What is API Security?

APIs (Application Programming Interfaces) are a key part of digital transformation strategies, and securing those APIs is a top challenge. APIs are a rapidly growing attack surface that isn't widely understood and can be overlooked by developers and application security managers.

Let’s let OWASP API Security Project take this: “APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.”

How API Based Apps are Different?

Again, from OWASP: The server is used more as a proxy for data The rendering component is the client, not the server Clients consume raw data APIs expose the underlying implementation of the app The user’s state is usually maintained and monitored by the client More parameters are sent in each HTTP request (object IDs, filters)

How is API security different from general application security?

API Security focuses on strategies to mitigate the unique security risks of APIs. Traditional vulnerabilities are less common in API-based apps: SQLi – Increasing use of ORMs CSRF – Authorization headers instead of cookies Path Manipulations – Cloud-based storage Classic IT Security Issues - SaaS

Why is API security important?

API security is important because businesses use APIs to connect services and to transfer data, so a hacked API can lead to a data breach. According to Gartner, 90% of web-enabled applications will have more attack surface area in exposed APIs rather than in the user interface . API Usage Continues to Rise According to Forrester, from December 2020 to June 2021, the percentage of API traffic that was malicious grew 85%. . In December 2021, Cloudflare reported that API calls accounted for 54% of total requests and increased 21% from February to December 2021. Attackers have taken notice and increased their focus on APIs. API security testing is part of the core capabilities in the Gartner MQ for Application Security Testing. APIs have become an essential part of modern applications (e.g., single-page or mobile applications), but traditional AST toolsets may not fully test them, leading to the requirement for specialized tools and capabilities. The ability to discover APIs in both development and production environments and test API source code, as well as the ability to ingest recorded traffic or API definitions to support the testing of a running API, are typical functions.

What is the OWASP API Security Top 10?

OWASP recently announced the API Security Top 10 Release Candidate. Read more about the OWASP API Security Project (and check out presentation deck in the Quick Links section). Here is the top 10: API1 - Broken Object Level Authorization API2- Broken User Authentication API3 - Excessive Data Exposure API4 - Lack of Resources & Rate Limiting API5 - Broken Function Level Authorization API6 - Mass AssignmentAPI7 Security Misconfiguration API8 - Injection API9 - Improper Assets Management API10 - Insufficient Logging & Monitoring

How does Fortify helps with API Security?

API Security with Fortify: Attack Surface Coverage – Discover new and shadow API endpoints automatically during testing and identify the breadth of endpoints with OpenAPI, Swagger, Odata, or WSDL schemas. API Authentication – API authentication is varied and complex. Fortify supports virtually all types of bearer tokens and implementations. Vulnerability Detection – Ever-expanding coverage of API-specific vulnerabilities affecting areas such as bearer tokens or GraphQL introspection. Scan Automation – Scale API testing with enterprise-grade orchestration delivered via SaaS, hosted, or on premise.

What is Application Security?

Why Application Security?

As validated by multiple studies, the majority of successful breaches target exploitable vulnerabilities residing in the application layer, indicating the need for enterprise IT departments to be extra vigilant about application security. To further compound the problem, the number and complexity of applications is growing. Ten years ago, the software security challenge was about protecting desktop applications and static websites that were fairly innocuous and easy to scope and protect. Now, the software supply chain is much more complicated considering the outsourced development, the number of legacy applications, coupled with in-house development that takes advantage of 3rd party, open source and commercial, off-the-shelf software components.

Organizations need application security solutions that cover all of their applications, from those used internally to popular external apps used on customers’ mobile phones. These solutions must cover the entire development stage and offer testing after an application is put into use to monitor for potential problems. Application security solutions must be capable of testing web applications for potential and exploitable vulnerabilities, have the ability to analyze code, help manage the security and development management processes by coordinating efforts and enabling collaboration between the various stakeholders. Solutions also must offer application security testing that is easy to use and deploy.

What is SAST, DAST, and SCA?

What is SAST?

Static Application Security Testing (SAST)(SAST) scans the application source files, accurately identifies the root cause, and helps remediate the underlying security flaws.

Benefits of Static Application Security Testing:

Identify and eliminate vulnerabilities in source, binary, or byte code.
Review static analysis scan results in real-time with access to recommendations, line-of-code navigation to find vulnerabilities faster, and collaborative auditing.
Fully integrated with the Integrated Developer Environment (IDE).

What is DAST?

Dynamic Application Security Testing (DAST) simulates controlled attacks on a running web application or service to identify exploitable vulnerabilities in a running environment.

