API Security - enabled by default #6701

Open
wants to merge 2 commits into
base: master

ValentinZakharov
Contributor

What Does This Do

API Security enabled by default
To disable API Security, use the environment variable `DD_API_SECURITY_ENABLED=false` or the startup option `-Ddd.api-security.enabled=false`.

pr-commenter bot commented Feb 19, 2024

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | vzakharov/enable_api_sec |
| git_commit_date | 1710368126 | 1710403001 |
| git_commit_sha | ee9c0f8 | 85fa55e |
| release_version | 1.32.0-SNAPSHOT~ee9c0f803a | 1.32.0-SNAPSHOT~85fa55e998 |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1710406572 | 1710406572 |
| ci_job_id | 459469557 | 459469557 |
| ci_pipeline_id | 30080924 | 30080924 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 51 metrics, 12 unstable metrics.

Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.32.0-SNAPSHOT~85fa55e998, baseline=1.32.0-SNAPSHOT~ee9c0f803a

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.077 s) : 0, 1076880
Total [baseline] (9.188 s) : 0, 9187693
Agent [candidate] (1.078 s) : 0, 1078428
Total [candidate] (9.209 s) : 0, 9209110
section appsec
Agent [baseline] (1.207 s) : 0, 1206744
Total [baseline] (9.24 s) : 0, 9239915
Agent [candidate] (1.205 s) : 0, 1204897
Total [candidate] (9.307 s) : 0, 9306692
section iast
Agent [baseline] (1.21 s) : 0, 1209860
Total [baseline] (9.372 s) : 0, 9371951
Agent [candidate] (1.218 s) : 0, 1217592
Total [candidate] (9.389 s) : 0, 9389161
section profiling
Agent [baseline] (1.277 s) : 0, 1276829
Total [baseline] (9.363 s) : 0, 9363051
Agent [candidate] (1.273 s) : 0, 1272806
Total [candidate] (9.318 s) : 0, 9317896
  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.077 s | - |
| Agent | appsec | 1.207 s | 129.864 ms (12.1%) |
| Agent | iast | 1.21 s | 132.98 ms (12.3%) |
| Agent | profiling | 1.277 s | 199.949 ms (18.6%) |
| Total | tracing | 9.188 s | - |
| Total | appsec | 9.24 s | 52.223 ms (0.6%) |
| Total | iast | 9.372 s | 184.259 ms (2.0%) |
| Total | profiling | 9.363 s | 175.359 ms (1.9%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.078 s | - |
| Agent | appsec | 1.205 s | 126.469 ms (11.7%) |
| Agent | iast | 1.218 s | 139.165 ms (12.9%) |
| Agent | profiling | 1.273 s | 194.378 ms (18.0%) |
| Total | tracing | 9.209 s | - |
| Total | appsec | 9.307 s | 97.583 ms (1.1%) |
| Total | iast | 9.389 s | 180.051 ms (2.0%) |
| Total | profiling | 9.318 s | 108.787 ms (1.2%) |

gantt
    title petclinic - break down per module: candidate=1.32.0-SNAPSHOT~85fa55e998, baseline=1.32.0-SNAPSHOT~ee9c0f803a

