Last updated at Thu, 11 May 2023 00:56:28 GMT

AppSpider's got even more Swagger now!

As you may remember, we first launched improved RESTful web services security testing last year. Since then, you have been able to test REST APIs that have a Swagger definition file automatically, without capturing proxy traffic. Now we have expanded that functionality so that AppSpider can automatically discover Swagger definition files as part of the application crawl phase. You no longer have to import the Swagger definition file, which makes security testing of RESTful web services (APIs, microservices, and web APIs) even easier and more automatic. This is a huge timesaver and another evolution along AppSpider's long history of being better at handling modern applications than other application security scanning solutions.

Challenges with Security Testing RESTful APIs

When it comes to RESTful web services, most application scanning solutions have been stuck in the traditional web application dark ages. As APIs have proliferated, security teams have been forced to manually crawl each API call, relying on what little (if any) documentation is available and on their knowledge of the application. With a manual process like that, the best we can hope for is to not miss any path or verb (GET, PUT, POST, DELETE) within the API. In this scenario, you also have to figure out how to stay current with a manually documented API. The introduction of documentation formats such as Swagger, API Blueprint, and RAML helped, but testing was still a manual process fraught with errors.

RESTful Web Services: Security Testing Made Easy

Enter Rapid7.

At the end of 2015, we released a revolutionary capability for testing your REST APIs with the introduction of Swagger-based DAST scanning. This ability for AppSpider to learn how to test an API by consuming a Swagger definition (.json) file revolutionized the way DAST solutions handle API security testing. It allowed our customers, for the first time, to easily scan their APIs without a lot of manual work. Now we are taking it up another notch by making REST API security testing even easier.

What's New?

This is no trivial task, as it's not just parsing data out. When our engineers started this task, the first thing they thought about was how customers would use this feature. We quickly realized that, just like everything else in application security, scanning new technologies in the web application ecosphere brings the same challenges we faced when learning to effectively scan traditional web applications. So, here are three of the latest enhancements we have made to speed REST security testing.

  1. Automated Discovery of Swagger Definitions - Instead of feeding your Swagger definition file into AppSpider, you can simply point AppSpider to the URL that contains your Swagger definition and AppSpider will automatically ingest it and begin to take action.

  2. Parameter Identification and Testing with Expected Results - Application security testing solutions always have the challenge of knowing what the parameters are and what data they are expecting. Web applications can have many different parameters, some of which may be unique to just that API. We knew that if this was going to be effective we needed to be able to account for these unique types of parameters. This led us to expand our capability so that you can give AppSpider guidance on what these parameters mean to your application. Your guidance allows AppSpider to improve the comprehensiveness of the testing. AppSpider remembers your guidance and uses it in subsequent tests.

Quick tip: Regardless of which application security testing solution or experts you use, be sure that your scanner or testers are using expected results (a date for 'date', a name for 'last name' and a valid credit card number for 'ccn'). Without expected results, the test is largely ineffective.

  3. Scan restrictions - Just like any other area of a web application, APIs have sensitive portions that you may not want to scan. A good example of this is an HTTP verb like DELETE. Many teams have effectively documented ALL of their REST API. This is great and is really where you should be, but we need to be able to avoid testing certain sections. We are already very good at customizing your web application scanning to make it the best it can be. We have just extended this capability into the handling of APIs. Now you can leverage AppSpider's scan restrictions capability and exclude any parameter or HTTP verb you do not want to use.
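The three ideas in this list, sketched as an added example (this is not AppSpider's code or anything published by Rapid7): it reads a Swagger 2.0 definition, enumerates every path and verb, fills parameters with expected-format values, and honors verb and parameter exclusions. The definition, `GUIDANCE`, `DEFAULTS`, and `build_plan` are all constructed for illustration.

```python
import json

# Constructed Swagger 2.0 definition (sample input, not from a real service).
SWAGGER_DOC = json.loads("""
{
  "swagger": "2.0",
  "basePath": "/api/v1",
  "paths": {
    "/customers": {
      "get": {"parameters": [{"name": "last_name", "in": "query", "type": "string"}]},
      "post": {"parameters": [
        {"name": "signup_date", "in": "formData", "type": "string", "format": "date"},
        {"name": "ccn", "in": "formData", "type": "string"}]}
    },
    "/customers/{id}": {
      "parameters": [{"name": "id", "in": "path", "type": "integer"}],
      "delete": {},
      "get": {}
    }
  }
}
""")

HTTP_VERBS = {"get", "put", "post", "delete", "patch", "head", "options"}
# Tester guidance keyed by parameter name (hypothetical; 4111... is a standard test card number).
GUIDANCE = {"ccn": "4111111111111111", "last_name": "Smith"}
# Fallback values by (type, format) when no guidance exists for a parameter.
DEFAULTS = {("string", "date"): "2023-05-11", ("integer", None): 1, ("string", None): "test"}

def build_plan(doc, excluded_verbs=(), excluded_params=()):
    """Return [(VERB, url_path, {param: value})], honoring scan restrictions."""
    skip_verbs = {v.lower() for v in excluded_verbs}
    plan = []
    for path, item in sorted(doc.get("paths", {}).items()):
        shared = item.get("parameters", [])  # path-level parameters apply to every verb
        for verb in sorted((HTTP_VERBS & set(item)) - skip_verbs):
            values = {}
            for p in shared + item[verb].get("parameters", []):
                if p["name"] in excluded_params:
                    continue  # restricted parameter: never sent or tested
                key = (p.get("type"), p.get("format"))
                values[p["name"]] = GUIDANCE.get(p["name"], DEFAULTS.get(key, "test"))
            plan.append((verb.upper(), doc.get("basePath", "") + path, values))
    return plan

if __name__ == "__main__":
    for entry in build_plan(SWAGGER_DOC, excluded_verbs=["DELETE"]):
        print(entry)
```

Running it with `excluded_verbs=["DELETE"]` yields three operations instead of four, and the POST carries a date for `signup_date` and a well-formed card number for `ccn` rather than arbitrary strings.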

By leveraging AppSpider's automated testing of RESTful web services, which includes both parameter training and scan restrictions, you really have an unparalleled opportunity to test the security of your REST APIs quickly and frequently. We know you thought this was out of reach, but it's not!

So keep this in mind next time you are having a discussion on how to efficiently scan and understand the security weaknesses in your APIs. If you're stuck in a manual process, it might be time to take a look at how to automate these processes using something like Swagger. Note that Swagger has been renamed to the OpenAPI Specification. If you are already well automated, then we can give you the answer you've always wanted: we can automate your API scanning like never before.
