API Audit provides instant security scoring for prioritization and remediation advice at design time to help developers define and build the best OpenAPI contract possible. It performs over 300 security checks on your OpenAPI contract, ranging from structure and semantics to security and input/output data definitions. The API security audit is a core shift-left element of our API Security Platform.
Three-Tier Security Audit
API Audit & Linter reviews your OpenAPI definition file on three levels:
- It assesses if your API is a valid and well-formed OpenAPI file that adheres to the OpenAPI Specification (OAS).
- It reviews the security definitions in your API: whether you have defined authentication and authorization methods, and whether the transport protocol is secure.
- It assesses the data definition quality of your API: how strong the schemas defined for your API and its parameters are.
Help Developers Focus on the Security Gaps That Matter
The starting point for an API’s security is the OpenAPI definition itself. API Audit helps you lock down the OpenAPI definition at design time, to reduce the attack surface and remove any potential security gaps. Let your developers focus on the problems that matter and avoid the noise.
Developers get instant scoring so they can make fixes inside their IDE and CI/CD pipelines.
Security Governance and Enterprise Compliance
Keep your APIs compliant with visibility at design time and runtime. Security teams can define minimum audit scores, a maximum criticality for the issues found by Security Audit, and even drill down to the level of individual issues (for example, block all APIs that use API keys as their authentication scheme or that do not have proper patterns defined for request parameters).
The OpenAPI contract can also be audited from the CI/CD pipeline to ensure it is of sufficient quality to pass security requirements. In addition, security teams can overlay security policies to enhance the OpenAPI contract, which can then be enforced by the API Protect micro firewall.
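The three audit tiers and the governance rules above (API-key authentication schemes, request parameters without patterns), as an added illustrative example that is not 42Crunch's code: a minimal audit run over a constructed OpenAPI 3 document, where the check set, the finding messages and the score weights are all assumptions of this example.

```python
from typing import Any
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed OpenAPI 3 document carrying the weaknesses the audit should flag.
WEAK_API: dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "demo", "version": "1.0"},
    "servers": [{"url": "http://api.example.invalid"}],  # plain HTTP transport
    "components": {"securitySchemes": {
        "keyAuth": {"type": "apiKey", "in": "header", "name": "X-Api-Key"}}},
    "paths": {"/users/{id}": {"get": {
        "security": [{"keyAuth": []}],
        "parameters": [{"name": "id", "in": "path", "required": True,
                        "schema": {"type": "string"}}],  # no pattern or length bound
        "responses": {"200": {"description": "ok"}}}}},
}

def audit(doc: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (tier, message) findings for the structure, security and data tiers."""
    findings: list[tuple[str, str]] = []
    # Tier 1: structure. Required OAS 3 top-level fields must be present.
    for key in ("openapi", "info", "paths"):
        if key not in doc:
            findings.append(("structure", f"missing required field '{key}'"))
    # Tier 2: security definitions and transport.
    schemes = doc.get("components", {}).get("securitySchemes", {})
    if not schemes:
        findings.append(("security", "no securitySchemes defined"))
    for name, scheme in schemes.items():
        if scheme.get("type") == "apiKey":
            findings.append(("security", f"scheme '{name}' relies on an API key"))
    for server in doc.get("servers", []):
        if server.get("url", "").lower().startswith("http://"):
            findings.append(("security", f"server '{server['url']}' is not HTTPS"))
    # Tier 3: per-operation security requirement and parameter schema strength.
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            if not op.get("security", doc.get("security")):
                findings.append(("security", f"{method.upper()} {path} has no security requirement"))
            for param in op.get("parameters", []):
                schema = param.get("schema", {})
                constrained = any(k in schema for k in ("pattern", "enum", "format", "maxLength"))
                if schema.get("type") == "string" and not constrained:
                    findings.append(("data", f"{method.upper()} {path} parameter '{param['name']}' is an unconstrained string"))
    return findings

def score(findings: list[tuple[str, str]]) -> int:
    weights = {"structure": 30, "security": 20, "data": 10}  # assumed weights, 0-100 scale
    return max(0, 100 - sum(weights[tier] for tier, _ in findings))
```

A CI gate built on this would fail the build when `score(audit(doc))` drops below the team's minimum or when any finding of a blocked tier is present.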
Ready to Learn More?
Developer-first solution for delivering API security as code.