AppSwag API

Swagger-based API Security
AppSwag API, Swagger-based Dynamic Application Security Testing (DAST) is now fully supported by IBM Security AppScan Standard, AppScan Enterprise and ASOC. AppSwag API now provides IBM Security AppScan the ability to test RESTFul APIs by consuming their Swagger definition (json) files revolutionizing the way IBM Security AppScan handles API security testing. Doing so now allows our customers for the first time, to easily Dynamically scan their APIs without a lot of manual work.

READ MORE
AppSwag API
AppSwag API Lite is an API that can convert the Swagger API definition ex (http://petstore.swagger.io/v2/swaggerjson) into an IBM Security AppScan Enterprise artifact file, that can then be imported or uploaded to the IBM Security AppScan Enterprise server along with scan configuration options to run as a scan job. The AppSwag API Lite artifact generated from an APIs Swagger documentation contains everything that IBM AppScan Enterprise needs to thoroughly Dynamically scan an API. Bottom line IBM Security AppScan Enterprise can now consume Swagger definitions and automatically scan Microservice RESTful APIs. API security testing finally made easier with AppSwag API Lite

AppSwag for AppScan Standard

Enabling organizations to automate application security testing for CI/CD pipelines, is essential to supporting fast-paced, agile, micro-services development. Our expertise around CI/CD integration for automated security testing is critical to mitigating risk and achieving compliance.

AppSwag for AppScan Enterprise

Helping organizations to properly test and patch microservice RESTful APIs through Swagger-based Dynamic Application Security Testing and Virtual patching, critical to securing APIs. AppSwag (Standard) allows you to Test and Patch APIs

AppSwag for ASOC

Filling gaps and extending the testing, Patching, Protection and Monitoring of Microservice RESTful APIs is paramount when securing APIs that are exposed publicly. AppSwag Enterprise allows you to Test, Patch, Protect and Monitor APIs.

So What's the Big Deal

When it comes to RESTful APIs, most application security scanning solutions have been stuck in the traditional web application dark ages. As APIs have proliferated, security teams have been forced to manually crawl each API call, relying on what little – if any – documentation is available and knowledge of the application. With a manual process like that, the best we could hope for was to not miss any path or verb (GET, PUT, POST, DELETE) within the API. This cumbersome, time consuming process inevitably left many APIs without coverage posing significant risk to the business.

AppSwag API uses Swagger for AppScan

Swagger came along and provided users the detailed information they needed about every endpoint, the authentication around it, the type of authentication, what each endpoint expects in terms of payload, (string or integer), etc. What AppSwag API Lite does is it takes that information and generates the IBM Security AppScan Enterprise artifact file for you. It looks at an endpoint, understands the swagger definition and knows exactly what it needs to do. AppSwag API Lite converts the Microservice RESTFul API information into a artifact file, providing rich information about the Microservice RESTFul API you are scanning which IBM Security AppScan Enterprise can now use to find new vulnerabilities.

How Does AppSwag API Work

0

Consume Swagger
Definition

0

Analyze & Parse Swagger Definition

0

Convert Swagger Definition to Security Artifact

0

Output Security
Artifact

0

Security Test, Patch, Protect and Monitor

Domino’s Delivery of a Faster Response was No Standard Order

Security for APIs in DevOps Sucks!!!!!

So What’s the Big Deal…….

Security in todays agile microservices development lifecycle just doesn’t work, it SUCKS literally, impeding development innovation and slowing time to market. The shift of enterprise development organizations away from traditional monolithic applications to microservices has exacerbated an already bad situation, making it worse.

Traditional security tools, solutions and processes have struggled to provide meaningful value when the development organization needs security feedback early on in development where it is both cheaper and easier to correct security defects. Now with agile development of microservices in DevOps the problem is just outright grave. Tradtional security tools, solutions and processess typically need to happen in a very serial way which worked for waterfall.

Today, critical security feedback in the form of risk data is being captured too late and being fedback to the development organization in an asynchronous matter just as services are being released into production. This current security process both disrupts and frustrates development teams as they now must incorporate security remediation in upcoming sprints whereby resources are already tight as well as timelines. The bottom line is that todays security tools, solutions and processes do not work for microservices development because they can’t support it or keep pace, yielding little if any value to the development organization.

At AppCurity we’re attacking this problem by building the Next Generation of Application Security Enablement products for agile microservices development that fills the gaps previously discussed, addresses common critical pain-points, simplifies complex workflows and extends the value of trusted enterprise security solutions. We do this by first understanding the needs of agile development teams that build microservices in a DevOps ecosystem.

We identify critical gaps, such as poor security engagement in microservices development which then leads to lack of security requirements for development teams as they build microservices. The lack of automated Static & Dynamic Security Testing (SAST&DAST) of RESTFul APIs as part of the CI/CD Pipeline with Pass/Fail feedback for Development teams and lastly inadequate real- time vulnerability alerting to development teams for open source code. These critical gaps all lead to risk ridden microservices being deployed to production exposing the business to significant risk. These are just a few examples out of many where security is failing to provide value for microservices development teams in DevOps.

Traditional security tools, solutions and processes were not built or designed to support agile microservices development in DevOps. They lack the capabilities necessary to support rapid microservices development. By incorporating our security enablement products for microservices development we extend the value of traditional security tools and solutions affording them to now support key requirements necessary to support agile face-paced microservices development in DevOps. Our security enablement solutions are ushering in the Next Generation of Application Security empowering development teams and finally allowing security to yield significant value when it’s really needed early on in the development lifecycle.

IBM
AppCurity is an IBM Security Business Partner. We resell, implement / deploy, integrate and configure IBM AppScan, QRadar, Guardium, Site Protector and much more. Please give us a call today to discuss your IBM needs.

Have a query or want to discuss something?

CONTACT US
Menu