Initiating the API Security Process at Design Time
The starting point for the API's security is the API definition itself. If the API definition has gaping security holes, applying security measures on top of it just creates a ticking time bomb. The 42Crunch Security Audit helps you lock down API definitions, reducing the attack surface and removing potential security gaps before any code is deployed.
42Crunch API Security Audit Overview
42Crunch API Security Audit automatically performs a static analysis of your API definitions. Your API is audited against the OpenAPI 3.0 or Swagger 2.0 specification to check that the definition adheres to the specification and to catch any security issues the definition might contain.
Security Audit performs more than 300 security checks on your API contract, ranging from its structure and semantics to its security and input/output data definitions. It reviews your API definition on three levels:
- OpenAPI format: Is your API a valid and well-formed OpenAPI file, and does it follow the best practices and the spirit of the OpenAPI Specification? Can it be correctly parsed, reviewed, or protected?
- Security: How good are the security definitions in your API? Have you defined authentication and authorization methods, and is your chosen protocol secure enough?
- Data validation: What is the data definition quality of your API? How well have you defined what data your API accepts as input or can include in the output it produces, and how strong are the schemas you have defined for your API and its parameters?
Security Audit builds a security report and calculates an audit score for each API it analyzes based on the OpenAPI annotations in the API definition. The audit score reflects the risk associated with exposing the APIs, internally and externally.
The resulting report is quickly actionable by development teams and contains few false positives. Each issue includes a description of the potential risk and how to address it. The report clearly indicates the issues found and their respective severity levels, so you can prioritize the order in which to fix them.
Security Audit can automatically discover your API definitions by crawling code repositories and reporting all the OpenAPI/Swagger files. You instantly get a view of all your APIs and their security health.
Security Governance and Enterprise Compliance
Security teams need to be able to track all APIs within the enterprise and ensure that they all comply with the company's security standards. By integrating Security Audit into your CI/CD pipelines, you can ensure that every API is tested as soon as it is pushed to the corporate code repository, that is, as early as design time.
Security teams can define minimum audit scores and a maximum severity for the issues Security Audit finds, and can even drill down to the level of individual issues (for example, block all APIs that use API keys as their authentication scheme, or that do not define proper patterns for request parameters).
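As an added worked example (not 42Crunch's audit engine or its rule set), the following Python script applies a handful of checks of the kind described under the three levels above (format, security, data validation) to a constructed OpenAPI 3.0 definition, first in a deliberately weak form and then with each weak setting corrected, and then applies the kind of CI gate the previous paragraph describes: a minimum score, a maximum allowed severity, and individually blocked rule ids. The rule ids, severity weights, the sample API and its hostname api.example.test are all assumptions of this example.

```python
import copy
from collections import namedtuple

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")
SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 10, "low": 3}  # assumed weights
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
Finding = namedtuple("Finding", "rule severity location message")

# Constructed sample, deliberately weak: plain HTTP, an API key in the query
# string, an unauthenticated POST, and unbounded string/integer input.
WEAK_API = {
    "openapi": "3.0.0",
    "info": {"title": "Orders (constructed sample)", "version": "1.0"},
    "servers": [{"url": "http://api.example.test"}],
    "components": {"securitySchemes": {
        "ApiKey": {"type": "apiKey", "in": "query", "name": "key"}}},
    "paths": {
        "/orders/{id}": {"get": {
            "security": [{"ApiKey": []}],
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "string"}}],
            "responses": {"200": {"description": "ok"}}}},
        "/orders": {"post": {
            "requestBody": {"content": {"application/json": {"schema": {
                "type": "object", "properties": {"qty": {"type": "integer"}}}}}},
            "responses": {"200": {"description": "ok"}}}}}}

# The same API with every weak setting corrected.
HARDENED_API = copy.deepcopy(WEAK_API)
HARDENED_API["servers"] = [{"url": "https://api.example.test"}]
HARDENED_API["components"]["securitySchemes"] = {
    "BearerJwt": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}
HARDENED_API["security"] = [{"BearerJwt": []}]   # default for every operation
del HARDENED_API["paths"]["/orders/{id}"]["get"]["security"]
HARDENED_API["paths"]["/orders/{id}"]["get"]["parameters"][0]["schema"] = {
    "type": "string", "pattern": "^[0-9a-f]{8}$", "maxLength": 8}
HARDENED_API["paths"]["/orders"]["post"]["requestBody"]["content"]["application/json"]["schema"] = {
    "type": "object", "additionalProperties": False, "required": ["qty"],
    "properties": {"qty": {"type": "integer", "minimum": 1, "maximum": 100}}}


def _walk_schema(schema, loc, out):
    """Data-validation level: flag schemas that accept unbounded input."""
    if not isinstance(schema, dict):
        return
    t = schema.get("type")
    if t == "string" and not schema.keys() & {"pattern", "maxLength", "enum"}:
        out.append(Finding("unbounded-string", "medium", loc, "no pattern/maxLength/enum"))
    if t == "integer" and not schema.keys() >= {"minimum", "maximum"}:
        out.append(Finding("unbounded-integer", "low", loc, "no minimum/maximum"))
    if t == "object" and schema.get("additionalProperties", True) is not False:
        out.append(Finding("open-object", "low", loc, "additionalProperties not false"))
    for name, sub in schema.get("properties", {}).items():
        _walk_schema(sub, f"{loc}/properties/{name}", out)
    _walk_schema(schema.get("items"), f"{loc}/items", out)


def audit(api):
    """Return findings on the three levels: format, security, data validation."""
    if not str(api.get("openapi", "")).startswith("3."):   # format level
        return [Finding("format-version", "critical", "/openapi", "not OpenAPI 3.x")]
    out = []
    for i, srv in enumerate(api.get("servers", [])):      # security level
        if str(srv.get("url", "")).lower().startswith("http://"):
            out.append(Finding("insecure-transport", "high", f"/servers/{i}", "plain-HTTP server"))
    schemes = api.get("components", {}).get("securitySchemes", {})
    for path, item in api.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            loc = f"/paths/{path.replace('~', '~0').replace('/', '~1')}/{method}"  # JSON Pointer
            reqs = op.get("security", api.get("security"))  # operation-level overrides global
            if not reqs or {} in reqs:   # missing, [], or {} (auth optional) all mean no auth
                out.append(Finding("no-auth", "critical", loc, "callable without authentication"))
            for name in sorted({n for req in reqs or [] for n in req}):
                scheme = schemes.get(name, {})
                if scheme.get("type") == "apiKey":
                    sev = "high" if scheme.get("in") == "query" else "medium"
                    out.append(Finding("apikey-auth", sev, loc, f"API key '{name}' sent in {scheme.get('in')}"))
            for j, p in enumerate(op.get("parameters", [])):   # data-validation level
                _walk_schema(p.get("schema"), f"{loc}/parameters/{j}/schema", out)
            for ctype, media in op.get("requestBody", {}).get("content", {}).items():
                _walk_schema(media.get("schema"), f"{loc}/requestBody/content/{ctype}/schema", out)
    return out


def score(findings):
    return max(0, 100 - sum(SEVERITY_WEIGHT[f.severity] for f in findings))


def gate(findings, min_score=70, max_severity="medium", blocked_rules=()):
    """CI gate: minimum score, maximum allowed severity, individually blocked rules."""
    reasons = []
    s = score(findings)
    if s < min_score:
        reasons.append(f"score {s} below minimum {min_score}")
    if any(SEVERITY_RANK[f.severity] > SEVERITY_RANK[max_severity] for f in findings):
        reasons.append(f"finding above allowed severity '{max_severity}'")
    reasons += [f"blocked rule {f.rule} at {f.location}" for f in findings if f.rule in blocked_rules]
    return not reasons, reasons
```

Running `gate(audit(WEAK_API), blocked_rules=("apikey-auth",))` fails on all three criteria (the weak definition scores 4 out of 100, carries a critical finding, and uses a blocked scheme), while the hardened definition produces no findings and passes. Two details worth keeping from the security level: an operation inherits the document-level `security` only when it has no `security` key of its own, and an empty requirement object `{}` in the list makes authentication optional, so both an empty list and a list containing `{}` are treated as unauthenticated.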
Integrate our plugins with your favorite tools
The 42Crunch integration plugin for REST API Static Security Testing is available off-the-shelf for the following CI/CD solutions. Teams can work together on one platform and collaborate without errors, with the freedom developers want and the visibility security and operations teams need.
Are you protected from the OWASP API Security Top 10?
As a result of the growing threat landscape and increasing usage of APIs, the OWASP API Security Top 10 Project was launched to help companies address security vulnerabilities specific to APIs.
Learn more about the OWASP API Security Top 10 and how 42Crunch can help.
Want to learn more? Here are some resources to help you out!