We are thrilled to announce a major new innovation in application security testing. AppSpider is the first Dynamic Application Security Testing (DAST) solution capable of testing Swagger-enabled APIs. Swagger is one of the most popular frameworks for building APIs and the ability to test Swagger-enabled APIs is not only a huge time savings for application security testing experts, but also enables Rapid7 customers to more rapidly reduce risk.
Why does this matter?
Modern applications make liberal use of APIs. APIs are powering mobile apps like Twitter and Facebook and they're providing rich client experiences like Gmail. They are also powering the Internet of Things (IoT) – APIs are what connect the billions of IoT devices to the cloud where the data they collect is processed, crunched and made useful.
APIs have enabled the complex web of applications that exists today in almost every corporate and government environment. and at the same time, have quickly become one of the most difficult challenges for security teams because most DAST solutions are blind to them.
These modern problems, like API security testing, require modern solutions. AppSpider is a modern DAST solution designed for today's connected world. DAST solutions must be relevant for today's environment.
Remaining relevant in today's inter-connected world
In today's connected world, security professionals are challenged with securing exploding digital ecosystems that touch every facet of their business from customers and shareholders to employees and partners. These digital ecosystems have become a complex tapestry of old and new web applications, web services and APIs that are highly connected to each. Adding to the complexity, the Internet of Things (IoT) is now driving tremendous innovation by connecting our physical world to our digital one. This inter-connected network of applications is constantly accessing, sharing and updating critical sensitive data.
Your company's data is one of your most precious assets and we know that securing that data is what keeps you up at night.
It keeps us up at night too.
We look at today's application ecosystems as having three pillars:
- Web applications and web services
- Internet of Things (IoT)
- Connected applications (connected by RESTful APIs)
We at Rapid7 are dedicated to bringing you solutions that are relevant to today's ecosystem. We are committed to delivering solutions that can help you be effective at securing your organization's data even in this highly connected and complex world we are in.
AppSpider: Modern DAST for a Connected World
Understanding how AppSpider addresses today's connected, modern technologies requires a little understanding of history about DAST. Legacy DAST solutions communicate with applications through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. Most DAST solutions first perform a “crawl” of the client interface to understand the application and then they conduct an “attack” or “audit” to find the vulnerabilities.
Today's applications – think about Amazon and Google – have rich clients with mini-applications nested inside of it and APIs on the back end checking and updating other data. These applications cannot be crawled using the legacy crawl and attack DAST approach. There are many faceless parts of the application, deep below the surface, that have to be analyzed by a scanner in a different way.
Traditional crawling only works for the first pillar described above, web applications. A modern DAST solution must be relevant for all three pillars.
Let us be the first to say that legacy DAST is dead. It's time for modern DAST solutions.
AppSpider has moved beyond the crawl and attack framework and is able to analyze these modern applications even the portions that it can't crawl. It's capable of understanding IoT and interconnected applications because it can now analyze and test a Swagger-enabled REST API.
APIs: A Source of Pain for Application Security Experts
Unfortunately, APIs carry the exact same security risks that we have been fighting with web applications for years. APIs enable traffic to pass through normal corporate defenses like network firewalls, and, just like web applications, they are vulnerable to SQLInjection, XSS and many of the attacks we're used to because they access sensitive corporate data and pass it back and forth to all kinds of applications.
Today's APIs have newer architectures and names like, RESTful Interfaces, microservices or just "APIs" and they have enabled developers to rapidly deliver highly-scalable solutions that are easy to modify and extend.
As great as APIs are for developers and for end users, they have created some very serious challenges for security experts, and all too often, APIs are going completely untested leaving vulnerabilities undiscovered resulting in security risk.
Until now, most teams haven't had the ability to security test APIs because they have required manual testing. We spoke to one customer who currently has about eight APIs. Each API takes about two hours to test manually and they want to test it every time there is a new build, but many security teams aren't staffed for that level of manual testing.
And, to make matters worse, security experts often don't know the functionality of APIs because they aren't documented in such way that security teams can easily get up to speed. When you end up with is already-strapped-for-time security experts faced with a manual testing effort for functionality they need to learn about.
Enter Swagger (and, of course, AppSpider) to save the day! Swagger, an open source solution, is one of the most popular API frameworks. It defines a standard interface to REST APIs that is agnostic to the programming language. A Swagger-enabled API enables both humans and computers to discover and understand the capabilities of the service.
Because APIs are being delivered so quickly, many APIs and microservices haven't been well documented (or documented only in a Word doc that sits with the development team). With Swagger, teams have increased the documentation for their APIs and have also increased their interoperability and the ability for other solutions. Its this machine readable documentation that enables like modern DAST solutions, to discover and analyze Swagger-enabled APIs.
How AppSpider Tests Swagger-Enabled APIs
AppSpider has two major innovations that enable it to fully test Swagger APIs. The first is AppSpider's Universal Translator and the second is the ability to analyze these Swagger files.
Let's first look at AppSpider's Universal Translator. The Universal Translator was built to enable AppSpider to analyze the parts of the application that can't be crawled, like APIs. The Universal Translator analyzes traffic captured with a proxy like Burp or Paros. Now, AppSpider's Universal Translator is also able to analyze a Swagger file eliminating the need to capture proxy traffic for testing a Swagger-enabled RESTful API. The Universal translator then normalizes traffic and attacks the application.
The diagram above shows how the Universal Translator works. It consumes data that comes in from three sources, a traditional crawl, recorded HTTP traffic and now, Swagger files. It then normalizes that data into a standard format and then completes the attack phase of the application security test.
We like to call the Universal Translator “future-proof” because its designed to be adaptable to this rapidly changing digital environment - we can easily extend it as technologies become available, like Swagger, which now enables further innovation.
What can you do to improve API security testing on your team?
There are many things you can do to begin testing APIs more effectively.
- Learn about them: Regardless of whether you test an API manually or automatically, it's important to understand the functionality. Security testers should invest the time to learn the API's functionality and then plan an appropriate test. Go to your developers and ask them how they are documenting APIs and how you can learn about them.
- Does your team have Swagger? Find out if your developers are using Swagger. If they aren't, encourage them to check it out. You can add Swagger files to existing APIs to make them machine readable and enable automated testing with AppSpider.
- Does your DAST have Swagger? Consider using a DAST solution that further automates testing of APIs. AppSpider is able to test Swagger APIs from end to end and it also automates much of the testing process for other APIs.
- Test APIs with AppSpider: If your team is interested in further automating API testing, download AppSpider to evaluate if it's a fit for your team and if it can help you address more of your attack surface automatically.