![\"\"](\"https:\/\/staging2022.42crunch.com\/wp-content\/uploads\/2024\/05\/VHS.png\")
<\/p>\n<\/p>\n
If you\u2019re a child of the 80s like me, you may have had the distinction of being the only one in your house who knew how to program your VCR. My motivation was strong. Clarinet lessons were interfering with my favorite show, the A Team. I was the one in the family who handled most AV responsibilities at the time and I was confident that this would be a simple task. Nope. After fighting with the VCR for 20 minutes, I went digging through the stack of manuals in our kitchen drawer and found the one that said Sylvania. Five minutes later, I had the weekly recording set up and took comfort in knowing I\u2019d never miss another episode.<\/p>\n
These days, reading a manual to do anything seems practically medieval. I can now record my favorite shows with a click of my Roku remote. And thanks to a trend Apple started long ago with the iPhone, most of the consumer electronics that I buy don\u2019t even come with a physical manual. And yet, there are still many cases where having accurate and complete documentation pays big dividends. API Security testing happens to be one of them.<\/p>\n
Know before you test<\/strong> So why aren\u2019t all web applications tested this way? In short, because this approach takes too much time and requires too many people. Developers have little time to produce technical documentation and even if they did, security engineers are so vastly outnumbered by developers they\u2019d struggle to keep up and take advantage. In reality, most security teams rely on traditional DAST scanning tools (often based on something like OWASP Zap) that utilize a one-size-fits-all library of dynamic tests against their applications. While these tools can be useful in finding common vulnerabilities, they are usually accompanied by a high volume of false positives and fail miserably at finding most of the top API vulnerabilities.<\/p>\n OpenAPI as a boon for security<\/strong> Based on the points in the previous section, you can see why OAS should be viewed as an absolute gift for security testers. Along with the many business benefits of having good API documentation, the value that this provides to security teams can\u2019t be overstated:<\/p>\n Despite these significant benefits, many AppSec teams continue to use their legacy DAST tools to test APIs. I get it – these teams are already stretched and are not looking to add yet another tool that might introduce more false alarms and slow their devs down. At a time when CISOs are looking for tool consolidation, a specialty API security testing tool might not make the cut. However, those organizations that view APIs as a large and fast growing attack surface with minimal governance and control are ready for a better approach to security testing.<\/p>\n At 42Crunch, we\u2019re dedicated to helping customers drive security into their API development lifecycle. We have been evangelizing the use of OpenAPI Specifications for testing and protecting APIs for years and have seen our customers make huge strides in their API security programs through continuous and increased adoption of our approach. If you\u2019re ready to begin this journey, we\u2019d be proud to help.<\/p>\n","protected":false},"excerpt":{"rendered":" If you\u2019re a child of the 80s like me, you may have had the distinction of being the only one in your house who knew how to program your VCR. My motivation was strong. Clarinet lessons were interfering with my favorite show, the A Team. I was the one in the family who handled most […]<\/p>\n","protected":false},"author":14,"featured_media":18867,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"Why Use the OpenAPI Specification for API Security Testing","_seopress_titles_desc":"Leveraging the OpenAPI Specification to document your APIs and create API design files \/ contracts is a huge advantage for anyone wishing to perform security testing. Here is why","_seopress_robots_index":"","site-sidebar-layout":"default","site-content-layout":"disabled","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"disabled","ast-hfb-above-header-display":"disabled","ast-hfb-below-header-display":"disabled","ast-hfb-mobile-header-display":"disabled","site-post-title":"disabled","ast-breadcrumbs-content":"disabled","ast-featured-img":"disabled","footer-sml-layout":"disabled","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[46,21],"class_list":["post-18802","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-api-security-testing","tag-openapi-specification"],"_links":{"self":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/18802"}],"collection":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/comments?post=18802"}],"version-history":[{"count":2,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/18802\/revisions"}],"predecessor-version":[{"id":18811,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/18802\/revisions\/18811"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media\/18867"}],"wp:attachment":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media?parent=18802"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/categories?post=18802"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/tags?post=18802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nBut why be so specific? Isn\u2019t good documentation useful for any software security testing, not just APIs? Of course! Having deep knowledge about how a web application functions, how it\u2019s built, and even how it\u2019s deployed is a huge advantage for anyone wishing to perform security testing. Armed with this knowledge, a security engineer can model specific threats and formulate a custom test plan that covers all components of the application. As a result, the testing can be far more effective than if the tester had minimal knowledge of the application.<\/p>\n
\nSpeaking of APIs, let\u2019s get back to how they\u2019re different from web applications. One major difference is that web and mobile applications are heterogeneous by nature. Because there\u2019s no standard approach to building a web application, there\u2019s also no standard way to document how they work. In contrast, REST APIs are highly structured and adhere to various RFC standards. This has led to the emergence of a widely adopted documentation standard that describes every aspect of an API called OpenAPI Specification (OAS) or more commonly Swagger. The original purpose of OAS was to provide a human and machine readable language for producers to share information about APIs with consumers. In fact, producers that publish Swagger files early can enable consumers to build integrations at the same time that the API is being built.<\/p>\n\n