Cyber Security Services

API Scanning

API Scanning Services

What Is It:

Representational State Transfer (REST) APIs (Application Programming Interfaces) are extremely common on the internet we use today. However, testing APIs introduce some unique behaviors that make traditional web application scanning tools difficult to use. Since billions, if not trillions of API calls are used on a daily basis, security measures should be in place to ensure that your API architecture is correct and secure. That is where we come in.

How We Do It:

Through a deep partnership with one of the leading security scanning companies, along with highly educated certified ethical hackers, we leverage both manual and automatic scanning techniques to ensure there aren’t any holes in your API call. We start by obtaining a Swagger 2.0 (now known as OpenAPI) YAML file with all the API calls you want to be tested. Once the technical information is obtained, Compass IT Compliance imports this information into our scanner which checks for open holes in each one of your API calls. When a swagger file is not supported, we can also leverage a more granular approach by sending individual API calls via cURL and capturing the response in a proxy. Regardless of either approach, an analyst will review, and if needed, test necessary vulnerabilities to ensure you get accurate results.

What Is Required To Get Started:

All that is needed is a quick conversation with one of Compass IT Compliance’s experienced Account Managers. Once a statement of work (SOW) is signed, the following will make the process run smoothly and expedite your report:

  • Swagger 2.0. If you’re leveraging Java with JSON formatting, Swagger 2.0 isn’t supported
  • If Swagger 2.0 isn’t an option, a cURL command for each API call
  • Legitimate testing credentials. Since the scanner and our testers can run multiple calls a second, if your APIs have threshold limits that will lock a user out, disabling or having a person to routinely unlock the user credentials is greatly beneficial
  • Valid API key (if required)

What You Will Receive:

  • Web application penetration test report tailored for API's
  • Executive summary
  • Supporting evidence

So what are you waiting for? Contact us today to put your team to the test and see how they hold up against industry leading API scanning!

Penetration Testing Blog Posts


Contact Us