Category: Software, Security, github

Adversaries have increasingly attacked these applications, and defenders have adopted various testing tools and technologies to protect them. Today most enterprises have an Application Security (AppSec) program in place to manage the deployment of these tools and to track and remediate the vulnerabilities they find.

The workhorse of any AppSec program is Static Application Security Testing (SAST), a “white box” assessment of the vulnerabilities in an application. SAST examines the source code and builds a model of the data flow through the application to determine where it may be vulnerable to external attack, for example to injection attacks.

Even in this case, without a deeper understanding of the API endpoints, DAST tools can’t provide an intelligent assessment of API security.

In contrast, API security tooling that adds value to the development effort within the developers’ own environments (for instance by allowing continuous validation of API specifications) is more likely to be adopted and actively used.
