Splunk cloud rest API call related security questions

santosh121 — Tue, 01 Jun 2021 10:06:04 GMT

Dear All,

We are trying to build splunk cloud rest api call where we will be sending data from splunk cloud to another server via rest api call.

Since it is production data below are few points raised by security team and asked us to get that verified whether splunk supports these security noums or not.

1. All the APIs must be served securely over HTTPS using TLS v1.2 with oauth 2.0 implementation.

2. Any HTTP API requests must be rejected or redirected to HTTPS.

3. The API token must be validated for signing, tampering and expiry before any details are extracted from the token.

4. The API token expiry must be limited to 15 mins only.

5. The IP whitelisting must be performed for all INTERNET facing API endpoints to reject any unauthorized requests.

6. The API credentials must be set to expire and rotated at least annually.

7. The API credentials must be stored encrypted in Key vault and access must be granted to application or user following principle of least privilege.

8. The API credentials must not be hardcoded within the application source code, client-side scripts, or configuration files.

9. The tokens or credentials must not be passed in the URL parameters.

10. The API tokens must be scoped following the principle of least privilege and validated at method level.

11. Enumerable ID values must not be used in API methods.

12. Proper error or exception handling must be performed to return only generic error messages.

13. API rate limiting must be performed.

14. Proper input and content validation must be performed at the APIs including length, datatype etc.

15. In case of file uploads, file type, content type validation and scanning must be performed.

16. Un wanted HTTP methods must be disabled.

17. Log failed attempts, denied access, input validation failures, any failures in security policy checks must be logged.

18. No sensitive data must be captured in the logs.

19. The API logs must be ingested automatically into Genpact SIEM using standard integration mechanism for monitoring.

20. APIs must implement strict authentication, security headers, redirects, CORS etc.

21. All the API endpoints internally or externally exposed must undergo InfoSec design review and security testing before moving to production.

can someone provide any details on them.

Regards,

Santosh

Re: Splunk cloud rest API call related security questions

venkatasri — Thu, 10 Jun 2021 03:08:51 GMT

Hi @santosh121

It's quite extensive list, some of them being directly supported and others need to be supported through other products example Load balancer front of Splunk API's. I would recommend to connect with Splunk support for the correct guidance.

---

An upvote would be appreciated if it helps!

topic Re: Splunk cloud rest API call related security questions in Security

Splunk cloud rest API call related security questions

Re: Splunk cloud rest API call related security questions