Deep dive on PCI DSS 4.0 API Security Requirements

Deployment - API Gateway Plugin

  1. AppSentinels comes with Kong plugin that is deployed on the KONG server.

  2. Additionally AppSentinels Edge Controller is deployed in the environment and should be reachable from the Kong plugin.

  3. AppSentinels Kong plugin gets HTTP traffic and forward the logs to AppSentinels Edge Controller for security processing.

  4. AppSentinels Kong plugin supports two modes configurable via a knob – OOB/Transparent & Service-chaining/Enforcement. In both the modes, AppSentinels process a copy of the packet.

  5. In OOB/transparent mode, plugin forwards the packet to the Application and Edge controller simultaneously. In service-chaining mode, the plugin forwards the packet to Edge Controller and waits for it’s output before forwarding the packet to Application. This allows the plugin to enforce inline action based on response received from Edge Controller.

  6. AppSentinels Service-chaining mode has optional max-latency configuration. In case Edge controller response is delayed and latency crosses configured threshold, plugin gets into fail-open mode and forwards the packet to Application thereby ensuring availability and responsiveness in case of a slowness or an outage.