StackHawk

Making StackHawk the Best API Security Testing Tool


You have probably noticed that we love APIs at StackHawk – especially secure APIs. You may have caught our latest content on how to keep your APIs secure using vulnerability testing, or how to use your OpenAPI spec to run more thorough security testing.

At the end of March we released a TON of new API scanning capabilities in the StackHawk platform.

What are those updates? Why should you use them? And how do they make it even easier to scan your APIs for security vulnerabilities?

Let’s dive in.

New API Security Testing Features from StackHawk

So what did we do exactly?

  • Our new autoPolicy flag in the stackhawk.yml will pull a pretuned default policy from the StackHawk platform based on your configured API technology. This feature is currently available for GraphQL APIs and APIs built to the OpenAPI spec. Stay tuned for additional API technologies.

  • The autoInputType setting detects the correct request type based on the API technology being tested. The scanner only sends JSON requests to REST and GraphQL APIs and XML requests to SOAP APIs.

  • The scanner now understands REST path parameters and will not re-scan the same page with different data. If you run a website and you have the URL “www.pantsstore.com/{brand},” we won’t scan every brand page individually. The scanner now realizes that {brand} represents data and is not part of the application’s structure. ZAP calls this concept Data Driven Content.
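To make the path-parameter idea in the last bullet concrete, here is an added Python example (written for this post, not StackHawk's or ZAP's own implementation) that collapses crawled URLs onto the OpenAPI path templates they instantiate, so /levis and /wrangler count as one /{brand} target. The spec paths and crawled URLs are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: OpenAPI-style path templates for the shop from the post,
# and URLs a crawler might discover while spidering it (hypothetical values).
OPENAPI_PATHS = ["/{brand}", "/{brand}/items/{itemId}", "/cart", "/checkout"]
CRAWLED_URLS = [
    "https://www.pantsstore.com/levis",
    "https://www.pantsstore.com/wrangler",
    "https://www.pantsstore.com/levis/items/501",
    "https://www.pantsstore.com/wrangler/items/13",
    "https://www.pantsstore.com/cart",
    "https://www.pantsstore.com/admin/users",  # not declared in the spec
]

_PARAM_SPLIT = re.compile(r"(\{[^/}]+\})")  # captures {param} segments

def compile_template(template: str) -> re.Pattern:
    """Turn '/{brand}/items/{itemId}' into an anchored regex where each
    {param} matches exactly one path segment; literal parts are escaped."""
    parts = _PARAM_SPLIT.split(template)  # literal, {param}, literal, ...
    body = "".join(r"[^/]+" if i % 2 else re.escape(p) for i, p in enumerate(parts))
    return re.compile(f"^{body}$")

def normalize_path(path: str, templates: list[tuple[str, re.Pattern]]) -> str:
    """Return the spec template this concrete path instantiates, or the path
    itself when nothing in the spec describes it."""
    for template, rx in templates:
        if rx.match(path):
            return template
    return path

def unique_scan_targets(urls: list[str], openapi_paths: list[str]) -> dict[str, list[str]]:
    """Group crawled URLs by the structural target they represent, so the
    scanner visits each template once instead of once per data value."""
    templates = [(t, compile_template(t)) for t in openapi_paths]
    # Literal paths first: '/cart' must win over the catch-all '/{brand}'.
    templates.sort(key=lambda t: t[0].count("{"))
    targets: dict[str, list[str]] = {}
    for url in urls:
        path = urlsplit(url).path or "/"
        targets.setdefault(normalize_path(path, templates), []).append(url)
    return targets

if __name__ == "__main__":
    for target, members in unique_scan_targets(CRAWLED_URLS, OPENAPI_PATHS).items():
        print(f"{target}: scanned once, covers {len(members)} crawled URL(s)")
```

A path the spec does not describe (/admin/users above) stays a target of its own, which is the behaviour you want: only declared parameters are treated as data.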




Why We ❤️ These Features

The majority of security testing tools don’t understand the nuances of API technologies.

As a result, other scanners will bombard an API with all different request types until they can receive a response. And, many of the tests the scanner attempts to run aren’t applicable to APIs. This results in scans that run slowly and are full of false positives – resulting in a lot of user frustration.

With these new features, users get faster, more accurate scans of all APIs. The scanner now understands what technology it is scanning and can dynamically adjust its testing approach. You can have confidence that the scanner is running the most relevant tests, finding critical vulnerabilities, and providing accurate results.

Give it a Whirl

To give these new API testing capabilities a go, make sure to sign up for a free StackHawk account. If you don’t have an API to use for testing, check out our intentionally vulnerable Node Express app or GraphQL API.

If you run into problems once you get scanning, check out our webinar on API security testing with the Node Express app, or give our customer support team a shout.