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (694.502 ms) : 0, 694502
BytebuddyAgent [candidate] (695.101 ms) : 0, 695101
GlobalTracer [baseline] (290.658 ms) : 0, 290658
GlobalTracer [candidate] (291.871 ms) : 0, 291871
AppSec [baseline] (49.004 ms) : 0, 49004
AppSec [candidate] (48.787 ms) : 0, 48787
Remote Config [baseline] (722.105 µs) : 0, 722
Remote Config [candidate] (712.147 µs) : 0, 712
Telemetry [baseline] (7.798 ms) : 0, 7798
Telemetry [candidate] (7.749 ms) : 0, 7749
section appsec
BytebuddyAgent [baseline] (700.05 ms) : 0, 700050
BytebuddyAgent [candidate] (699.927 ms) : 0, 699927
GlobalTracer [baseline] (292.633 ms) : 0, 292633
GlobalTracer [candidate] (291.534 ms) : 0, 291534
AppSec [baseline] (154.032 ms) : 0, 154032
AppSec [candidate] (153.669 ms) : 0, 153669
IAST [baseline] (17.987 ms) : 0, 17987
IAST [candidate] (17.765 ms) : 0, 17765
Remote Config [baseline] (616.316 µs) : 0, 616
Remote Config [candidate] (606.376 µs) : 0, 606
Telemetry [baseline] (6.951 ms) : 0, 6951
Telemetry [candidate] (6.869 ms) : 0, 6869
section iast
BytebuddyAgent [baseline] (804.455 ms) : 0, 804455
BytebuddyAgent [candidate] (810.933 ms) : 0, 810933
GlobalTracer [baseline] (289.215 ms) : 0, 289215
GlobalTracer [candidate] (290.863 ms) : 0, 290863
AppSec [baseline] (49.541 ms) : 0, 49541
AppSec [candidate] (49.339 ms) : 0, 49339
IAST [baseline] (22.414 ms) : 0, 22414
IAST [candidate] (24.423 ms) : 0, 24423
Remote Config [baseline] (606.576 µs) : 0, 607
Remote Config [candidate] (612.003 µs) : 0, 612
Telemetry [baseline] (8.994 ms) : 0, 8994
Telemetry [candidate] (6.628 ms) : 0, 6628
section profiling
BytebuddyAgent [baseline] (690.416 ms) : 0, 690416
BytebuddyAgent [candidate] (688.719 ms) : 0, 688719
GlobalTracer [baseline] (376.974 ms) : 0, 376974
GlobalTracer [candidate] (376.43 ms) : 0, 376430
AppSec [baseline] (49.772 ms) : 0, 49772
AppSec [candidate] (49.356 ms) : 0, 49356
Remote Config [baseline] (728.309 µs) : 0, 728
Remote Config [candidate] (812.613 µs) : 0, 813
Telemetry [baseline] (7.526 ms) : 0, 7526
Telemetry [candidate] (7.391 ms) : 0, 7391
ProfilingAgent [baseline] (95.156 ms) : 0, 95156
ProfilingAgent [candidate] (94.069 ms) : 0, 94069
Profiling [baseline] (95.179 ms) : 0, 95179
Profiling [candidate] (94.092 ms) : 0, 94092
Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.32.0-SNAPSHOT~85fa55e998, baseline=1.32.0-SNAPSHOT~ee9c0f803a

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.085 s) : 0, 1084644
Total [baseline] (8.557 s) : 0, 8557429
Agent [candidate] (1.081 s) : 0, 1080855
Total [candidate] (8.562 s) : 0, 8562170
section iast
Agent [baseline] (1.22 s) : 0, 1220001
Total [baseline] (9.087 s) : 0, 9086685
Agent [candidate] (1.211 s) : 0, 1211107
Total [candidate] (9.077 s) : 0, 9076605
section iast_HARDCODED_SECRET_DISABLED
Agent [baseline] (1.204 s) : 0, 1204445
Total [baseline] (9.028 s) : 0, 9028373
Agent [candidate] (1.206 s) : 0, 1205924
Total [candidate] (9.036 s) : 0, 9035969
section iast_TELEMETRY_OFF
Agent [baseline] (1.195 s) : 0, 1195256
Total [baseline] (9.024 s) : 0, 9023905
Agent [candidate] (1.197 s) : 0, 1197479
Total [candidate] (9.052 s) : 0, 9052412
  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.085 s | - |
| Agent | iast | 1.22 s | 135.358 ms (12.5%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.204 s | 119.801 ms (11.0%) |
| Agent | iast_TELEMETRY_OFF | 1.195 s | 110.612 ms (10.2%) |
| Total | tracing | 8.557 s | - |
| Total | iast | 9.087 s | 529.255 ms (6.2%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.028 s | 470.943 ms (5.5%) |
| Total | iast_TELEMETRY_OFF | 9.024 s | 466.476 ms (5.5%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.081 s | - |
| Agent | iast | 1.211 s | 130.252 ms (12.1%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.206 s | 125.069 ms (11.6%) |
| Agent | iast_TELEMETRY_OFF | 1.197 s | 116.625 ms (10.8%) |
| Total | tracing | 8.562 s | - |
| Total | iast | 9.077 s | 514.436 ms (6.0%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.036 s | 473.799 ms (5.5%) |
| Total | iast_TELEMETRY_OFF | 9.052 s | 490.243 ms (5.7%) |

gantt
    title insecure-bank - break down per module: candidate=1.32.0-SNAPSHOT~85fa55e998, baseline=1.32.0-SNAPSHOT~ee9c0f803a

