Swagger-based Dynamic Application Security Testing (DAST) is now fully supported by IBM Security AppScan Enterprise. AppSwag gives IBM Security AppScan Enterprise the ability to learn how to test an API by consuming a Swagger definition (.json) file, revolutionizing the way IBM Security AppScan Enterprise handles API security testing. For the first time, our customers can easily scan their APIs without a lot of manual work.
AppSwag is a command line tool that converts a Swagger API definition (e.g. http://petstore.swagger.io/v2/swagger.json) into an IBM Security AppScan Enterprise Manual Explorer file, which can then be imported or uploaded to the IBM Security AppScan Enterprise server along with scan configuration options and run as a scan job. The Manual Explorer file contains the HTTP/HTTPS traffic for the web service, generated by AppSwag from the REST API Swagger definition. Bottom line: IBM Security AppScan Enterprise can now consume Swagger definitions and automatically scan RESTful services. AppScan RESTful service testing is finally made easier with AppSwag.
So What’s the Big Deal?
When it comes to RESTful web services, most application security scanning solutions have been stuck in the dark ages of traditional web application testing. As APIs have proliferated, security teams have been forced to manually crawl each API call, relying on what little documentation, if any, is available and on their knowledge of the application. With a manual process like that, the best we could hope for was not to miss any path or verb (GET, PUT, POST, DELETE) within the API. This cumbersome, time-consuming process inevitably left many APIs without coverage, posing significant risk to the business.
Swagger came along and gave users the detailed information they needed about every endpoint: the authentication around it, the type of authentication, what each endpoint expects in terms of payload (string or integer), and so on. AppSwag takes that information and generates the IBM Security AppScan Enterprise Manual Explore file for you. It looks at an endpoint, understands the Swagger definition and knows exactly what it needs to do. AppSwag converts the REST API information into a generated Manual Explore file, providing rich information about the REST service you are scanning, which IBM Security AppScan Enterprise can now use to find new vulnerabilities.
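The core conversion step described above, as an added illustration that is not AppSwag's own code: every path/verb pair in a Swagger 2.0 definition is expanded into a concrete request template with type-appropriate placeholder values, so no path or verb is left uncovered. The definition is a constructed stand-in for the Petstore file, and the output is a plain list of request dictionaries, since the post does not describe the Manual Explorer file format.

```python
import json
from urllib.parse import urlencode
# Constructed Swagger 2.0 definition used as sample input (a cut-down stand-in,
# not the real Petstore file linked in the post).
SWAGGER_JSON = json.dumps({
    "swagger": "2.0", "host": "api.example.test", "basePath": "/v2", "schemes": ["https"],
    "paths": {
        "/pet/{petId}": {
            "get": {"parameters": [{"name": "petId", "in": "path", "type": "integer"}]},
            "delete": {"parameters": [{"name": "petId", "in": "path", "type": "integer"}]}},
        "/pet/findByStatus": {
            "get": {"parameters": [{"name": "status", "in": "query", "type": "string"}]}},
        "/pet": {
            "post": {"parameters": [{"name": "body", "in": "body", "schema": {
                "type": "object",
                "properties": {"name": {"type": "string"}, "id": {"type": "integer"}}}}]}},
    },
})

# Type-appropriate placeholders so every generated request is well-formed.
SCALARS = {"integer": 1, "number": 1.5, "boolean": True, "string": "a"}

def sample_value(schema):
    """Build a placeholder value matching a Swagger parameter or schema type."""
    kind = schema.get("type", "string")
    if kind == "object":
        return {k: sample_value(v) for k, v in schema.get("properties", {}).items()}
    if kind == "array":
        return [sample_value(schema.get("items", {}))]
    return SCALARS.get(kind, "a")

def swagger_to_requests(text):
    """Expand every path/verb pair in the definition into one request template."""
    spec = json.loads(text)
    base = f"{spec.get('schemes', ['https'])[0]}://{spec['host']}{spec.get('basePath', '')}"
    requests = []
    for path, ops in sorted(spec["paths"].items()):
        for method, op in sorted(ops.items()):
            url, query, body = base + path, {}, None
            for p in op.get("parameters", []):
                if p["in"] == "path":  # fill the {petId} placeholder in the URL template
                    url = url.replace("{" + p["name"] + "}", str(sample_value(p)))
                elif p["in"] == "query":
                    query[p["name"]] = sample_value(p)
                elif p["in"] == "body":  # JSON body built from the declared schema
                    body = sample_value(p.get("schema", {}))
            if query:
                url += "?" + urlencode(query)
            requests.append({"method": method.upper(), "url": url, "body": body})
    return requests
```

A scanner fed these templates can exercise all four operations, including the DELETE that a manual crawl of the UI would typically never trigger.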
- COVERAGE – Now you can scan all of your REST services using the industry-leading IBM Security AppScan Enterprise application security testing solution.
- QUICK – AppSwag provides a huge time saving by quickly converting Swagger REST API definitions so that AppScan can perform application security testing.
- EASY – AppSwag with AppScan allows customers, for the first time, to easily scan their APIs without a lot of manual work. AppSwag for AppScan makes REST API security testing even easier.
- AUTOMATION – AppSwag consumes Swagger REST API definitions to automate the scanning of APIs using AppScan.
- SCALABLE – AppSwag allows AppScan to quickly scan Swagger-enabled REST APIs, letting you scale to address your needs whether you have tens, hundreds or even thousands of applications.