Run fuzzing and dynamic testing against deployed APIs: absent code
scanning, the other approach to testing custom APIs is the use of fuzzers
and dynamic application security testing (DAST) tools. Fuzzers are difficult
to configure properly and require subject matter expertise to run effectively.
However, fuzzing typically results in more thorough testing and identifies a
wider range of exploitable conditions in code. The time it takes for a fuzzer
to run to completion can be unpredictable, and subsequent runs can
produce different results due to the number of variables in play. DAST fares
slightly better, since the tools, particularly commercial-grade options, are
designed to be easier to get started with. When automating the scanning of
APIs with DAST, you will need the API schema along with recorded traces of an
application session or automation scripts (for example, Selenium or Appium) to
drive the scanner. While DAST scanners can be effective with traditional web
application designs, they often fail to understand how to exercise APIs.
It is common to see a DAST scan run for a few minutes and return trivial
results because the scanner wasn't configured to navigate API
functionality in the right sequence.
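As an added illustration of the sequencing problem described above (example code written for this page, not a tool from the original document): a small schema-driven fuzz harness that creates a resource before it exercises the read and delete operations, so that mutated requests reach real state instead of returning trivial 404s. The OpenAPI-style fragment, the in-process `fake_api` target and its deliberate robustness bug are all constructed for the example.

```python
# Constructed OpenAPI-style fragment describing a tiny /items resource (assumption).
SPEC = {"/items": {"post": {"id": "integer", "name": "string"}},
        "/items/{id}": {"get": {}, "delete": {}}}

# Mutations per schema type: boundary values, wrong types, and oversized input.
MUTATIONS = {"integer": [0, -1, 2**31, 2**63, "abc", "", None],
             "string": ["", "x" * 5000, "ünïcødé", 42, None]}

STORE = {}

def fake_api(method, path, body=None):
    """Constructed stand-in for a deployed API, not a real service. It has a
    deliberate robustness bug: non-numeric ids raise instead of returning 400."""
    if method == "POST" and path == "/items":
        if not isinstance(body.get("id"), int) or not isinstance(body.get("name"), str):
            return 400
        STORE[body["id"]] = body
        return 201
    if path.startswith("/items/"):
        item_id = int(path[len("/items/"):])  # ValueError on "abc" -> unhandled 500
        if method == "GET":
            return 200 if item_id in STORE else 404
        if method == "DELETE":
            STORE.pop(item_id, None)
            return 204
    return 404

def call(method, path, body=None):
    """Wrap the target so an unhandled exception is reported as an HTTP 500."""
    try:
        return fake_api(method, path, body)
    except Exception:
        return 500

def fuzz_items():
    """Drive the API in the order a client would (create, then read, then delete)
    so every mutated request hits a resource that exists; report any 5xx."""
    findings = []
    seed = {"id": 7, "name": "seed"}
    assert call("POST", "/items", seed) == 201          # establish state first
    assert call("GET", "/items/7") == 200                # sequencing sanity check
    for field, kind in SPEC["/items"]["post"].items():  # mutate POST body fields
        for value in MUTATIONS[kind]:
            status = call("POST", "/items", {**seed, field: value})
            if status >= 500:
                findings.append(("POST", "/items", field, value, status))
    for value in MUTATIONS["integer"]:                   # mutate the path parameter
        for method in SPEC["/items/{id}"]:
            status = call(method.upper(), f"/items/{value}")
            if status >= 500:
                findings.append((method.upper(), f"/items/{value}", "id", value, status))
    return findings
```

Each finding records the method, path, mutated field, value and status, which is the minimum a triage ticket needs to reproduce the crash.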
4. Check for known vulnerable code dependencies: similar to VA/VM, where
the goal is identifying CVE IDs, dependency analyzers and software
composition analysis (SCA) scanners can identify known vulnerable
open-source software packages and third-party libraries in API source
code, infrastructure-as-code, and container images, all of which play a part
in the complete systems that run APIs. Quickly identifying these known
vulnerable dependencies helps knock out a wide range of potentially
exploitable code that inevitably becomes part of your running APIs and
serving infrastructure. Run these dependency analysis tools on code
commits, in build, in delivery, and continuously. API infrastructure may be
mutable depending on where your organization is in its DevOps maturity and
pursuit of infrastructure automation. New vulnerable dependencies may be
inadvertently introduced, making it crucial to run these checks continuously.
5.