
42Crunch Releases OpenAPI Static Security Audit in GitHub Code Scanning

By Enterprise Security Magazine | Friday, October 09, 2020

Irvine, CA - Today, the API security leader and creator of the industry’s first API Firewall, 42Crunch, announced the availability of its REST API Static Security Testing with GitHub code scanning. By adding 42Crunch to code scanning, developers can include REST API OpenAPI / Swagger definitions within their static security tests.

Most of today's applications are driven by APIs. The transition to cloud-native architectures, microservices, serverless, single-page, IoT, and mobile applications has led to a proliferation of APIs. What used to be components of monolithic applications communicating within a single server are now standalone APIs talking to each other over the network.

This has significantly expanded the attack surface and led to the rise of API attacks. In fact, there is now not a single week without new high-profile API vulnerabilities reported by the popular API security news site APIsecurity.io.

Gartner estimates that by 2022 APIs will become the most common attack vector.

Having direct access to applications' backend services and databases holding sensitive customer data, APIs are a lucrative target. API breaches can have significant business, public image, and financial impact.

At the same time, companies now have hundreds if not thousands of APIs. These APIs are constantly changing as teams adopt agile methodologies and continuously iterate on their functionality. Old approaches of manual review and approval processes and static runtime rules can no longer serve as the foundation for securing such complex, dynamic systems.

The best way to provide cost-effective security for APIs is to “shift left” and establish security measures across the whole API lifecycle, from design through development, testing, and run-time protection, ideally doing so automatically without human interaction.

Available as a GitHub Action, REST API Static Security Testing allows users to:

● Discover REST APIs in their GitHub repositories

● Audit each API with 200+ security checks from 42Crunch covering industry best practices across authentication, authorization, transport, and data validation

● Analyze the discovered vulnerabilities by looking into the details provided for each vulnerability within GitHub code scanning alerts

● Fix the vulnerabilities by going through the prioritized alert list and fixing the issues with remediation suggestions provided for each alert

● Enforce security by setting criteria for your CI/CD workflows and automated Pull Request checks

“GitHub is the world's leading software development collaboration platform,” says Dmitry Sotnikov, Chief Product Officer at 42Crunch. “We are happy to see Static Application Security Testing (SAST) now become a standard feature of GitHub through code scanning and happy to provide our integration to handle the API security part of it.”

“GitHub code scanning is a major step on our journey to help open source and enterprise developers build secure software,” says John Leon, VP of Business Development at GitHub. “Adding 42Crunch's security audit for REST APIs to GitHub code scanning tests will provide additional insight and security capabilities for developers.”

You can find out more by visiting the 42Crunch REST API Static Security Testing page in the GitHub Marketplace.