
Uses a custom API security assessment engine built specifically from the ground up to discover vulnerabilities specific to API deployments.

Consumes OpenAPI/Swagger/GraphQL files to map out the entire API, which is designed to ensure the entire API gets a rigorous assessment. As your development team changes the API over time, Edgescan detects the change and maintains security coverage.

Can deliver on-demand, continuous and scheduled API security testing.

All discovered vulnerabilities are validated and prioritized to make life easier for you and your development team.

Can consume API descriptor files (Swagger, JSON, WSDL, YAML) and automatically test documented methods.

Edgescan ASM delivers API discovery profiling to help you maintain an asset register of APIs live on your estate.

Discover APIs across your IP/CIDR ranges using our multi-layer API discovery technology: find rogue or unknown APIs across your estate and be alerted to new discoveries.
What's the API Security Challenge?

Attack
2022: API Abuse will be the most-frequent attack vector – GARTNER

Vulnerability
In 2022 Edgescan has seen a 320% rise in vulnerable APIs deployed

Breaches
66% of Cloud breaches are due to misconfigured APIs – IBM Security

Scanners
Web application scanner tools are not suited to API security testing.

Tools
API security testing can be difficult because many tools are simply not built to test API security.
We handle it
We provide continuous security testing for the ever-growing world of APIs, which are becoming ever more popular given the explosive growth in mobile apps and the fintech sector.
We are accustomed to providing rigorous testing of APIs in all their shapes and forms. This includes, but is not limited to, SOAP/XML, RESTful and other Web Services.
Our team built an API testing engine because traditional web scanning tools simply don't scan APIs with any rigor. Edgescan's custom API technology maps an API's method calls via ingestion of descriptor (Swagger/OpenAPI/GraphQL) files and provides rigorous assessment coupled with intelligent expert validation.
Specific API vulnerabilities
discovered by Edgescan:
Broken Object-Level Authorization
APIs often expose endpoints that handle object identifiers. Any function that accepts user input and uses it to access a data source can create an Object Level Access Control issue, widening the attack surface. You should carry out object-level authorization checks for all such functions.
Broken User Authentication
Attackers often take advantage of incorrectly applied authentication mechanisms. They may compromise an authentication token or exploit flaws in implementation to pose as another user, on a one-time basis or permanently. If the system’s ability to identify the client/user is compromised, so is the overall API’s security.
Excessive Data Exposure
Developers often rely on the client side to filter the data before displaying it to the user. This can create serious security issues—data must always be filtered at the server side, and only the relevant information should be delivered to the client side.
Lack of Resources and Rate Limiting
APIs often don't restrict the number or size of resources that the client/user can request. This can impact the performance of the API server, resulting in Denial of Service (DoS), and expose authentication endpoints to brute force attacks.
Broken Function-Level Authorization
Authorization flaws often result from overly complex access control policies, or if there is no clear separation between regular and administrative functions. Attackers can exploit these vulnerabilities to gain access to a user’s resources or perform administrative functions.
Mass Assignment
Mass assignment typically results from binding client-provided data (e.g. JSON) to a data model without filtering the properties against an allowlist. Attackers can modify object properties in a number of ways: they can explore API endpoints, read the documentation, guess object properties, or provide additional properties through request payloads.
Security Misconfiguration
Security misconfiguration often results from inadequate default configurations, ad-hoc or incomplete configurations, misconfigured HTTP headers or inappropriate HTTP methods, insufficiently restrictive Cross-Origin Resource Sharing (CORS), open cloud storage, or error messages that contain sensitive information.
Injection
Injection flaws (including SQL injection, NoSQL injection, and command injection) involve data that is sent to an interpreter from an untrusted source via a command or query. Attackers can send malicious data to trick the interpreter into executing dangerous commands, or allow the attacker to access data without the necessary authorization.
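As an added illustration (not Edgescan's code), the following minimal Python handler shows the server-side defences for three of the classes above in one place: an object-level authorization check (BOLA), property allowlisting before binding (Mass Assignment) and response filtering on the server (Excessive Data Exposure). The user store, field names and role values are constructed for the example.

```python
# Added example, not Edgescan code: a PATCH /users/<id> handler with the
# defensive checks for BOLA, mass assignment and excessive data exposure.

# Constructed sample data store: user id -> record.
USERS = {
    1: {"id": 1, "email": "alice@example.test", "display_name": "Alice",
        "role": "user", "password_hash": "hash-alice"},
    2: {"id": 2, "email": "bob@example.test", "display_name": "Bob",
        "role": "admin", "password_hash": "hash-bob"},
}

# Mass-assignment defence: only these properties may be bound from the
# request body; anything else (role, id, password_hash) is dropped.
WRITABLE = {"display_name", "email"}
# Excessive-data-exposure defence: only these properties leave the server.
PUBLIC = {"id", "display_name", "email", "role"}


def update_profile(caller_id, target_id, payload):
    """Handle a profile update for the authenticated caller.
    Returns an (http_status, body) pair like a framework response."""
    caller = USERS.get(caller_id)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "no such user"}
    # Object-level authorization: the id in the path is checked against the
    # authenticated caller instead of being trusted on its own.
    if caller_id != target_id and caller["role"] != "admin":
        return 403, {"error": "not the owner"}
    # Bind only allowlisted properties; record what was rejected for auditing.
    rejected = sorted(set(payload) - WRITABLE)
    for key in WRITABLE & set(payload):
        record[key] = payload[key]
    # Filter the response on the server side, never on the client.
    body = {k: v for k, v in record.items() if k in PUBLIC}
    body["ignored_properties"] = rejected
    return 200, body
```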
The Benefits
of API Security Testing

All API paths and endpoints are mapped in the Edgescan portal to help you see the level of testing coverage

vulnerabilities using our custom API security technology and expert validation

with the API as it changes. As the API changes so do your security tests.

Headless API deployments: not all API endpoints are accessible through a web UI or tested during a web app pentest.

hidden and shadow APIs using our Discovery ASM feature. Catalogue APIs across your global estate by supplying Edgescan with IP and FQDN lists.
Our Solution
No Limits:
Scan on demand as much as you need. Scans can be invoked via API for DevOps environments and via the Edgescan portal.
Edgescan API Security Testing:
combines technical and logical security testing, all of which is validated & supported by experts.
Coverage and Depth:
Edgescan technology uses bespoke scanning engines in order to provide optimal coverage of the API. API vulnerabilities can be different from typical web application issues.
Intelligent Assessment:
Edgescan API assessments also assess logical controls associated with the API; items such as authorization, request flooding, parameter manipulation and attribute injection are assessed to help ensure you have a strong security posture.
5 reasons why
you should choose Edgescan
Best Security
Edgescan is designed to take the best of automated security scanning coupled with human expertise where required.
Details
Edgescan detects and provides detailed vulnerability information across the full stack to aid understanding and rapid remediation.
Support
Edgescan provides client support to help move security posture in the right direction.
Reduce Spend
Edgescan can improve resilience whilst reducing cyber security spend compared to traditional tool/consultant based approaches.
One Platform
Edgescan combines Penetration testing (PTaaS), ASM (Attack Surface Management), Web Application Security and Device/Host Security in a single platform.
Edgescan
Prioritizes Risks
Understand vulnerability criticality based on what's important to your business.
Our platform discovers, validates and prioritizes your organization's most critical risks, making it easy for your security and IT teams to know where to focus first.
Edgescan maps all validated vulnerabilities to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. As exposures are discovered you can prioritize based on whether they are being used by cyber criminals in the wild.
Our unique validation and prioritization approach helps you decide which vulnerabilities to focus on to make the most positive impact on your business' security posture.
As vulnerabilities are discovered which are known to be exploited, automatically alert your teams to act quickly. Once the fix is applied retest on demand, no problem.
The platform's automatic risk prioritization is based on:
- Attackers' priorities
- Business context
- Likelihood
- Remediation complexity
- Ease of exploitation