
Cisco AAFAA Wins CSO50 Security Award

Enterprise software developers are increasingly using a wide range of APIs in their day-to-day work. With this increase in use, however, it is becoming harder for organizations to keep a full understanding of those APIs. Are the APIs secure? Do they adhere to the organization's policies and standards? It would be extremely helpful to have a set of solutions that provides insight into these questions and more. Fortunately, Cisco has launched our An-API-For-An-API project to address these concerns.


An-API-For-An-API (AAFAA) is a project that controls the end-to-end lifecycle of enterprise API services and supports developers from code creation through deployment into a cloud, provisioning of API gateways, and live monitoring of API use while the application is in production. Leveraging APIx Manager, an open-source project from Cisco, it combines CI/CD pipelines in which API interfaces are tested against enterprise (security) policies, automatic deployment of applications behind an API gateway in a cloud system, and dynamic analysis of the API service via APIClarity.

Figure 1 gives an overview of how the various pieces of the AAFAA solution fit and work together. Let's look at each piece and the insights it provides to the developer.

Figure 1. AAFAA Suite

APIx Manager

The central piece of the AAFAA solution suite is an open-source tool, APIx Manager, which surfaces API insights to developers inside their day-to-day workflow. APIx Manager creates a browser-based view that can be shared with the DevSecOps team as a single source of truth on the quality and consistency of the APIs, bridging a critical communication gap. These features help manage the API lifecycle and give a better understanding of changes to the APIs we use every day. They can be viewed either in the browser or through an IDE extension for VS Code. APIx Manager can also optionally integrate with APIClarity, which brings Cloud Native visibility for APIs.

By producing dashboards and reports that integrate with the CI/CD pipeline and surface insights into APIs, developers and operations teams get a single view of their APIs. This gives them a common frame of reference when discussing issues such as security, API completeness, REST guideline compliance, and even inclusive language.

APIClarity

APIClarity adds another level of insight to the AAFAA solution suite by providing a view into API traffic in Kubernetes clusters. Running inside a Service Mesh framework, APIClarity captures live traffic and compares the API behaviour it observes at runtime against the application's OpenAPI specification. Where a specification exists, developers can check observed traffic (or a candidate specification) against it and against company standards; where no specification has been published, APIClarity can reconstruct one from the traffic it observes.

Monitoring the use of Zombie and Shadow APIs in your applications is another critical security step. A Shadow API is an endpoint that is being served at runtime but does not appear in the specification at all; a Zombie API is an endpoint the specification marks as deprecated but that is still being called. By deploying APIClarity together with APIx Manager, Zombie and Shadow API usage becomes visible within the VS Code IDE extension. Seeing when an API drifts out of sync with its OpenAPI specification, or when Zombie and Shadow endpoints start receiving traffic, especially in a Cloud Native application, is essential to improving the application's security posture.
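To make the Shadow and Zombie definitions above concrete, here is a small classifier written for this post as an added example; it is not APIClarity's code. It takes an OpenAPI path table and a list of (method, path) pairs of the kind a mesh proxy's access log would yield, and both the specification and the traffic below are constructed for illustration. Templated path segments such as `{id}` are matched against concrete values, literal paths win over templated ones, and a documented path called with an undocumented method is reported as Shadow just like an unknown path.

```python
"""Classify observed API traffic against an OpenAPI spec.

Added example, not APIClarity's code. The spec and the traffic below are
constructed for illustration; the definitions follow the ones used in the
post: a Shadow API is an endpoint seen at runtime that the spec does not
describe, a Zombie API is an endpoint the spec marks deprecated that is
still being called.
"""
import re

METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
_PARAM = re.compile(r"\{[^/}]+\}")

# Constructed OpenAPI 3 document, reduced to the fields that matter here.
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/v2/users": {"get": {}, "post": {}},
        "/v2/users/{id}": {"get": {}, "delete": {}},
        "/v1/users/{id}": {"get": {"deprecated": True}},
    },
}

# Constructed access-log style records (method, path) as seen by the mesh proxy.
OBSERVED = [
    ("GET", "/v2/users"),
    ("GET", "/v2/users/42"),
    ("GET", "/v1/users/42"),         # deprecated but still called -> zombie
    ("GET", "/internal/debug/env"),  # not in the spec at all      -> shadow
    ("PATCH", "/v2/users/42"),       # known path, unknown method   -> shadow
    ("GET", "/v2/users/42/"),        # trailing slash, same template
]


def template_to_regex(template):
    """Turn '/v2/users/{id}' into a regex matching concrete request paths."""
    parts = []
    for seg in template.strip("/").split("/"):
        parts.append(r"[^/]+" if _PARAM.fullmatch(seg) else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def build_index(spec):
    """Return [(regex, template, {METHOD: operation})], literal paths first."""
    entries = []
    for template, item in spec["paths"].items():
        ops = {m.upper(): op for m, op in item.items() if m.lower() in METHODS}
        entries.append((template_to_regex(template), template, ops))
    # Fewer path parameters first so '/a/b' beats '/a/{x}' for the same request.
    entries.sort(key=lambda e: len(_PARAM.findall(e[1])))
    return entries


def classify(method, path, index):
    """Return ('documented'|'zombie'|'shadow', matched_template_or_None)."""
    for regex, template, ops in index:
        if regex.match(path):
            op = ops.get(method.upper())
            if op is None:
                return ("shadow", template)   # path known, method is not
            if op.get("deprecated"):
                return ("zombie", template)
            return ("documented", template)
    return ("shadow", None)


def audit(spec, observed):
    """Group every observed request by classification."""
    index = build_index(spec)
    findings = {"documented": [], "zombie": [], "shadow": []}
    for method, path in observed:
        kind, template = classify(method, path, index)
        findings[kind].append((method, path, template))
    return findings


if __name__ == "__main__":
    for kind, hits in audit(SPEC, OBSERVED).items():
        for method, path, template in hits:
            print(f"{kind:10} {method:6} {path:22} spec={template}")
```

In a real deployment the `OBSERVED` list would be fed from the proxy's access logs or from the mesh telemetry that APIClarity consumes, and the Shadow findings are the ones worth triaging first: an undocumented endpoint receiving traffic has, by definition, never been through the policy checks described in this post.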

Panoptica

Adding Panoptica to your AAFAA toolkit brings still more insight into API usage and security posture. Panoptica provides visibility into possible threats, vulnerabilities, and policy enforcement points for your Cloud Native applications. It also serves as a bridge between development and operations teams, bringing security into the CI/CD cycle earlier in the process.

Let's consider what this means from a practical, day-to-day standpoint.

AAFAA in Practice

As enterprise application developers, we are tasked with building and deploying secure applications. Many companies today have defined rules for applications, especially Cloud Native ones. These rules include using quality components (for example, vetted third-party APIs) and not deploying applications with known vulnerabilities. Those vulnerabilities can arise in many places: the cloud security posture, application build images, application configuration, the application itself, or the way its APIs are implemented.

None of this is new. What has changed dramatically in the past several years is how we achieve the goal of building and deploying secure applications, while the opportunities for vulnerabilities keep growing. This is where AAFAA comes into service.

AAFAA uses three main components to provide insight from the very beginning to the end of the application development lifecycle:

  • APIx Manager
  • CI/CD pipelines and automatic deployment of applications, and
  • dynamic tests of the API service via APIClarity.

APIx Manager

With its built-in integration into development tools such as VS Code, APIx Manager is where the developer's journey into AAFAA starts. It gives developers API security and compliance insights when they are needed most: at the beginning of the development cycle. Bringing these topics to developers' attention earlier in the lifecycle, shifting them left, makes them a priority during application design and coding. A Shift-Left Security practice has many advantages for the development team. It is also a real benefit for the Ops teams, who can now see, through APIx Manager's Comparison functionality, when issues have been addressed, whether they were a developer, Ops, or joint problem, and whether anything still needs attention. From the beginning of the software development cycle to the end, APIx Manager is a key component of AAFAA.

CI/CD Pipeline & Automatic Deployment

With the speed at which applications are produced and updates are rolled out as part of the Agile development cycle, CI/CD pipelines are how developers are used to working. When we designed our API solutions, we wanted to bring insights into the workflow developers already use and are comfortable with. Introducing yet another app that developers have to check was not a good option. By incorporating APIx Manager into the CI/CD pipeline, for example, developers gain insight into API security, completeness, standards compliance, and language inclusivity in their already established work stream.
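What a pipeline step of this kind looks like, written for this post as an added example and not the rule set that APIx Manager ships: a linter that loads an OpenAPI document and applies four illustrative policies of the categories listed above (an authentication requirement on every operation, documented responses including at least one 4xx, kebab-case path segments, and a non-inclusive-language scan over every string and key in the document), then exits non-zero when any error-severity finding exists so the CI job fails. The embedded specification is constructed for illustration; the specific rules and severities are assumptions that a real organization would replace with its own.

```python
"""Lint an OpenAPI document against a small set of enterprise API policies.

Added example. The rules below are illustrative and are not APIx Manager's
rule set; the embedded SPEC is constructed for the demonstration. Intended
to run as a CI step: exit code 1 when any "error" finding is present.
"""
import json
import re
import sys

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Illustrative term list; an organization would supply its own policy here.
NON_INCLUSIVE = {"whitelist": "allowlist", "blacklist": "denylist",
                 "master": "primary", "slave": "replica"}
_KEBAB = re.compile(r"^([a-z0-9]+(-[a-z0-9]+)*|\{[A-Za-z0-9_]+\})$")

# Constructed OpenAPI 3 document with deliberate policy violations.
SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users": {
            "get": {"summary": "List users",
                    "responses": {"200": {"description": "ok"}, "401": {"description": "unauthorized"}}},
            "post": {"summary": "Create user",
                     "responses": {"201": {"description": "created"}}},       # no 4xx documented
        },
        "/admin/export": {
            "get": {"security": [],                                           # opts out of global auth
                    "responses": {"200": {"description": "ok"}}},
        },
        "/ipWhitelist": {                                                     # not kebab-case
            "put": {"description": "Replace the IP whitelist"},               # no responses, term flagged
        },
    },
}


def iter_operations(spec):
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield path, method.upper(), op


def walk_strings(node, loc="$"):
    """Yield (json-path, string) for every key and string value in the document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield f"{loc}.{k}", k
            yield from walk_strings(v, f"{loc}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk_strings(v, f"{loc}[{i}]")
    elif isinstance(node, str):
        yield loc, node


def lint(spec):
    """Return a list of (severity, rule, location, message) findings."""
    findings = []
    global_security = spec.get("security")
    for path, method, op in iter_operations(spec):
        loc = f"{method} {path}"
        # Security policy: an operation inherits the global requirement unless it
        # overrides it; an empty override (security: []) means anonymous access.
        sec = op.get("security", global_security)
        if not sec or all(req == {} for req in sec):
            findings.append(("error", "auth-required", loc, "no security requirement (anonymous access)"))
        # Completeness: responses must be documented, including how failures look.
        responses = op.get("responses", {})
        if not responses:
            findings.append(("error", "responses-declared", loc, "no responses documented"))
        elif not any(code.startswith("4") for code in responses):
            findings.append(("warning", "error-responses", loc, "no 4xx response documented"))
    # REST guideline: lowercase kebab-case segments, no trailing slash.
    for path in spec.get("paths", {}):
        for seg in path.strip("/").split("/"):
            if seg and not _KEBAB.match(seg):
                findings.append(("warning", "kebab-case-paths", path, f"segment '{seg}' is not kebab-case"))
        if len(path) > 1 and path.endswith("/"):
            findings.append(("warning", "no-trailing-slash", path, "trailing slash"))
    # Inclusive language: whole-word, case-insensitive scan of every string.
    for loc, text in walk_strings(spec):
        for term, replacement in NON_INCLUSIVE.items():
            if re.search(rf"\b{term}\b", text, re.IGNORECASE):
                findings.append(("warning", "inclusive-language", loc, f"'{term}' -> consider '{replacement}'"))
    return findings


def ci_exit_code(findings):
    """Fail the build only on error-severity findings; warnings are reported."""
    return 1 if any(sev == "error" for sev, _, _, _ in findings) else 0


if __name__ == "__main__":
    # Pass a JSON OpenAPI file as argv[1]; otherwise lint the embedded sample.
    spec = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SPEC
    results = lint(spec)
    for sev, rule, loc, msg in results:
        print(f"{sev.upper():7} {rule:20} {loc}: {msg}")
    sys.exit(ci_exit_code(results))
```

The distinction between a missing `security` key (which inherits the document-level requirement) and an explicit `security: []` (which switches authentication off for that one operation) is the check most worth keeping whatever else you change: the second form is easy to add during debugging and easy to miss in review.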

Cloud Native applications continue to grow rapidly. Gartner estimates that by 2025, just three short years away, more than 95% of new digital workloads will be deployed on cloud platforms. That is an impressive number. However, as applications move to the cloud and away from platforms wholly managed by internal teams, we lose some insight into and control over them. Don't get me wrong, there are many great things about moving to the cloud, but as developers and operations professionals we need to stay vigilant about the applications and experiences we deliver to our end users.

Dynamic Tests

APIClarity is designed to provide observability into API traffic in Kubernetes clusters. As developers move to Cloud Native applications and rely more and more on APIs and clusters, visibility into the application's security posture becomes increasingly obscured. Tools like APIClarity restore that visibility through a Service Mesh framework that captures and analyzes API traffic to identify potential risks.

Combined with APIx Manager, that analysis is brought right into the developer's workflow, into the CI/CD pipeline and the IDE, currently via a VS Code extension. By delivering these insights in platforms developers already use, we help shift security left in the development process and give developers direct visibility. Beyond security concerns, APIx Manager also provides valuable insight into API completeness and adherence to API standards, and flags violations of company inclusive-language policies.

Within the An-API-For-An-API suite of tools, APIx Manager brings the analysis into the developer workflow, while APIClarity provides the dynamic analysis and Cloud Native API environment visibility.

What Else?

Several teams here at Cisco have worked side by side to create AAFAA. It has been great to see it all come together as a solution that gives developers and operations visibility into the APIs they use. The AAFAA project has also been recognized with a prestigious CSO50 Award for "security projects or initiatives that demonstrate outstanding business value and thought leadership." Please join me in congratulating the team on such a high honor for a job well done.