Benefits of Dynamic Application Security Testing:

Provides a comprehensive view of application security by focusing on what’s exploitable and covering all components (server, custom code, open source, services).
Can be integrated into Development, QA, and Production to offer a continuous holistic view.
Dynamic analysis enables a broader approach to manage portfolio risk (1000s of applications) and may scan legacy apps as part of risk management.
Tests the functional app, so unlike SAST, is not language constrained and runtime and environment-related issues can be discovered.

What is SCA?

Software Composition Analysis (SCA) is an automated process to help identify and track the open-source components used in applications. More robust SCA tools can analyze all open-source components for security risk, license compliance, and code quality.

Benefits of Software Composition Analysis:

Gain visibility and understanding of the open source components in your organization (provide a software bill of materials).
Policy automation for preventing security and license problems.
Remediation suggestions for vulnerabilities and license risk advice.
Analyze the health of open source projects in order to eliminate risk caused by poor or decaying communities.

On-Premise vs SaaS vs Managed Service

Application security solutions consist of the cybersecurity software (the tools) and the practices that run the process to secure applications.

On-Premise

Application security testing solutions can be run on-premise (in-house), operated and maintained by in-house teams. This approach requires organizations to provide the infrastructure and personnel, and to acquire application security solutions for their usage. On-premise assures organizations that their application data is not shared with third parties and does not leave the premises.

SaaS

Application security as a SaaS offering provides cloud-based solutions with a web-based user interface, allowing the customer to configure, perform, and manage application security. This option still requires organizations to provide the personnel and expertise required to run the various application security testing tools, but without the need to provide infrastructure, maintenance, updates, etc..

Managed Service

Application security can also be a managed service where the customer consumes services provided as a turnkey solution by the application security provider. This approach doesn’t require any of the prerequisites of the on-premise approach, but it does require relying partially or completely on the SaaS vendor and in most cases, allow the application data to be shared with the vendor. Application security as a managed service provides an easy way to get started and can offer scalability and speed. Hybrid implementations (using on-premise, SaaS, and managed services together in different projects and practices) aim to provide the best of both worlds by providing flexibility, scalability, and cost optimization.

What is the OWASP Top 10

OWASP Top 10

The Open Web Application Security Project (OWASP) is an open source application security community with the goal to improve the security of software. Its industry standard OWASP Top 10 guidelines provide a list of the most critical application security risks to help developers better secure the applications they design and deploy.

Application Security Solutions

OpenText Application Security solutions solutions offer application security testing and management on-premise, hosted, and as-a-service to help companies secure their software applications—including legacy, mobile, third-party, and open-source applications.

Fortify offerings include static code analysis, dynamic application security testing, software composition analysis (SCA), and interactive application security testing tools to provide code security for your Web Apps, APIs, Mobile Apps, Infrastructure-as-Code, Containers, and Software Supply Chain.

The solutions include:

Fortify Static Code Analyzer by OpenText™ - Static Application Security Testing (SAST) - Identifies and pinpoints security vulnerabilities in source code early in the software development lifecycle.

Fortify WebInspect by OpenText™ - Dynamic application security testing (DAST) – Simulates real-world security attacks on a running application to provide comprehensive analysis of complex web applications and services.

Fortify on Demand by OpenText™ – Security as a Service - A simple, easy and quick way to accurately test applications without having to install or manage software, or add additional resources.

Mobile Security – Mobile testing methodology that tests all three tiers including the client, network, and server.

Fortify Insight – Aggregate and analyze numerous sources of previously siloed data, visualized in an enterprise dashboard for actionable insights.

Software Security Assurance – Centralized management repository provides visibility that helps resolve security vulnerabilities.

Fortify Software Security Center by OpenText™ - Centralized management repository providing visibility to the entire application security testing program. It prioritizes, manages and track security testing activities and provides an accurate picture of software security risk across your enterprise.

Your browser is not supported

Fortify

Interset

Voltage

NetIQ

ArcSight

Fortify

Fortify

Interset

Voltage

Voltage

NetIQ

NetIQ

ArcSight

ArcSight

What is Application Security?

Overview

Application Security

Why Application Security?

What is SAST, DAST, and SCA?

Benefits of Static Application Security Testing:

Benefits of Dynamic Application Security Testing:

Benefits of Software Composition Analysis:

On-Premise vs SaaS vs Managed Service

What is the OWASP Top 10

Application Security Solutions

Resources

Assets

Related Products, Solutions, and Services

Community

Application Security Resources

OpenText Fortify Resources

Our Solutions

SAST: Fortify Static Code Analyzer

DAST: Fortify WebInspect

Fortify on Demand

Fortify Software Security Center

Get started today