You have probably noticed that we love APIs at StackHawk – especially secure APIs. You may have caught our latest content on how to keep your APIs secure using vulnerability testing, or how to use your OpenAPI spec to run more thorough security testing.
At the end of March we released a TON of new API scanning capabilities in the StackHawk platform.
What are those updates? Why should you use them? And how do they make it even easier to scan your APIs for security vulnerabilities?
Let’s dive in.
New API Security Testing Features from StackHawk
So what did we do exactly?
Our new autoPolicy flag in the stackhawk.yml will pull a pretuned default policy from the StackHawk platform based on your configured API technology. This feature is currently available for GraphQL APIs and APIs built to the OpenAPI spec. Stay tuned for additional API technologies.

The autoInputType flag detects the correct request type based on the API technology being tested. The scanner only sends JSON requests to REST and GraphQL APIs and XML requests to SOAP APIs.

The scanner now understands REST path parameters and will not re-scan the same page with different data. If you run a website and you have the URL “www.pantsstore.com/{brand},” we won’t scan every brand page individually. The scanner now realizes that {brand} represents data and is not part of the application’s structure. ZAP calls this concept Data Driven Content.
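The path-parameter handling described above (what ZAP calls Data Driven Content), shown as an added example that is not StackHawk's or ZAP's code: given OpenAPI-style path templates, it folds a crawl's observed URLs onto their template so each structural page is scanned once, with the captured values kept as input data rather than as separate pages. The template list and the URLs are constructed for the example, and the matching rule (literal templates tried before parameterised ones, so `/about` is not swallowed by `/{brand}`) is this example's own assumption, not a description of how the scanner itself decides.

```python
"""Collapse observed URLs onto their path templates so that a scanner treats
/{brand} as one page rather than one page per brand.  Added example, not
StackHawk or ZAP code; templates and URLs below are constructed."""
import re
from urllib.parse import urlsplit

# Constructed OpenAPI-style path templates for the example pants store.
TEMPLATES = [
    "/{brand}",
    "/{brand}/products/{productId}",
    "/search",
    "/about",
]

# Constructed crawl results: six URLs, but only four distinct structural pages.
OBSERVED = [
    "https://www.pantsstore.example/levis",
    "https://www.pantsstore.example/wrangler",
    "https://www.pantsstore.example/levis/products/501",
    "https://www.pantsstore.example/wrangler/products/13MWZ",
    "https://www.pantsstore.example/search?q=jeans",
    "https://www.pantsstore.example/about",
]

PARAM = re.compile(r"\{(\w+)\}")


def compile_template(template):
    """Turn '/{brand}/products/{productId}' into an anchored regex whose
    named groups capture each path parameter (one path segment each)."""
    regex, pos = "", 0
    for m in PARAM.finditer(template):
        regex += re.escape(template[pos:m.start()])
        regex += r"(?P<%s>[^/]+)" % m.group(1)
        pos = m.end()
    regex += re.escape(template[pos:])
    return re.compile("^" + regex + "$")


def classify(url, compiled):
    """Return (template, captured params) for a URL, or the literal path with
    no params when no template matches (the path is then real structure)."""
    path = urlsplit(url).path
    for template, rx in compiled:
        m = rx.match(path)
        if m:
            return template, m.groupdict()
    return path, {}


def unique_scan_targets(urls, templates=TEMPLATES):
    """Group URLs by structural page.  Assumption of this example: templates
    with fewer parameters are tried first, so a literal '/about' wins over
    the catch-all '/{brand}'."""
    ordered = sorted(templates, key=lambda t: len(PARAM.findall(t)))
    compiled = [(t, compile_template(t)) for t in ordered]
    targets = {}
    for url in urls:
        template, params = classify(url, compiled)
        targets.setdefault(template, []).append(params)
    return targets


if __name__ == "__main__":
    for template, seen in unique_scan_targets(OBSERVED).items():
        print(f"{template}: scan once, {len(seen)} data variant(s) {seen}")
```

Running the block on the constructed crawl yields four scan targets for six URLs; the two brand pages and the two product pages each collapse to their template, and the brand and product ids are carried along as data the scanner can feed into its tests instead of re-crawling.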
Why We ❤️ These Features
The majority of security testing tools don’t understand the nuances of API technologies.
As a result, other scanners will bombard an API with all different request types until they can receive a response. And, many of the tests the scanner attempts to run aren’t applicable to APIs. This results in scans that run slowly and are full of false positives – resulting in a lot of user frustration.
With these new features, users get faster, more accurate scans of all APIs. The scanner now understands what technology it is scanning and can dynamically adjust its testing approach. You can have confidence that the scanner is running the most relevant tests, finding critical vulnerabilities, and providing accurate results.
Give it a Whirl
To give these new API testing capabilities a go, make sure to sign up for a free StackHawk account. If you don’t have an API to use for testing, check out our intentionally vulnerable Node Express app or GraphQL API.
If you run into problems once you get scanning, check out our webinar on API security testing with the Node Express app, or give our customer support team a shout.