Most API Security tools/platforms are built for the Security teams that are told “here’s an API service already running – go secure it”. Thus, they take an outside-in approach of building a fence around a service and/or poking the service with a stick to see what outward reactions they can get. But even an ML-powered fence can’t stop everything. Shouldn’t we be improving the security inherent in our RESTful or GraphQL API service/microservices? Let's actually find and fix the flaws before the API is deployed. And before the developers reading this run screaming thinking this is another “shift [the extra work] left” talk, what we will advocate is a simply and scalably deployed agent that will do this work for us. It will automagically discover and ingest the API documentation (if it exists), create and run tests based on these docs, turn any other functional tests we already have into security tests, and output replayable exploits when they are found. “Agent-less” solutions don't have the visibility and controllability needed to realize the automagic of building a more secure API from the inside out.
PRO Workshop (API): Automagic API Security Testing: Pre-prod Agent-Generated Tests FTW
Steve Chappell is a technology and business leader with 20+ years of experience in software security, semiconductor, IP & EDA industries. He has excelled in a variety of software and hardware R&D, marketing and sales positions, and is fluent in several languages used by ancient and modern Geeks as well as CxO-ese. Steve has done a little bit of everything in his 9 years at Synopsys, a recognized leader in Application Security for six years running.