The 2023 SANS Survey on API Security (Jun-2023) found that less than 50 percent of respondents have API security testing tools in place. Even fewer (29 percent) have API discovery tools.
Wallarm delivers both these capabilities via our single, integrated App and API Security platform.
Wallarm has long offered the ability to generate OpenAPI Specifications (aka Swagger) based on actual traffic across your endpoints. This allows you to:
- Enumerate all your managed and unmanaged APIs endpoints, including exposed & internal APIs; Rogue, Zombie, Shadow, and Orphan APIs; and Legacy / Unused APIs.
- Identify all changed or removed APIs and endpoints in your portfolio.
- Pinpoint sensitive data flows, including PII, financial data, credentials and more.
Today, we’re excited to announce a new feature to expand our automated testing capabilities by leveraging OpenAPI specifications to easily generate tests which can be integrated directly into your pre-production development pipeline.
By leveraging OpenAPI specs – either as-designed and/or built from actual traffic – to create targeted test cases for common vulnerabilities like cross-site scripting (XSS), SQL injection, and much more, this proactive approach helps you identify and rectify security issues early in the development cycle
Improve Your Pre-Prod API Testing
Wallarm leverages both discovered and provided OpenAPI specs, via the integrated capabilities of API Discovery and OpenAPI Security Testing, along with multiple built-in scanners, to improve API security by looping API vulnerability data into your development pipeline.
- Discovered Specifications. API Discovery provides an “observed” view with no schema required. Instead, it creates OpenAPI specs on the fly based on actual traffic. It identifies where attackers are focused to help prioritize additional scrutiny (e.g., pentesting, bug bounty programs, etc.) and generates pre-production tests automatically via the OpenAPI Security Testing function.
- Provided Specifications. OpenAPI Security Testing provides an “as-designed” view based on user-defined OpenAPI specs. It scans and Identifies issues even if an endpoint has no traffic (e.g., attackers haven’t found them). It generates tests directly, based on uploaded specs, which integrate into your existing CI/CD pipeline for triage and disposition.
Why OpenAPI Specs?
The OpenAPI Specification (fka Swagger) is a powerful tool in the world of API development. It serves as a standardized way to describe and document RESTful APIs, making them easier to understand, consume, and test.
In essence, it's like a blueprint for APIs, offering a clear and structured way to define how an API works. This specification is written in JSON or YAML and contains detailed information about endpoints, data formats, request and response types, authentication methods, and much more.
Some of the reasons we see it used in API development include:
- Contract-First Development: OpenAPI promotes a "contract-first" approach. Before writing a single line of code, developers create an OpenAPI document to define the API's structure. This allows for clear communication between developers and stakeholders, ensuring everyone's on the same page regarding the API's functionality.
- Documentation: OpenAPI is invaluable for creating API documentation. Tools can automatically generate user-friendly, interactive documentation from the specification. This means that developers, clients, and other teams can easily understand how to interact with the API.
- Shift-Left Testing: OpenAPI facilitates early testing in the development process. By using the specification, testing teams can generate test cases and scripts in parallel with development, catching issues sooner in the development lifecycle. This "shift-left" approach helps ensure that the API functions correctly from the start.
Bottom line, the OpenAPI Specification simplifies API development by providing a clear and structured way to define, document, and test RESTful APIs. It fosters collaboration, reduces misunderstandings, and accelerates the development process. For technically-minded individuals, it's a crucial tool that streamlines the entire API lifecycle, including security.
Why It Matters to Security
The OpenAPI Specification (OAS) isn't just a development and documentation tool; it's also a valuable asset for enhancing the security of APIs and applications. For security-focused professionals in the AppSec, DevSec, or DevSecOps realms, here's how OAS can be leveraged:
- Security by Design: OAS promotes the concept of "security by design." By including security definitions, requirements, and best practices directly in the API specification, security becomes an integral part of the development process from day one. This ensures that security considerations aren't an afterthought but are baked into the API's architecture.
- Authentication and Authorization: OAS clearly outlines authentication methods, such as OAuth, API keys, or JWT tokens. This means that security experts can validate these methods and review for potential vulnerabilities. It also helps them ensure that the API only grants authorized access to endpoints and data.
- Input Validation: Security teams can use OAS to validate that API endpoints are properly handling input data. This is crucial in preventing common security issues like injection attacks, where malicious data is inserted into API requests.
- Automated Security Testing: OAS makes it easier to automate security testing. Security tools can use the API specification to create targeted test cases for common vulnerabilities like cross-site scripting (XSS), SQL injection, and more. This proactive approach helps identify and rectify security issues early in the development cycle.
- Vulnerability Assessment: With the OAS in hand, security experts can conduct comprehensive vulnerability assessments. They can perform static analysis on the API specification to identify potential flaws and weaknesses, ensuring that security gaps are addressed before deployment.
Crucially, leveraging OpenAPI Specifications in AppSec, DevSec, or DevSecOps is a proactive and integral way to enhance API and application security. It brings security considerations to the forefront of development, streamlining vulnerability assessments, and reinforcing the principle that security should be a core part of every API and application's DNA.
The ability to identify designed vs. actual behavior and to automate pre-production testing based on real-world traffic data helps identify and mitigate vulnerabilities in your APIs, thus improving your API security posture.
If you are interested in learning more about how we can help you protect your APIs, please schedule a demo with one of our security experts today!