Leveraging Sucuri’s API

Name: Joshua Hammer – Title: Sales Operations Manager

Valentin Vesa: Good morning everyone and welcome back to the Sucuri short webinar series. This is your host, Val, and it is my pleasure to welcome you back to today’s episode. During this webinar, you will learn how to leverage Sucuri’s API. This is part of the sales enablement series that we’re doing and as presenters today, we have with us Joshua Hammer, he’s the Sales Operation Manager here at Sucuri and our colleague Victor Santoyo, an account executive.

Valentin Vesa: But before I hand it over to them to talk about the key takeaways and introduce themselves, just a few housekeeping rules. As usual, we’d love to hear from you during today’s presentation, so if you have a question for our presenters, please feel free to send it through the Q&A tab in your Zoom window, or you can also tweet us at Sucuri Security using the hashtag #AskSucuri. Our panelists will be answering your questions at the end of the session, but if we don’t get to your question during today’s webinar, no worries. We’ll post them to the webinar page and also you’ll get them via email. Today’s webinar will also be available as a video recording and all the slides will be sent to all registrants. We’d like to encourage you to share today’s webinar with your friends and followers on your social profiles and with that, boys, all yours.

Victor Santoyo: Thanks, Val, and, as Val mentioned, if you’re a first time here in our webinar series, my name is Victor. I’m an account executive here with Sucuri, been here about four years. A little bit about me and if you don’t know much already is I’m a big technology enthusiast and especially, you know, searching online for new online security topics to share, big runner as well, and a big sports fan with the family who’s due to grow soon as I have my second due in January. There’s my twitter handle there at the bottom. If you want to follow me, I love to retweet other people. Otherwise I’ll introduce Hammer.

Joshua Hammer: Hey, hey, my name is Joshua Hammer. I’m the Sales Operation Manager here at Sucuri. A little about me, I’ve been here for about four years. I’m married, have two beautiful little girls, and I love games and laughing, whether it’s video games, board games, even security is a game. So let’s figure that out together. So today, what are we going to go over? We’re going to learn how to use our API to share data with your customers, adjust any of the firewall settings that you see on our dashboard via the API, clear the cache and how the add team members, among other things. With that, I’m going to hand you back over to Victor, who’s our specialist in this area, so take it away.

Victor Santoyo: Thank you, sir.

Victor Santoyo: So before we start to dive into some of the things that can be useful for leveraging the API for, let’s talk about what those benefits are specifically. You know, why do we want to be using these APIs that we have? For a lot of you, that’s a silly question, but for some that are a startup agency trying to figure out some more efficient techniques, it’s an important question. So first things first, automation. Automation helps things run a lot faster. Computers are faster than we are. They work faster than we do and in a lot of cases, forget less than we do, right? I can write the same name over and over and over, but it’s very likely that I’ll misspell, forget a name, you know, all those other things, where if I can automate some of this process, it really just eliminates that stuff that slips through the cracks.

Victor Santoyo: Updates. You may have an existing update workflow already in place that uses APIs from other third-party vendors. Our APIs can allow you then to just, you know, it can help in terms of furthering or make more robust that workflow and in terms of maybe making adjustments based on those updates and allowing things to work as they should.

Victor Santoyo: Customization, probably the big takeaway for me because it allows a lot more creativity. You can specify what specific functions you want to have adjusted based on the task at hand and in terms as well, it might be also something that for one business, a specific API call or workflow may work but not for the next one. And so the ability to review examples online and see how it may work for your business, maybe adding, removing, or whatnot, is important.

Victor Santoyo: Adaptation as well. Things change over time. For the most part, people who often might find themselves migrating to different hosts or using different technologies, so having some universal APIs as well, if you have, let’s say, a specific vendor or technology of choice that you’ll never leave can be useful in knowing that on the fly you can make adjustments in the event of, well, if I need to migrate to a different host, then I know with my Sucuri API workflow I can to make some adjustments around origin API I’m moving to, things of that nature.

