Vulnerability Discussion
The API Gateway must audit execution time and performance metrics to ensure efficient traffic management, optimize resource usage, and maintain a high-quality user experience across all services. As the entry point for all incoming API requests, the gateway plays a crucial role in routing traffic, load balancing, and handling cross-cutting concerns such as security and rate limiting. By auditing execution time and performance metrics, the gateway can track the response times of both the gateway itself and the backend services, identifying potential bottlenecks, latency issues, or inefficient processing. This enables timely intervention to resolve performance problems before they impact users or cause system failures.
Along with knowing when an event occurred, monitoring execution time can help detect unusual patterns, such as distributed denial-of-service (DDoS) attacks or misconfigured services, which could slow down the system.
Check
If an API Gateway is not in use, this is Not Applicable.
Verify the API Gateway audits execution time and performance metrics.
1. Inspect the API Gateway's logs to verify they capture performance-related data, such as execution times, request latency, and throughput.
2. Simulate various requests and monitor the execution times, verifying performance metrics are logged for each request or operation.
3. Verify the API Gateway is configured to log execution times and track key performance metrics, including thresholds for alerts.
4. Review the API Gateway's documentation to ensure auditing of execution time and performance metrics is properly configured and operational.
If the API Gateway is not auditing execution time and performance metrics, this is a finding.
Fix
Build or configure the API Gateway to log execution times and track key performance metrics, including thresholds for alerts.
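As an added example that is not part of this STIG text, the following script shows what the Check and Fix amount to in practice: it parses constructed gateway access-log lines in an assumed format (fields gw_ms and upstream_ms are hypothetical), counts lines that carry no timing data, computes per-route p95 latency and gateway overhead, and reports routes that exceed an alert threshold.

```python
"""Hypothetical audit check over constructed API Gateway access-log lines:
verify timing fields exist, compute per-route latency, flag p95 breaches."""
import math
import re

# Constructed sample log: timestamp, method, path, status, gateway total
# time and upstream (backend) time in ms; the last line has no timing fields.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z GET /api/orders 200 gw_ms=12 upstream_ms=9
2024-05-01T10:00:01Z GET /api/orders 200 gw_ms=15 upstream_ms=11
2024-05-01T10:00:02Z GET /api/orders 200 gw_ms=420 upstream_ms=410
2024-05-01T10:00:03Z POST /api/payments 201 gw_ms=95 upstream_ms=88
2024-05-01T10:00:04Z POST /api/payments 502 gw_ms=3005 upstream_ms=3000
2024-05-01T10:00:05Z GET /api/health 200 gw_ms=2
2024-05-01T10:00:06Z GET /api/users 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) gw_ms=(\d+)(?: upstream_ms=(\d+))?$")

def parse_log(text):
    """Return (records, unaudited): lines lacking timing fields are counted
    as unaudited instead of being silently dropped (check item 1)."""
    records, unaudited = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unaudited += 1
            continue
        ts, method, path, status, gw, up = m.groups()
        records.append({"ts": ts, "route": f"{method} {path}", "status": int(status),
                        "gw_ms": int(gw), "upstream_ms": int(up) if up else None})
    return records, unaudited

def route_metrics(records):
    """Per route: request count, nearest-rank p95 gateway time, and mean
    gateway overhead (gateway minus upstream time) where both are logged."""
    by_route = {}
    for r in records:
        by_route.setdefault(r["route"], []).append(r)
    out = {}
    for route, rs in by_route.items():
        lat = sorted(r["gw_ms"] for r in rs)
        p95 = lat[math.ceil(0.95 * len(lat)) - 1]
        over = [r["gw_ms"] - r["upstream_ms"] for r in rs if r["upstream_ms"] is not None]
        out[route] = {"count": len(rs), "p95_ms": p95,
                      "mean_overhead_ms": sum(over) / len(over) if over else None}
    return out

def breaches(metrics, p95_threshold_ms):
    """Routes whose p95 exceeds the alert threshold (check item 3 and the fix)."""
    return sorted(r for r, m in metrics.items() if m["p95_ms"] > p95_threshold_ms)
```

A non-zero unaudited count means some requests produced no execution-time record at all, which is the condition the Check treats as a finding regardless of how the timed requests perform.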