Our Latest Product Updates: API Lifecycle Graph and Others

In addition to our bi-directional Integration with Wiz, we have more product updates for you this month!

As we mentioned before, this week, our bi-directional Integration with Wiz was finally released! But it’s not all we’ve been shipping over the past months.

We’ve been hard at work developing features that will provide you with deeper scanning capabilities, better visibility into your application lifecycle, and will improve the efficiency of your security teams.

Below, you’ll find some of these exciting updates that can be incredibly beneficial for you as an AppSec engineer. For even more details, check out the detailed recaps of all fixes and improvements in Escape's release notes.

API Lifecycle Graph: A Comprehensive Visual Overview

We’re excited to introduce a powerful new visual tool within our Inventory: the API Lifecycle Graph. This graph provides an in-depth, visual representation of your API service, helping you understand its full lifecycle, integrations, and key details. Whether you’re troubleshooting, managing, or securing your APIs, this tool is here to help.

Escape API Lifecycle Graph

What you can view:

  • API Lifecycle: Track the entire journey and security of your API service, from creation to deployment.
  • Hosting Details: Gain insights into where your service is hosted, including the domain, cloud provider, IP address, and location.
  • Service Integrations: See how the service integrates with platforms like Wiz, GitHub, GitLab, Kubernetes, and others, and get details on how each was set up.
  • Repository Info: Quickly access repository details and URLs where your service is hosted.
  • API Schema: View the schema, whether it was found or generated by Escape, its associated endpoints, and the methods connected to each endpoint.
  • Application Scan: Link your service to its application scan and view any associated security alerts, with color-coded severity levels for easy analysis.

How to view:

  1. Go to Inventory → All Services.
  2. Select the service you wish to inspect.
  3. The API Lifecycle Graph is located at the bottom of the Overview tab.

Why you'll love it:

  • Complete Lifecycle Visibility: Get a full picture of your API's lifecycle in one place.
  • Simplified Troubleshooting: Pinpoint potential issues and where to fix them quickly by visualizing integration and hosting details.
  • Contextual Insights: View security scans and vulnerabilities in the context of each API for faster, more informed decision-making.

Scan APIs Associated with Front-Ends More Efficiently

We’ve added a new feature that allows you to scan APIs associated with front-end applications separately. This means that if you’re only updating the API and not touching the front-end, you can skip rescanning the front-end, saving time and resources. The scan will focus solely on the API, providing a quicker and more efficient experience.

Benefits:

  • Focused Scanning: Only scan the API, not the front-end, when updates are made solely to the API.
  • Faster Scans: Avoid unnecessary checks on the front-end, speeding up the scanning process and saving valuable time.

How to Set It Up:

  1. Go to the settings of the relevant app.
  2. Navigate to Scan Configuration → Expert.
  3. Under Scan, set frontend_crawling_only: true. Alternatively, use the shortcut Ctrl + Space (Windows/Linux) or Option + Esc (macOS) to select frontend_crawling_only from the list.

How to set it up with a shortcut

New Security Test: Stack Trace Disclosure Detection

We've added a new security test to detect detailed error messages and stack trace disclosures, which can expose sensitive system details such as file paths, code snippets, and internal IPs. This test is now included by default in Escape's DAST.

When you return clear technical error information in a response, attackers might use that information to identify the specific technologies you're using, making it easier for them to target known vulnerabilities in those systems.

Here you can find an example:

It's important to sanitize or hide these detailed errors and only log them internally so that you protect your application's inner workings from potential exploitation.

Learn more in our documentation.
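To make the test concrete, here is an added example (not Escape's code) of the two sides of this finding: a detector that flags stack-trace formats, absolute file paths and private IPs in an HTTP response body, and the hardened error-handler pattern that logs the full traceback internally and returns only an opaque reference. The sample responses and the signature list are constructed for illustration.

```python
import json
import logging
import re
import traceback
import uuid

# Constructed signatures for common stack-trace formats (not an exhaustive list).
STACK_TRACE_PATTERNS = {
    "python": re.compile(r"Traceback \(most recent call last\):"),
    "java": re.compile(r"^\s+at [\w$.]+\([\w$]+\.java:\d+\)", re.M),
    "node": re.compile(r"^\s+at .*\(.*\.js:\d+:\d+\)", re.M),
    "dotnet": re.compile(r"^\s+at [\w.`]+\(.*\) in .*:line \d+", re.M),
    "php": re.compile(r"(?:Fatal error|Warning): .* in /.*\.php on line \d+"),
}
# Details a verbose error tends to leak: absolute paths and RFC 1918 addresses.
FILE_PATH = re.compile(r"(?:/(?:usr|var|home|opt|app|srv)/[\w./-]+|[A-Z]:\\[\w\\.-]+)")
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)

# Constructed sample responses: one leaking a Python traceback, one a Java trace.
LEAKY_PYTHON_RESPONSE = """Traceback (most recent call last):
  File "/app/api/orders.py", line 42, in get_order
    return db.fetch(order_id)
psycopg2.OperationalError: could not connect to server at 10.0.3.17:5432
"""
LEAKY_JAVA_RESPONSE = """java.lang.NullPointerException
\tat com.shop.OrderService.load(OrderService.java:88)
\tat com.shop.OrderController.get(OrderController.java:31)
"""


def find_disclosures(body: str) -> dict:
    """Report which stack-trace formats and leaked details appear in a response body."""
    return {
        "frameworks": sorted(n for n, p in STACK_TRACE_PATTERNS.items() if p.search(body)),
        "paths": sorted(set(FILE_PATH.findall(body))),
        "private_ips": sorted(set(PRIVATE_IP.findall(body))),
    }


def safe_error_response(exc: BaseException, logger=logging.getLogger("app")) -> dict:
    """Hardened pattern: keep the traceback in internal logs, return an opaque reference."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("error_ref=%s\n%s", ref, detail)  # full detail stays server-side
    return {"status": 500, "body": json.dumps({"error": "internal error", "ref": ref})}


def demo_safe_response() -> dict:
    """Trigger a real exception and route it through the hardened handler."""
    try:
        return {"status": 200, "body": str(1 / 0)}
    except ZeroDivisionError as exc:
        return safe_error_response(exc)
```

Running find_disclosures over the sanitized body returned by demo_safe_response yields no findings, whereas the two constructed leaky responses are flagged.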

Enhanced Private Locations: WebSocket & CLI Support

We’ve taken the Private Locations feature to the next level by adding WebSocket support for testing internal APIs. Previously unsupported, WebSocket is now fully integrated, allowing you to conduct more comprehensive testing. Additionally, Private Locations are now available through the Escape CLI, making the experience smoother and more integrated.

Key Benefits:

  1. Unified Tooling: Escape’s CLI for API interactions and Private Location management is now consolidated into a single binary, reducing complexity and simplifying deployment.
  2. Improved Stability: Enjoy more reliable health checks and enhanced stability, especially for frontend DAST.
  3. Easier Setup: No manual repeater ID creation and no need for Node.js installation.
  4. Enhanced Transparency: The Escape CLI is open-source, auditable, and includes direct log access from the Escape front-end.

Migration:

If you’re using the legacy repeater image, follow our migration guide to switch to the new CLI-based approach, which simplifies setup and ensures a smoother workflow.

Improved Playwright Authentication for Seamless Testing

Our Playwright authentication feature has been significantly improved to handle complex authentication flows, making it easier to run fully authenticated DAST scans. Instead of manually entering credentials, Escape’s proprietary AI agent detects login fields and fills them in automatically, ensuring seamless logins.

Once logged in, you can view screenshots at each step, helping you verify the authentication process or troubleshoot any issues.

Example of visualizations during the Playwright authentication process

Because this technology runs internally, credentials are never sent to any external AI provider, ensuring complete privacy.

This is an exciting step forward in making authenticated DAST scans more seamless and efficient!

Additionally, for more flexibility, we’ve added the PlaywrightUserPreset option to our advanced configuration settings. This allows you to inject optional headers during the authentication process and for authenticated requests, making it easier to handle custom authentication flows. Check out how to set it up here.

With these new updates, you should be able to secure your APIs and front-ends even more efficiently. But, of course, these are not all! For more, don't forget to check our release notes out. Try it out for yourself, and let us know what you think in our Slack community!