Victor Santoyo: Now those are the whys, those are the benefits of it, but more specific when should we be using these APIs? So beyond the actual infrastructure, your code and all that, there are just more behavioral things that are important in when to exercise those APIs. Very common thing are listed here, when I talk to other partners, when a new remote developer joins a team, and this is even something we do practice internally here at Sucuri where we have workflows in place to ensure that a developer is going to join, they may have a static IP at home that they know they’ll always connect from, and so we need to know that that IP needs to be applied into our systems so they gain access to everywhere they’re supposed to, right? So we want to make sure that they’re given access to systems they’re going to work with versus everything, just a big security tip, but yeah, it could be a very useful principle to apply.

Victor Santoyo: Notice of unusual behavior, right? Having an API, they may alert you if, let’s say you identify an IP that’s bombarding, say you’re on WordPress, your wp-admin, or just seeing a lot of requests come through within a short period of time. Having an API workflow in place or APIs that can help facilitate functions in the event of that unusual behavior is useful. I’ll go over an example towards the end of that, about something just like this.

Victor Santoyo: Content changes. It’s never going to stay the same forever, and so if you’re utilizing our services and our firewall, you should know that we are built on top of a content-delivery network to help optimize performance and cache your content, but you may be also using something else, WP Rocket on WordPress, a third-party vendor out there that also functions as a content-delivery network, so having a workflow in place to ensure that those caching layers are purged in the right order so things are displayed properly is important.

Victor Santoyo: An inventory change, right? That’s common. You know, you might lose or gain clients, you know, much to our chagrin, but, you want to be able to as well automate and speed up the ability to add or remove those domains that come off and add on those new products that come on.

Victor Santoyo: So from here we’ll go into some examples of the API. We’ll split this into two sections, first that are very single action in nature, right? You’re doing one specific thing to accomplish one specific goal and we’ll go through a lot of common examples. Just know if you are, of course, a paid customer of ours and utilizing our services, there are many more APIs then what I’m going to describe here. I just don’t have enough time but these are very common examples of usage of the API that have been found invaluable to a lot of the partners we work with. So just bear that in mind in terms of if you’re a startup, you know, things to focus on. The second section we’ll talk on more conditional usage of the API if you’re saying one thing, how to use this, but we’ll take it one step at a time.

Victor Santoyo: So first example, we want to add sites to the portal, right? So you might be coming on for the first time and, you know, making sure you want to add in all your assets at once. In some cases you may find that might be a big strenuous. Now the portal itself makes it really easy, but in the event that, moving forward, you want to automate this process quite a bit. For example, here’s a curl request that you can add into your terminal or whatnot that will allow you to add in the the particular domain you’re going to add. Now for the purposes, of course, I’m not going to disclose a known API key or a known site that we’re using, but use this as sort of a broad example of what to expect when using our API. So that’s the key right there. A one, two, three, three, through nine example, where we’ll use Google in this example and you’ll get a response back letting you know, okay, added Google has been added to your Sucuri portal. This will also initially engage the monitoring to initiate the first scan. So that’s already some automation on your part, and make it really easy as you add on a new prospective client into your inventory.

Victor Santoyo: Now it could be one site or it could be many, and so in this example is a for loop that is intended to basically ensure that, let’s say you have a large client, 100 sites, 200 sites, that are going to come on board with that many domains. This is an example where you can create a text file and place it on your desktop or wherever, you name it inventory, and so what this loop is going to do is that for every item in that inventory list, we’re going to execute the same command you saw before, right? The only difference is, of course, a variable there. I’ve left the i so that it’ll go through that entire list. It’ll echo the response back, and then basically as an example there at the bottom, you’ll see a couple of sites listed back-to-back-to-back, and the idea is of course you add them, add them, add them, and then it’s done. It makes it really easy. I use this extensively. It’s about a minute’s worth of effort, whether I’m adding 10 sites, 50, or 200, okay? So it makes it really easy for you, especially where all you have to do is add a bunch of sites to a file, update the file and run the loop.

