As I was writing APIs one day at work, I realized that I wasn't too sure whether those APIs were secure. So I started looking for simple GUI tools that can be used by teams to evaluate their API security posture.
And in this process I found 3 categories of tools:
- Penetration-as-a-service vendors: I wasn't too keen on black-box testing techniques as they come late into the development life-cycle and don't offer much transparency with respect to tests.
- Open-source API fuzzers: There are quite a few robust tools out there. But again these require some time and effort to set up and get going.
- Paid tools: Again I could find a bunch of platforms that run 100s of tests but were expensive.
And so I set forth to writing one by myself. As part of my research, I found out that the OpenAPI specification is a good starting point for describing APIs since it's an industry standard and a lot of tooling is available around it.
I also took the same approach as the other paid and free/open-source tools to finding API security flaws.
However, I have attempted the following:
- To keep the UI simple (easy to navigate)
- Keep OpenAPI Spec validation errors to a minimum so that developers can quickly get documentation out of their way
Finding schema validation errors is simple:
- Upload a spec or Postman Collection, or start with a petstore template
- Fix validation errors and get to a RUN_API status
- Go to the Run tab, select the API Endpoint URL and hit Run to find schema validation errors
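To make concrete what the "Run" step above is checking, here is an added example (not code from apihome.io or cymitra.com) of validating a live API's JSON response against the response schema declared in its OpenAPI document. The trimmed petstore-style spec, the sample responses and the function names (`check_response`, `validate`, `resolve_ref`) are all constructed for this illustration; it implements only the subset of JSON Schema needed here (type, required, enum, additionalProperties, items, local $ref) so that it runs offline without extra libraries. Beyond plain type mismatches, it flags properties the response returns that the spec never documented, which is the case a reviewer most wants to see because it often means data is leaving the API that nobody has reviewed.

```python
# Added example, not the tool's own code: check an API response body against the
# response schema declared in an OpenAPI 3 document. Spec and responses are constructed.
import json

# Constructed, trimmed OpenAPI 3 fragment in the spirit of the petstore template.
OPENAPI_SPEC = {
    "openapi": "3.0.0",
    "paths": {
        "/pets/{petId}": {
            "get": {
                "responses": {
                    "200": {
                        "content": {
                            "application/json": {
                                "schema": {"$ref": "#/components/schemas/Pet"}
                            }
                        }
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "Pet": {
                "type": "object",
                "required": ["id", "name"],
                "additionalProperties": False,
                "properties": {
                    "id": {"type": "integer"},
                    "name": {"type": "string"},
                    "status": {"type": "string", "enum": ["available", "sold"]},
                },
            }
        }
    },
}

JSON_TYPES = {"integer": int, "string": str, "boolean": bool, "object": dict, "array": list}


def resolve_ref(spec, schema):
    """Follow a local '#/...' $ref until a concrete schema object is reached."""
    while "$ref" in schema:
        node = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def validate(spec, schema, value, path="$"):
    """Return a list of human-readable errors for value against schema (JSON Schema subset)."""
    schema = resolve_ref(spec, schema)
    errors = []
    expected = schema.get("type")
    if expected in JSON_TYPES:
        py_type = JSON_TYPES[expected]
        # bool is a subclass of int in Python, but JSON treats them as distinct types
        if not isinstance(value, py_type) or (py_type is int and isinstance(value, bool)):
            return [f"{path}: expected {expected}, got {type(value).__name__}"]
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not in enum {schema['enum']}")
    if expected == "object":
        props = schema.get("properties", {})
        for req in schema.get("required", []):
            if req not in value:
                errors.append(f"{path}.{req}: required property missing")
        for key, sub in value.items():
            if key in props:
                errors.extend(validate(spec, props[key], sub, f"{path}.{key}"))
            elif schema.get("additionalProperties") is False:
                # Fields the spec never documented: worth a look, they may leak data
                errors.append(f"{path}.{key}: undocumented property in response")
    if expected == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors.extend(validate(spec, schema["items"], item, f"{path}[{i}]"))
    return errors


def check_response(spec, path, method, status, body_text):
    """Look up the schema declared for (path, method, status) and validate a raw JSON body."""
    op = spec["paths"][path][method]
    schema = op["responses"][str(status)]["content"]["application/json"]["schema"]
    return validate(spec, schema, json.loads(body_text))


if __name__ == "__main__":
    # Constructed sample responses: one conforms to the spec, one does not.
    good = '{"id": 7, "name": "rex", "status": "available"}'
    bad = '{"id": "7", "status": "lost", "owner_email": "a@example.com"}'
    print(check_response(OPENAPI_SPEC, "/pets/{petId}", "get", 200, good))  # []
    for err in check_response(OPENAPI_SPEC, "/pets/{petId}", "get", 200, bad):
        print(err)
```

In a real run the body would come from an HTTP call to the endpoint URL selected in the Run tab; everything else stays the same. Each error carries a JSON path, so a developer can map it straight back to the field in the spec that needs fixing.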
Although it's still a work in progress, I would love for you guys to check it out and share feedback.
For more information, do check out: https://cymitra.com or head directly to https://apihome.io
Thank you