Cisco AAFAA Wins CSO50 Security Award

Enterprise software developers are increasingly using a wide variety of APIs in their day-to-day work. With this increase in use, however, it is becoming harder for organizations to keep a full understanding of those APIs. Are the APIs secure? Do they adhere to the organization's policies and standards? It would be extremely useful to have a set of solutions that provides insights into these questions and more. Fortunately, Cisco has launched our An-API-For-An-API project to address these concerns.


An-API-For-An-API (AAFAA) is a project that covers the end-to-end cycle for enterprise API services and supports developers from code creation through deployment into a cloud, provisioning of API gateways, and live monitoring of API use while the application is in production. Leveraging APIx Manager, an open-source project from Cisco, it combines CI/CD pipelines in which API interfaces are tested against enterprise (security) policies, automatic deployment of applications behind an API gateway in a cloud environment, and dynamic analysis of the API service through APIClarity.

Figure 1 provides an overview of how the various pieces of the AAFAA solution fit and work together. Let's look at the pieces and the insights each one provides to the developer.

Figure 1. AAFAA Suite

APIx Manager

The central piece of the AAFAA solution suite is an open-source solution, APIx Manager, which provides API insights to developers within their day-to-day workflow. APIx Manager creates a browser-based view that can be shared with the DevSecOps team as a single source of truth on the quality and consistency of the APIs, bridging a critical communication gap. All of these features help manage the API life cycle and give a better understanding of changes to the APIs we use every day. They can be viewed either in the browser or through an IDE extension for VS Code. APIx Manager can also optionally integrate with and leverage APIClarity, which brings Cloud Native visibility for APIs.

By creating dashboards and reports that integrate with the CI/CD pipeline and surface insights into APIs, developers and operations teams get a single view of their APIs. This gives them a common frame of reference when discussing issues such as security, API completeness, REST guideline compliance, and even inclusive language.


APIClarity adds another level of insight to the AAFAA solution suite by providing a view into API traffic within Kubernetes clusters. Using a Service Mesh framework, APIClarity can compare the runtime behaviour of your API against its OpenAPI specification. For applications that do not yet have a defined specification, developers can compare an API specification against the OpenAPI or company specifications, or reconstruct the spec from observed traffic if it has not been published.

Monitoring the use of Zombie or Shadow APIs in your applications is another critical security step. A Zombie API is a deprecated or retired endpoint that is still being served and called; a Shadow API is an endpoint that receives traffic but does not appear in the published specification at all. By deploying APIClarity together with APIx Manager, Zombie and Shadow API usage becomes visible inside the IDE extension for VS Code. Seeing when APIs drift out of sync with their OpenAPI specs, or when Zombie and Shadow APIs start to be used at runtime, especially in a Cloud Native application, is essential to improving the security posture of your application.
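The drift check described above reduces to a simple comparison: every observed (method, path) pair is looked up in the spec's path templates and classified as documented, zombie (the matching operation is marked deprecated) or shadow (no matching path, or a documented path with an undocumented method). The following is an added example written for this article, not APIClarity's or APIx Manager's own code; both the OpenAPI fragment and the gateway-style access-log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed OpenAPI 3 fragment (not a real service). Only the pieces the
# check needs: path templates, the methods under each, and the deprecated flag.
SPEC = {
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}, "patch": {}},
        "/v1/orders": {"get": {"deprecated": True}},
    }
}

# Constructed access-log lines in a gateway/sidecar style: "METHOD PATH STATUS".
ACCESS_LOG = """\
GET /users 200
GET /users/42 200
DELETE /users/42 204
GET /v1/orders 200
GET /internal/debug/env 200
POST /users 201
GET /v1/orders?page=2 200
"""


def compile_spec(spec):
    """Turn each OpenAPI path template into a regex plus its documented methods.

    "{id}"-style template parameters become a single path segment wildcard.
    """
    compiled = []
    for template, ops in spec["paths"].items():
        pattern = "^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$"
        methods = {m.upper(): op for m, op in ops.items()}
        compiled.append((template, re.compile(pattern), methods))
    return compiled


def classify(method, path, compiled):
    """Return 'documented', 'zombie' or 'shadow' for one observed request."""
    path = path.split("?", 1)[0]  # the query string never takes part in path matching
    for _template, rx, methods in compiled:
        if rx.match(path):
            op = methods.get(method)
            if op is None:
                return "shadow"  # documented path, but this method is not in the spec
            return "zombie" if op.get("deprecated") else "documented"
    return "shadow"  # no path template matches at all


def audit(log_text, spec):
    """Classify every request in the log; returns a list of (method, path, kind)."""
    compiled = compile_spec(spec)
    findings = []
    for line in log_text.splitlines():
        method, path, _status = line.split()
        findings.append((method, path.split("?", 1)[0], classify(method, path, compiled)))
    return findings


def summarize(findings):
    """Count documented / zombie / shadow hits, the figure a dashboard would show."""
    return Counter(kind for _m, _p, kind in findings)


if __name__ == "__main__":
    for method, path, kind in audit(ACCESS_LOG, SPEC):
        print(f"{kind:10s} {method} {path}")
    print(summarize(audit(ACCESS_LOG, SPEC)))
```

Two details matter in practice: a documented path with an undocumented method (the DELETE above) is still a shadow API, and a deprecated operation that keeps receiving traffic is the zombie case, which a plain "is this path in the spec?" check would miss.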


Adding Panoptica to your AAFAA toolkit brings even more insight into your API usage and security posture. Panoptica provides visibility into potential threats, vulnerabilities, and policy enforcement points for your Cloud Native applications. Panoptica is also an important solution for bridging development and operations teams, bringing security into the CI/CD cycle earlier in the process.

Let's think about what this means from a practical, day-to-day standpoint.

AAFAA in Practice

As enterprise application developers, we are tasked with building and deploying secure applications. Many companies today have defined rules for applications, especially Cloud Native ones. These rules include things like using quality components, e.g., third-party APIs, and not deploying applications with known vulnerabilities. Those vulnerabilities can originate in a wide variety of places: the cloud security posture, application build images, application configuration, the application itself, or the way its APIs are implemented.

There is nothing new about this. How we achieve the goal of building and deploying secure applications, however, has changed dramatically in the past several years, with the potential for vulnerabilities ever increasing. This is where AAFAA comes into service.

AAFAA uses three main components to provide insights from the very beginning to the very end of the application development lifecycle:

  • APIx Manager
  • CI/CD pipelines and automatic deployment of applications, and
  • dynamic assessments of the API service through APIClarity.

APIx Manager

With its built-in integration into development tools such as VS Code, APIx Manager is the start of the developer's journey into AAFAA. It lets developers gain API security and compliance insights when they are needed most: at the beginning of the development cycle. Bringing these topics to the attention of developers earlier in the development lifecycle, shifting them left, makes them a priority in the application design and coding process. There are many advantages to implementing a Shift-Left Security design practice for the development team. It is also a great benefit for the Ops teams: through APIx Manager's Comparison functionality they can now see when issues were addressed, whether they were a developer, Ops, or joint problem that needed to be resolved, and whether something still needs attention. From the beginning of the software development cycle to the end, APIx Manager is a key component of AAFAA.

CI/CD Pipeline & Automatic Deployment

With the speed at which applications are produced and updates are rolled out as part of the Agile development cycle, CI/CD pipelines are how developers are used to working. When we thought about our API solutions, we wanted to bring insights into the workflow that developers already use and are comfortable with. Introducing yet another app that developers have to check was not a realistic option. By incorporating APIx Manager, for example, into the CI/CD pipeline, we let developers gain insights into API security, completeness, standards compliance, and language inclusivity within their already established work stream.
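What "testing API interfaces against enterprise (security) policies in the pipeline" looks like concretely is a spec lint that runs on every commit and fails the build on a violation. The following is an added example written for this article, not APIx Manager's own policy engine or rule set; the OpenAPI document, the four rules, and the public-path allowlist are all constructed assumptions chosen to exercise each rule once.

```python
# Constructed OpenAPI 3 document with deliberate policy violations (not a real service).
SPEC = {
    "openapi": "3.0.3",
    "servers": [
        {"url": "https://api.example.internal"},
        {"url": "http://api-staging.example.internal"},   # violates: plain HTTP
    ],
    "security": [{"bearerAuth": []}],                       # global default: bearer token
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
    },
    "paths": {
        "/users": {
            "get": {"operationId": "listUsers"},            # inherits global security
            "post": {"operationId": "createUser", "security": []},   # explicit opt-out
        },
        "/users/{id}": {
            # no operationId, and references a scheme that is never defined
            "delete": {"security": [{"apiKey": []}]},
        },
        "/healthz": {
            "get": {"operationId": "health", "security": []},       # allowed: public probe
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Assumed allowlist of endpoints the policy permits without authentication.
PUBLIC_PATHS = {"/healthz"}


def lint_spec(spec, public_paths=PUBLIC_PATHS):
    """Return a list of (rule, location) policy violations; an empty list means compliant.

    Rules (constructed for this example):
      insecure-server            every server URL must use https
      missing-operationId        every operation needs a stable operationId
      unauthenticated-operation  effective security must be non-empty unless the path is public
      unknown-security-scheme    referenced schemes must exist in components.securitySchemes
    """
    findings = []
    for i, server in enumerate(spec.get("servers", [])):
        url = server.get("url", "")
        if not url.lower().startswith("https://"):
            findings.append(("insecure-server", f"servers[{i}] {url}"))

    schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security", [])

    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level "parameters", "summary", vendor extensions
            loc = f"{method.upper()} {path}"
            if not op.get("operationId"):
                findings.append(("missing-operationId", loc))
            # An operation-level "security" key overrides the global one; "security: []"
            # is an explicit opt-out, which is exactly what the policy must catch.
            effective = op.get("security", global_security)
            if not effective and path not in public_paths:
                findings.append(("unauthenticated-operation", loc))
            for requirement in effective:
                for name in requirement:
                    if name not in schemes:
                        findings.append(("unknown-security-scheme", f"{loc} ({name})"))
    return findings


def ci_gate(spec):
    """True when the spec may proceed through the pipeline, False when the build should fail."""
    return not lint_spec(spec)


if __name__ == "__main__":
    import sys
    for rule, where in lint_spec(SPEC):
        print(f"{rule:26s} {where}")
    sys.exit(0 if ci_gate(SPEC) else 1)
```

The subtle case is the operation-level `security: []`: it is valid OpenAPI, it silently disables the global requirement, and it is the form an accidental unauthenticated endpoint usually takes, so the rule has to distinguish "absent, inherit global" from "present and empty" rather than just checking for the key.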

There continues to be tremendous growth in Cloud Native applications. Gartner estimates that by 2025, just a short three years away, more than 95% of new digital workloads will be deployed on cloud-native platforms. That is an impressive number. However, as applications move to the cloud and away from platforms that are wholly managed by internal teams, we lose a degree of insight into and control over our applications. Don't get me wrong, there are many great things about moving to the cloud, but as developers and operations professionals we need to stay vigilant about the applications and experiences we deliver to our end users.

Dynamic Assessments

APIClarity is designed to provide observability into API traffic within Kubernetes clusters. As developers move to Cloud Native applications and rely more and more on APIs and clusters, visibility into the application's security posture becomes increasingly obscured. Tools like APIClarity restore that visibility through a Service Mesh framework that captures and analyzes API traffic to identify potential risks.

Combined with APIx Manager, this analysis is brought right into the developer's workflow, into the CI/CD pipeline and the IDE, currently through a VS Code extension. By delivering these insights in the platforms developers already use, we help shift security left in the development process and give visibility directly to developers. Beyond security concerns, APIx Manager also provides valuable insights into other areas such as API completeness and adherence to API standards, and it flags violations of company inclusive-language policies.

Within the An-API-For-An-API suite of tools, APIx Manager provides the developer-facing API insights and APIClarity provides the dynamic analysis and Cloud Native API environment visibility.

What Else?

Several teams here at Cisco have worked side by side to create AAFAA. It has been great to see it all come together as a solution that gives developers and operations visibility into the APIs they use. The AAFAA project has also been recognized with a prestigious CSO50 Award for "security projects or initiatives that demonstrate outstanding business value and thought leadership." Please join me in congratulating the team on such a high honor for a job well done.