Victor Santoyo: Similarly, you can do something on the firewall side if you wanted to add them in bulk. Now, if you’re familiar with the service, you know that when adding a site to the firewall, this part can be a bit of a time usage. So you’ll see a panel like you see there on the right hand side of the screen where it’ll ask you to check off a couple of things, if you want, you know, optional services, like if you’re currently under DDoS, we have a way to, you know, ensure that we can restrict some access there to get you back up to make this site available, restrict your backend.

Victor Santoyo: [inaudible 00:11:00] only specific IPs, or even utilize our DNS management, which is optional. But if you’re adding in bulk, this takes time. All right? So it’ll be a similar loop here, on the left hand in the example, where for the purposes of this example, I’m going to opt out out of all of that, all right? And the opt out, specific thing you’ll notice there in the example is zero. If I were to enable it, I’d replace it with one.

Victor Santoyo: But it’ll be a similar thing. I’ll have an inventory similar on my desktop, local machine, and then for every item in that inventory, I’ll run that kernel for adding a specific domain into the firewall portal. And just let it run. And you’ll log in to your portal next time, and then you’ll see your inventory jump from two to 200 in a matter of what, five minutes? Maybe?

Victor Santoyo: So really useful and especially on this part of the portal. Makes it really easy if you’re a developer or a large team looking to onboard [inaudible 00:11:51].

Victor Santoyo: Now, next example would be flushing the cache. And so, course as a content delivery network, you’re gonna cache a lot of your assets. Based on the caching mode you’ve enabled, it could operate a lot of different ways. So one thing you can do is basically automate the process of clearing cache. So if you’re going to automate updates or make changes to your site on a weekly basis, you can include the specific [inaudible 00:12:18] or, you know, a command here, to flush the cache for a specific domain. All right?

Victor Santoyo: The format you see here under K is the API key you’re given for your accounts. Under S is for that specific domain in question. All right? So for the purpose of this example, we have cleared the cache for Google. All right? But you will get a response back letting you know that the cache for that domain has been cleared. Similarly, though, if, you know, you’re working on this site and you just want to make it easier, at the bottom I’ve red-lighted a example of a URL that you can bookmark as well.

Victor Santoyo: Now, in terms of other features you can do, similar features, as well, is allowlisting an IP address. So under the portal, you have the different areas in which you can do this, but one thing you want to make sure of, of course, is you can allowlist your current one. Suppose you’re traveling and connecting from an airport network and you need to get into something very time-sensitive, you can utilize our APIs to gain access, if you’ve gone to the trouble of restricting or protecting access to certain URLs.

Victor Santoyo: Or, more specifically, like if you have a new team member joining, you can specify a defined IP address that they provided to you. Or a list of IP addresses, so to speak. That way it won’t be blocked by our security rules, especially if they’re accessing the back end that you’ve restricted, and beyond that just making sure they have full access.

Victor Santoyo: The example of a script is there, of course, so you can define the IP there as, like, provide a generic example, 1-2-3-4-5, whatnot, and similarly you’ll get a response back letting you know it’ll be allowlisted, you know, in that, for that particular domain.

Victor Santoyo: One thing to know about our services, though, is that you would have to do this, of course, for each and every domain. If you have a team member that’s going to, you know, take advantage of managing all of those assets. So we do have a ways to manage that in bulk. Reach out to your account manager to get that list. Or otherwise you can take a similar approach, like I mentioned, with the cache, which is a URL at the bottom you can bookmark, share with team members in the event that things change. It’s also something really easy you can document, so that as new team members join on, they have access to these URLs that they can allowlist themselves.

Victor Santoyo: Now, one thing I’m highlighting here with the screenshot is our protected page feature. I know when you set up a site, I touched on the fact you can restrict your WP admin, for example, to be locked down to certain IP addresses. But certain file paths in general could be something you could restrict, as well. Might have internal use only paths, you know, access to specific parts of the site that aren’t ready or whatnot. And you can restrict them by IP address and ideally if you’ve already got most of the team allowlisted, makes it really easy to control access to those URL paths.