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (699.813 ms) : 0, 699813
BytebuddyAgent [candidate] (696.736 ms) : 0, 696736
GlobalTracer [baseline] (292.453 ms) : 0, 292453
GlobalTracer [candidate] (292.185 ms) : 0, 292185
AppSec [baseline] (49.293 ms) : 0, 49293
AppSec [candidate] (49.115 ms) : 0, 49115
Remote Config [baseline] (757.094 µs) : 0, 757
Remote Config [candidate] (725.053 µs) : 0, 725
Telemetry [baseline] (7.792 ms) : 0, 7792
Telemetry [candidate] (7.798 ms) : 0, 7798
section iast
BytebuddyAgent [baseline] (811.917 ms) : 0, 811917
BytebuddyAgent [candidate] (805.082 ms) : 0, 805082
GlobalTracer [baseline] (291.818 ms) : 0, 291818
GlobalTracer [candidate] (290.14 ms) : 0, 290140
AppSec [baseline] (50.137 ms) : 0, 50137
AppSec [candidate] (50.093 ms) : 0, 50093
IAST [baseline] (23.354 ms) : 0, 23354
IAST [candidate] (22.428 ms) : 0, 22428
Remote Config [baseline] (611.653 µs) : 0, 612
Remote Config [candidate] (608.14 µs) : 0, 608
Telemetry [baseline] (7.376 ms) : 0, 7376
Telemetry [candidate] (8.207 ms) : 0, 8207
section iast_HARDCODED_SECRET_DISABLED
BytebuddyAgent [baseline] (799.974 ms) : 0, 799974
BytebuddyAgent [candidate] (801.928 ms) : 0, 801928
GlobalTracer [baseline] (288.613 ms) : 0, 288613
GlobalTracer [candidate] (289.136 ms) : 0, 289136
AppSec [baseline] (50.211 ms) : 0, 50211
AppSec [candidate] (50.136 ms) : 0, 50136
IAST [baseline] (23.215 ms) : 0, 23215
IAST [candidate] (23.107 ms) : 0, 23107
Remote Config [baseline] (626.157 µs) : 0, 626
Remote Config [candidate] (624.301 µs) : 0, 624
Telemetry [baseline] (7.43 ms) : 0, 7430
Telemetry [candidate] (6.674 ms) : 0, 6674
section iast_TELEMETRY_OFF
BytebuddyAgent [baseline] (792.059 ms) : 0, 792059
BytebuddyAgent [candidate] (792.794 ms) : 0, 792794
GlobalTracer [baseline] (288.295 ms) : 0, 288295
GlobalTracer [candidate] (289.406 ms) : 0, 289406
AppSec [baseline] (50.526 ms) : 0, 50526
AppSec [candidate] (52.392 ms) : 0, 52392
IAST [baseline] (23.018 ms) : 0, 23018
IAST [candidate] (21.546 ms) : 0, 21546
Remote Config [baseline] (575.579 µs) : 0, 576
Remote Config [candidate] (575.211 µs) : 0, 575
Telemetry [baseline] (6.399 ms) : 0, 6399
Telemetry [candidate] (6.53 ms) : 0, 6530

Load

Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.32.0-SNAPSHOT~85fa55e998, baseline=1.32.0-SNAPSHOT~ee9c0f803a
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.353 ms) : 1334, 1372
.   : milestone, 1353,
appsec (1.767 ms) : 1743, 1790
.   : milestone, 1767,
iast (1.507 ms) : 1483, 1531
.   : milestone, 1507,
profiling (1.53 ms) : 1506, 1555
.   : milestone, 1530,
tracing (1.515 ms) : 1491, 1539
.   : milestone, 1515,
section candidate
no_agent (1.35 ms) : 1330, 1369
.   : milestone, 1350,
appsec (1.768 ms) : 1745, 1791
.   : milestone, 1768,
iast (1.516 ms) : 1493, 1539
.   : milestone, 1516,
profiling (1.532 ms) : 1509, 1555
.   : milestone, 1532,
tracing (1.504 ms) : 1482, 1527
.   : milestone, 1504,
  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.353 ms [1.334 ms, 1.372 ms] | - |
| appsec | 1.767 ms [1.743 ms, 1.79 ms] | 413.741 µs (30.6%) |
| iast | 1.507 ms [1.483 ms, 1.531 ms] | 154.341 µs (11.4%) |
| profiling | 1.53 ms [1.506 ms, 1.555 ms] | 177.55 µs (13.1%) |
| tracing | 1.515 ms [1.491 ms, 1.539 ms] | 162.367 µs (12.0%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.35 ms [1.33 ms, 1.369 ms] | - |
| appsec | 1.768 ms [1.745 ms, 1.791 ms] | 418.411 µs (31.0%) |
| iast | 1.516 ms [1.493 ms, 1.539 ms] | 166.087 µs (12.3%) |
| profiling | 1.532 ms [1.509 ms, 1.555 ms] | 182.549 µs (13.5%) |
| tracing | 1.504 ms [1.482 ms, 1.527 ms] | 154.643 µs (11.5%) |

Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.32.0-SNAPSHOT~85fa55e998, baseline=1.32.0-SNAPSHOT~ee9c0f803a
    dateFormat X
    axisFormat %s
section baseline
no_agent (360.29 µs) : 341, 380
.   : milestone, 360,
iast (469.92 µs) : 449, 490
.   : milestone, 470,
iast_FULL (535.82 µs) : 515, 556
.   : milestone, 536,
iast_GLOBAL (484.688 µs) : 465, 505
.   : milestone, 485,
iast_HARDCODED_SECRET_DISABLED (472.118 µs) : 452, 493
.   : milestone, 472,
iast_INACTIVE (445.457 µs) : 424, 466
.   : milestone, 445,
iast_TELEMETRY_OFF (468.608 µs) : 448, 489
.   : milestone, 469,
tracing (443.939 µs) : 423, 465
.   : milestone, 444,
section candidate
no_agent (359.761 µs) : 340, 380
.   : milestone, 360,
iast (475.295 µs) : 454, 496
.   : milestone, 475,
iast_FULL (539.856 µs) : 519, 561
.   : milestone, 540,
iast_GLOBAL (491.01 µs) : 470, 512
.   : milestone, 491,
iast_HARDCODED_SECRET_DISABLED (477.928 µs) : 457, 499
.   : milestone, 478,
iast_INACTIVE (446.421 µs) : 426, 467
.   : milestone, 446,
iast_TELEMETRY_OFF (468.053 µs) : 447, 489
.   : milestone, 468,
tracing (437.61 µs) : 417, 458
.   : milestone, 438,
  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 360.29 µs [340.543 µs, 380.038 µs] | - |
| iast | 469.92 µs [449.435 µs, 490.406 µs] | 109.63 µs (30.4%) |
| iast_FULL | 535.82 µs [515.17 µs, 556.47 µs] | 175.53 µs (48.7%) |
| iast_GLOBAL | 484.688 µs [464.544 µs, 504.832 µs] | 124.398 µs (34.5%) |
| iast_HARDCODED_SECRET_DISABLED | 472.118 µs [451.687 µs, 492.55 µs] | 111.828 µs (31.0%) |
| iast_INACTIVE | 445.457 µs [424.453 µs, 466.462 µs] | 85.167 µs (23.6%) |
| iast_TELEMETRY_OFF | 468.608 µs [448.049 µs, 489.168 µs] | 108.318 µs (30.1%) |
| tracing | 443.939 µs [423.081 µs, 464.797 µs] | 83.649 µs (23.2%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 359.761 µs [339.897 µs, 379.625 µs] | - |
| iast | 475.295 µs [454.117 µs, 496.473 µs] | 115.534 µs (32.1%) |
| iast_FULL | 539.856 µs [519.199 µs, 560.513 µs] | 180.095 µs (50.1%) |
| iast_GLOBAL | 491.01 µs [470.167 µs, 511.853 µs] | 131.249 µs (36.5%) |
| iast_HARDCODED_SECRET_DISABLED | 477.928 µs [457.176 µs, 498.68 µs] | 118.167 µs (32.8%) |
| iast_INACTIVE | 446.421 µs [425.531 µs, 467.311 µs] | 86.66 µs (24.1%) |
| iast_TELEMETRY_OFF | 468.053 µs [447.079 µs, 489.027 µs] | 108.292 µs (30.1%) |
| tracing | 437.61 µs [417.239 µs, 457.982 µs] | 77.849 µs (21.6%) |

@ValentinZakharov ValentinZakharov self-assigned this Feb 19, 2024
@ValentinZakharov ValentinZakharov added the comp: asm waf Application Security Management (WAF) label Feb 19, 2024
@ValentinZakharov ValentinZakharov marked this pull request as ready for review February 21, 2024 09:02
@ValentinZakharov ValentinZakharov requested a review from a team as a code owner February 21, 2024 09:02
Labels
comp: asm waf Application Security Management (WAF) tag: do not merge Do not merge changes

4 participants