BFLA Testing

The BFLA tab in the Risk Findings section shows Broken Function Level Authorization (BFLA) findings. These findings are API calls (authorizations) made by workloads that are inconsistent with a model of which workloads should, and should not, be making them. See, for example, here for more information.

In order to run BFLA tests, a model of 'normative' authorizations must first be created. This model is used as a reference against which actual API traffic is compared; deviations from it are listed as findings.

BFLA modelling

The BFLA model is created by monitoring 'normal' API traffic for a period of time. Once it is created, you can review the traffic model and modify it to correct it where necessary.

Once this is done, you can begin monitoring actual API traffic, and generate findings based on deviations from the model.

Follow these steps to create the BFLA model.

  1. Select the API to be modelled from the list in the Internal tab.
  2. Select the Risk Findings tab, and then BFLA.
  3. Select the learning period for the model, and then click OK. API traffic will be monitored and a model created from it. Once the learning period is complete, the model will be shown.

When the learning period is complete, the model is shown as a list of tags. You can expand each tag to see its details.


You can review the details of the tags in the model and, if necessary, modify them.
Click a tag to see its details.


Click Edit to open the tag for editing.

You can mark a tag as 'legitimate' to indicate that it is normative behavior when actual traffic is compared against the model during monitoring. Alternatively, you can mark it as 'illegitimate', which effectively removes it from the model.

You can also add additional namespaces to tags discovered during modelling. These can be marked as legitimate or illegitimate cases, and are treated accordingly when monitored traffic is compared against the model.


Make changes, then click SAVE.

You can resume modelling to improve the model with more traffic, or you can restart (reset) the modelling, discarding the information already collected and collecting new information.

Click Resume BFLA model learning to resume, or Reset to start fresh.


BFLA monitoring (detection)

After the BFLA model has been created, you can monitor API traffic and compare it against the model.

Follow these steps to start monitoring:

  1. Select the API to be monitored from the list in the Internal tab.
  2. Select the Risk Findings tab, and then BFLA.
  3. Click Start BFLA detection.
  4. Select the monitoring period, and then click OK.

BFLA findings

Discrepancies between the monitored API traffic and the BFLA model are reported as findings in the Security Posture tab.
The source of these findings is bfla.
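The whole workflow described on this page (learn a model of normative callers, edit its tags, add a namespace, then detect deviations) as a small added Python example; this is illustrative code written for this page, not the product's own implementation, and the workload names, operations and traffic records are constructed.

```python
from collections import defaultdict

# Constructed sample traffic records: (namespace, workload, method, path).
LEARNING_TRAFFIC = [
    ("shop", "frontend", "GET", "/catalog"),
    ("shop", "frontend", "POST", "/orders"),
    ("shop", "billing", "GET", "/orders"),
    ("shop", "frontend", "DELETE", "/orders"),  # stray call captured during learning
]
MONITORED_TRAFFIC = [
    ("shop", "frontend", "GET", "/catalog"),    # matches the model
    ("ops", "reporting", "GET", "/orders"),     # allowed via an added namespace
    ("shop", "frontend", "DELETE", "/orders"),  # tag marked illegitimate after review
    ("shop", "checkout", "POST", "/orders"),    # caller never seen for this operation
]

def learn_model(traffic):
    """Learning period: each (method, path) operation becomes a tag recording
    every caller observed for it; learned callers start out as legitimate."""
    model = defaultdict(dict)
    for ns, workload, method, path in traffic:
        model[(method, path)][f"{ns}/{workload}"] = True
    return model

def mark_caller(model, method, path, ns, workload, legitimate):
    """Edit a tag: True keeps the caller normative, False removes it from the model."""
    model[(method, path)][f"{ns}/{workload}"] = legitimate

def add_namespace(model, method, path, ns, legitimate):
    """Add a whole namespace to a tag as a legitimate (or illegitimate) caller."""
    model[(method, path)][f"{ns}/*"] = legitimate

def detect(model, traffic):
    """Monitoring: compare each call with the model; deviations become findings."""
    findings = []
    for ns, workload, method, path in traffic:
        tag = model.get((method, path), {})
        # An explicit workload entry wins over a namespace-wide entry.
        verdict = tag.get(f"{ns}/{workload}", tag.get(f"{ns}/*"))
        if verdict is not True:
            reason = "unknown caller" if verdict is None else "illegitimate caller"
            findings.append({"source": "bfla", "operation": f"{method} {path}",
                             "caller": f"{ns}/{workload}", "reason": reason})
    return findings

def run_demo():
    model = learn_model(LEARNING_TRAFFIC)
    mark_caller(model, "DELETE", "/orders", "shop", "frontend", legitimate=False)
    add_namespace(model, "GET", "/orders", "ops", legitimate=True)
    return detect(model, MONITORED_TRAFFIC)
```

Running `run_demo()` yields two findings: the DELETE /orders call from the tag marked illegitimate, and the POST /orders call from a workload the model never saw.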