Victor Santoyo: So those are an example of senior action, right? One thing, one goal. Here we’re gonna speak on just two examples on multilayered approaches to utilizing some of the same functions we just discussed, right? What scenarios can we enable these features, and what would make sense?

Victor Santoyo: Now, for the first example, it’s actually an example I drew from a blog post that came out today. Blog.sucuri.net. Northon, one of our firewall engineers, did a really good job on really touching on API usage or our firewall. And but the example he touched on is basically accounting for the number of https requests to hit a specific origin server, that will then trigger the API to, you know, basically enable once that threshold is met.

Victor Santoyo: Now, for a demonstration, of course, these are not maybe numbers that you’d want enabled as a threshold, but just, you know, in terms of what we’re looking for. So what we’re going to do is we have an option for emergency DDOS prevention, right, in the event that we do see a lot of hit requests hit the server. So if for example, we see that requests hit up to 500 and beyond that, then what that will do is, if and when we see that specific threshold, then we’re going to execute the API.

Victor Santoyo: As I touched on earlier, you have the key for the accounts and the key for a specific domain, with the credentials. So this could be something that, then, you’d want to make sure that you have each and every domain accounted for, in the event that those requests are navigating the origin.

Victor Santoyo: Well, that’s one example of an if and then situation, right? Practical, because you may be seeing unusual behavior. Another generic thing you can do with this principle, as well, is if you are identifying a lot of requests from a specific region, and that is unusual for your audience, then you can enable country blocking, as well. And we do have a lot of extensive regions that we can enable with our country blocker. Either both get or post methods, okay?

Victor Santoyo: The next example. This will be in the event that you need a clear cache based on changes made to your files. Now, earlier, I kind of, you know, made the condition known that if you make, you know, content changes to your site, you would go through and make the process of, you know, you accessing the URL that’s bookmarked in your browser, clear the cache on your own. And that can be useful if you remember to access the URL to clear the cache. You know, it might be very late at night, you’ve finally finished the page or the new blog post or new layout, and you just forget to clear the cache, and based on your caching mode with us, it may not show for the amount of time that you want it to show up to or as quickly as you would like.

Victor Santoyo: So for the purpose of this example, I will go with a timestamp from the last modified date in the file system, right? This may be something that makes sense to you, if you have a different approach, by all means. But just, so sort of get your mind thinking about ways you can, you know, basically make sure the crumbs are picked up behind you once you make those changes, or other team members execute changes as well.

Victor Santoyo: So the … we’re using, here, an I Notify weight, which is a Linux-based tool to monitor for last-modified and whatnot. Of course it’s Linux-based, so, you know, if you’re utilizing something else, I apologize. But the general principle is that we’re going to check against last-modified in your file system. If and when we do see that, then we’re going to execute the clear cache for a specific domain. Okay? Or a list of domains, you may flush the entire inventory you have set you with our service just to cover your tracks. But that’s the idea, right, you want to make sure you have some automation in place to get that done, so that if and when you make those changes and, you know, you have a function in place to catch that … great, all the better.

Victor Santoyo: Last piece we’ll go on and touch on is something I know partners have asked about in the past. And that’s pulling data from the dashboard. When you’re talking to customers, you know, how, what type of a type of vector they’re seeing, how much we’re blocking, and whatnot … may not be useful. But for most customers, what they just simply want to know is that their sites have no malware, and their site’s not blocklisted.

Victor Santoyo: So on the right is an example of what the dashboard look like, when you log in. But as most of you know, it’s a central portal, and, you know, it’s not something necessarily you would share access with for the customer, so there’s got to be a way that you can get this out to them. We do have some, like, an example of a way to pull that data correctly, and then you can monitor that data and present it as you’d like. Whether that’s tapping into a portal, a page, a report that’s automated and generated, you can have a lot of flexibility here, but you at least get the raw data of what it looks like.

