Navigating the OpenAPI Security Audit Report

In our previous tutorial, we created an API collection, then imported and audited an OpenAPI definition. Now we are going to drill into the audit report and walk you through how to get the most out of it.

Viewing Checks

API Contract Security Audit is a static analysis of your OpenAPI definition, checked against the OpenAPI Specification. We run 200+ checks on your API definition, and you can view all of them in our API Security Encyclopedia by clicking View Checks in the dashboard.

API Security Encyclopedia

The API Security Encyclopedia collects together information on the risks, guidelines, and recommendations relating to API security. The encyclopedia has the following main sections:

  • OWASP API Security Top 10: The OWASP project dedicated to API security lists the most important risks and attack vectors in API security.
  • Audit issues from API Contract Security Audit: This section provides descriptions and remediations for all the issues that API Contract Security Audit can find in your API definitions. Both OpenAPI Specification (OAS) v2 and v3 are supported, and the articles applicable to each version are collected in their own dedicated sections.

Audit Score Overview

The audit score of your API is shown at the top of the report. The security audit is broken down into three sections:

  • Security – possible score of 30
  • Data Validation – possible score of 70
  • OpenAPI Format – formatting issues are not scored, but should be remediated first so that you can proceed with protecting your API.

NOTE: If you import an API definition that is not a valid OpenAPI definition (that is, one with issues in its format), you see a yellow warning at the top of the API summary page, and the issues found are marked in red in the report. To ensure the accuracy of the audit, make sure that your OpenAPI definition is well-formed first.
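To make the Security and Data Validation categories concrete, here is an added example, not taken from the original tutorial or from 42Crunch's own check definitions: a constructed OpenAPI 3.0 fragment with a weak operation and its remediated counterpart side by side. Which specific checks fire and how many points each costs is decided by the audit itself; the findings annotated in the comments are assumptions about typical issues in each category, and format errors (the third category) are not shown because the file has to parse before either category is scored.

```yaml
openapi: 3.0.3
info:
  title: Constructed sample for the audit categories
  version: "1.0"
paths:
  /legacy/users/{id}:            # weak operation, kept only for comparison
    get:
      # Security category: no `security` requirement, so the operation
      # is callable without any credentials (assumed finding).
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string         # Data Validation: no pattern or maxLength
      responses:
        "200":
          description: ok        # Data Validation: no response schema
  /users/{id}:                   # remediated operation
    get:
      security:
        - bearerAuth: []         # operation now requires a bearer token
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
            pattern: "^[0-9a-f]{8}$"   # constrained format
            maxLength: 8               # bounded length
      responses:
        "200":
          description: The user record
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/User"   # typed response
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
  schemas:
    User:
      type: object
      additionalProperties: false      # reject undeclared fields
      required: [id, name]
      properties:
        id: { type: string, maxLength: 8 }
        name: { type: string, maxLength: 64 }
```

Auditing the weak operation alone should produce findings in both scored categories; auditing the remediated one shows how the score recovers once the operation is authenticated and its inputs and outputs are constrained.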

Navigating the Report

All security issues are scored based on the risk involved: the greater the risk, the higher the score (and the priority). You can filter issues by priority or category, or view all found issues as a list. You can also search for specific issues, both in ‘All Issues’ and within each individual category.

You can start fixing issues straight from the priority list, or click into individual issues and remediate from there. Clicking Go to Issue takes you to the place in your API definition where the issue occurs and shows you a description along with remediation recommendations.
