Akamai App & API Protector
1. About this document
This document provides step-by-step instructions for configuring the Akamai App & API Protector integration with SAFE and importing security misconfigurations from the protected applications into SAFE. Through this integration, hostnames protected by Akamai App & API Protector are onboarded into SAFE, where the strength of their WAF and DDoS-related security policies is assessed. The integration identifies misconfigurations in security settings, such as WAF rules, to determine their alignment with best practices for mitigating risks like DDoS attacks, Cross-Site Scripting (XSS), Remote File Inclusion (RFI), etc. These checks ensure that hostnames protected by Akamai are included in the organization's overall risk posture assessment and that the strength of the WAF and DDoS-related policies in the security configurations protecting those hostnames is measured.
2. Introduction
This integration allows you to onboard your applications and pull WAF and DDoS misconfigurations for those applications from Akamai into SAFE. SAFE Admins can configure this integration from the Akamai App & API Protector card on the Integrations page.
Prerequisites
An Akamai user able to create a read-only API client.
The hostnames to be onboarded into SAFE must belong to a security configuration and security policy.
SAFE access with an Admin role.
3. Generate connection details
To integrate SAFE with Akamai, four details from the Akamai console are needed:
Host (Akamai host)
Client Token
Client Secret
Access Token
Follow these steps to generate them:
Log in to control.akamai.com.
Open the options (menu) button on the homepage.
Scroll down and click the Identity and Access Management tab.
Make sure you are on the Users and API Clients tab, then click Create API Client on the far right.
To create credentials for yourself, stay on the Myself tab and click Advanced.
To create credentials for another user, click the Another User tab, select the user from the dropdown, then click Advanced.
Fill in the name and description, then click Select APIs.
Click on Clear API Selection in the window.
Select READ-ONLY for Application Security. Then click on Submit.
Back in the Users and API Clients view, either keep the same groups option or click Restrict Groups.
If you click on Restrict Groups, select the necessary groups and then click on Submit.
Note:
Make sure to include all groups that are part of App & API Protector so that all protected hostnames are covered.
Click on Create API Client.
Once the credentials have been created, they can be used to configure the integration in SAFE.
4. Configure Akamai App & API Protector in SAFE
Follow the below steps to configure Akamai App & API Protector in SAFE.
Go to the Integrations page and click the Akamai App & API Protector card.
Open the Configure page.
Enter the following details: Akamai Host, Client Token, Client Secret, and Access Token, as generated for the API client in step 3.13.
Once configured:
Click the Test Connection button.
Once the connection is validated, click the Save button.
Once the configuration is saved, click the Sync Now button to trigger an on-demand sync outside the scheduled automatic sync.
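Before the four values go into SAFE, a practitioner may want to exercise the API client independently to confirm it is read-only and covers the intended groups. The following Python is an added example, not SAFE's or Akamai's own code: it implements EdgeGrid (EG1-HMAC-SHA256) request signing with the standard library only, and the `/appsec/v1/configs` endpoint and the credential values shown are assumptions, not values from this page.

```python
"""Added example: sign a read-only Akamai OPEN API request with the host,
client token, client secret and access token generated above, so the
credential can be tested outside SAFE (pure stdlib EdgeGrid signing)."""
import base64
import hashlib
import hmac
import json
import urllib.request
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse


def _b64_hmac_sha256(key: bytes, msg: bytes) -> str:
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def edgegrid_auth_header(method, url, client_token, client_secret, access_token,
                         body=b"", timestamp=None, nonce=None):
    """Build the Authorization header value for one request.
    timestamp/nonce are parameters only so the result is reproducible in tests."""
    timestamp = timestamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H:%M:%S+0000")
    nonce = nonce or str(uuid.uuid4())
    parsed = urlparse(url)
    relative_url = parsed.path + ("?" + parsed.query if parsed.query else "")
    # Only POST bodies are hashed into the signature; read-only GETs sign "".
    content_hash = ""
    if method.upper() == "POST" and body:
        content_hash = base64.b64encode(hashlib.sha256(body).digest()).decode()
    unsigned = (f"EG1-HMAC-SHA256 client_token={client_token};"
                f"access_token={access_token};timestamp={timestamp};nonce={nonce};")
    # The signing key is derived from the client secret AND the timestamp, so a
    # captured header stops validating once the timestamp window has passed.
    signing_key = _b64_hmac_sha256(client_secret.encode(), timestamp.encode())
    data_to_sign = "\t".join([method.upper(), parsed.scheme, parsed.netloc,
                              relative_url, "", content_hash, unsigned])
    signature = _b64_hmac_sha256(signing_key.encode(), data_to_sign.encode())
    return unsigned + "signature=" + signature


def list_security_configs(host, client_token, client_secret, access_token):
    """GET the security configurations the credential can see (assumed endpoint:
    /appsec/v1/configs of the Application Security API). A 403 here means the
    API client lacks READ-ONLY Application Security access or the right groups."""
    url = f"https://{host}/appsec/v1/configs"
    auth = edgegrid_auth_header("GET", url, client_token, client_secret, access_token)
    req = urllib.request.Request(url, headers={"Authorization": auth})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

A successful response lists only the security configurations in the groups you granted; a hostname missing from that list will also be missing from SAFE.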
5. View Results
To view the assets and the assessment result:
From the Integrations page, click on Akamai App & API Protector card.
A page with Finding View and Asset View tabs opens.
The Finding View lists all the findings assessed from Akamai.
The Asset View lists all the applications (hostnames) pulled from Akamai.
Asset names follow the convention <hostname> - Akamai Hostname.
Alternatively, navigate to Technology and filter the asset list by Finding source with the value Akamai App & API Protector.
FAQs
What data does SAFE pull from Akamai by configuring this integration?
SAFE pulls in the applications (hostnames) from Akamai and assesses the WAF and DDoS security configurations protecting them.
How do I know which findings are pulled in by the Integration?
Findings pulled by the Akamai integration have "in Akamai" appended to the end of their names.
What does the "Custom rules are set to Deny" finding mean?
This finding verifies whether all custom WAF rules, if configured, within a security policy are set to Deny mode. It applies exclusively to hostnames in the security policy that have custom WAF rules defined.