Victor Santoyo: So in this example, this is an example of my site, right here. You’ll see it’s running on the Sucuri Firewall, you’ll see the IP address there. There’s no spam, it’s not blocklisted, everything’s up to good. So I’m gonna run [Micro 00:19:51] here, from my monitor with my key, and get the data for my site. And this is a part of the data, not everything. You know, you can only fit so much on a slide, but I want to hit in some key notes here to understand what did [AE 00:20:05] get access to, right? So of course, the domain itself. What are we looking at? What IP is it on? What CMS is it running on? What version of WordPress is it running on, right? So you have a better understanding of, like, what else we’re identifying, JavaScript, you know, URLs of the domain. More specifically, the blocklists that we’re clean against, right?

Victor Santoyo: So this is very clean, it’s a good example of a site that’s good. Now, for a clean site that’s useful, and maybe a good way to present valuable data to your customers, to let you know the service is working. Well in some cases, you also need APIs to alert you to an issue. So we’re gonna use John Hacked’s site. Okay? And I’ve highlighted here specific issues with the site that may be worth noting, in a way, like I mentioned earlier, to conditionally trigger either the API or just internal alerts to issues based on the data you’re seeing here.

Victor Santoyo: So for example, if you identify that WordPress right now, we’re crawling towards Gutenberg in 5.0. For those that are familiar. This particular domain’s on 4.8.2, meaning it’s outdated. So if you can identify, on the web app info for example, that this particular version of WordPress does not match the current version, you know it’s outdated. So that would be a good alert for your team, might be good alert to execute an update or whatnot, or just even notify the customer, that they’re aware that they’re on an outdated version of WordPress. So some flexibility here.

Victor Santoyo: Next set of highlights here are malware that’s identified. Again, an internal alert to let you know to either come to us to get it cleaned or handle it internally, however you’d prefer, and more specific to what we’re seeing, right? So we have some known SEO spam. Viagra being sold on this particular site through SEO spam. And, you know, some JavaScript injection as well or whatnot. So really important to be alerted to internally, and possibly also communicate to the customer, that, “Hey, by the way,

Victor Santoyo: … A, there’s Malware on this site. Last and not least, certainly of course, is blocklists. You want to make sure that we also get alerted to the fact that we know blocklist this domain may have landed on so that once the cleanup is done, and maybe once we’ve also pushed an update to this particular WordPress site, we can go to add index, McAfee, Google and what not to request the D-list to make sure the site reverts back to good standing.

Victor Santoyo: In this particular example, one thing to note if you see blocklist info means the domain is clean and you can sort of copy that text after the fact so you know, “Okay, domain is clean by Google safe browsing security malware labs.” More specifically, if you get a blocklist warn, that means it’s blocklisted somewhere. It’ll even include the link where you can follow up the reason for the block as well.

Victor Santoyo: Those are some examples. Running on 20+ minutes, so don’t want to take too much else of your time, but sort of get your mind thinking about ways you can get creative with the API. You can listen to execute just basic functions day to day. By all means, if you have any questions, let me have them. Val, be more than happy to answer.

Joshua Hammer: One of my favorites is the clear cache. I love the fact that even though you might have hundreds of different accounts in there, and you don’t want to give people access to your dashboard, you can give them that clear cache URL, and that clears it for just their site and they never have to log into us.

Victor Santoyo: Yeah, external communication out of the portal. It’s a good security tool, too, right? They don’t have to have access to other client sites. It still gets them to accomplish the goal they need.

Valentin Vesa: Awesome. Yes, we do have questions. Also, we don’t have that much time, but I like to go over a few of them. First one that came in here from Michelle is: “How much coding do I need to know in order to use your API?” I’m assuming any API, for that matter.

Victor Santoyo: I would say, to know how much coding is just to understand the principle of the URL you’re working with. I came on four years ago, and a lot of this was unknown to me, but you work with something enough to understand where they make do. You may even think about testing, like adding a dev or staging site to our portal and then playing around there like, “What happens if I did enable this API? Oh, whoops, I shouldn’t have done that, but now I know what happens.” Just learning that you can organically learn, understand better ways to do it.

