vendors’ server to analyze HTTPS payloads and other elements (source IP, headers, query parameters, and other metadata). When applied together with other API Manager policies and a WAF/RASP, it enables MuleSoft customers to implement the recommended 3-layer security approach.