Victor Santoyo: Joshua mentioned just having a URL in place, those are simple things. You can bookmark something. You can have a folder in your browser, say clear cache Sucuri folder. Then you can have sub-folders for each particular domain that you’re managing. Inside of that is a link to either flush to cash or allowlist your API. That’s, for the most part, I think something that you can get your head around and at least accomplishing two very common things you need to get done on a daily or weekly basis.

Valentin Vesa: That’s already using the API right?

Victor Santoyo: Yeah. If you need help on fetching them, let us know. We can help.

Valentin Vesa: Awesome. Next one: “Do you have an API guide or tutorial, or how do I find the commands for your API?”

Joshua Hammer: There’s a lot inside the dashboard. You’ll see a link at the bottom that says API, and that’ll point you over to some of it. We also have guides and books internally that we can send out. Just reach out to your account manager and they can get you that info.

Valentin Vesa: Awesome. Next. “You mentioned detecting by last modified date in your caching example, is there another way to do it?”

Victor Santoyo: There are. I used that because to me it probably made most sense if you’re modifying the file or anything. You’re likely making some changes you want reflected. In some cases, though, that could be an alert to malware. That was a tricky example to use. In other cases you may look at things like identifying what the code itself looks like and matching that against something else. You could look at the date it was open even, maybe just to cover your tracks so you understand if there are any changes there.

Victor Santoyo: There are different ways you can look at different principles. You could go online to forums. You’ll see different people exercise different beliefs on that. That’s up to you, but whatever you think makes more sense for you. If you know that to you it’s easier to wrap your head around the modified date, go with that.

Valentin Vesa: Awesome. You wanted to add something, Josh?

Joshua Hammer: No.

Valentin Vesa: Okay. Tommy’s asking here kind of a long-ish one, so I’m gonna read it. “Are there other API features beyond the caching and allowlisting that are popular?” He says, “I’m trying to understand what I can tell my dev team.”

Joshua Hammer: Everything on our firewall side, everything that’s on our dashboard can be accessed via API. Technically you could rebuild the firewall portal and have everything done via API on your own program. You could build a complete plugin that you could give to your individual clients that does everything that our firewall dashboard would do.

Victor Santoyo: Yeah, it’s something that … I actually got off a call about 30 minutes ago or about an hour ago with another group that was actually asking just that. How much flexibility do I have if I want to build my own plugin to work on? They also utilize another vendor for cashing purposes. There is a lot of flexibility to do so. We’re always making updates to our API’s. I would say most, if not all of the firewall, like Joshua’s alluding to, is available. Monitoring site, there’s also a lot of flexibility there.

Victor Santoyo: I think in terms of making sure that you wanted to build your own customer portal plugin page, whatever, that’s something everything from country blocking to neighboring additional security setting, uploading or updating your SSL certificate within our portal is something you can do with your API.

Valentin Vesa: Thanks, guys. Two more questions for today. Next one is, “Is the allowlist temporary or permanent, and will I be needing to use the wireless API over and over?”

Victor Santoyo: You can specify the portal in terms of time, I believe, Joshua.

Joshua Hammer: Correct.

Victor Santoyo: For the purposes of the API, it’ll essentially be permanent so you don’t have to worry about re-allowlisting every 20 minutes or every hour. It’s a little more important as someone … a lot of us will promote or at least travel a lot to events and whatnot. It’s a good tool to have ready before you leave home base, so that if you’re connecting from a work camp or any of these other large events, you’re not locked out of your own stuff and sort of scrambling to get access back in.

Valentin Vesa: Perfect, and a question I have been waiting for: Is there an additional cost for the API access?

Victor Santoyo: No.

Joshua Hammer: No, that’s included in your plan. We do have an API that is separate that is for monitoring that does cost, but in terms of the API’s that we covered here today it’s included with all of your plans.