Introducing business logic security testing for REST APIs

Introducing business logic security testing for REST APIs

After one year and a half of approaching API security through the lenses of GraphQL, we are proud to introduce full support for REST API Security Testing in Escape, in addition to GraphQL 🚀

You like us on GraphQL. You will love us on REST.

It's been a ride since Escape's public release of our GraphQL security platform last September.

To enrich this core capability, we have been shipping many new features since our public release: API Inventory, Posture Management, CI/CD Integrations, SSO, and Role Based Access Control, among others.

Check out our recent enterprise features release

But we are also aware that our community barely uses GraphQL alone. Most users have REST API endpoints along with their GraphQL APIs.

So, we decided to adapt our feedback-driven API exploration technology and support REST API business logic security testing directly inside Escape.

With REST Security testing, you will have

  • Proactive monitoring of the security and compliance of all your APIs
  • Support for OWASP Top 10 2023
  • Advanced business logic issues like sensitive data leaks
  • Integration within your CI/CD pipeline for easy detection and remediation

If you liked us for GraphQL, you will love us on REST!

The REST of the features

We think that REST Security testing is currently broken: most security testing tools for REST use OpenAPI/Swagger documentation or Postman collections to generate their tests.

But this leaves behind organizations that have neither. So, we decided to support specification-less REST API scanning. Soon, any organization using any language to build REST APIs will be able to integrate security into its development process with the click of a button.

Escape is now supporting testing from Java Springboot, Express.js, Django languages, and frameworks.

REST APIs automated discovery is coming soon as well 

Why we won't stop there: a glimpse at the Future

We won't stop at REST and GraphQL. At Escape, we believe that all APIs technologies have pros and cons and will continue to exist in the future, be it REST, GraphQL, gRPC, tRPC, or even SOAP.

Right now, these technologies are available for our customers on-demand basis.

We understand that those APIs aim to provide developers and applications with a simple way to interact with online services for specific business purposes.

The specific business purpose part is essential, as web and public APIs are not equivalent to directly exposing a database. They are productive interfaces and implement complex access control and business logic rules.

Helping developers and security teams find and fix security flaws in the business logic of applications at scale is precisely the objective we had in mind when creating our feedback-driven API exploration technology.

To adapt it from GraphQL to other kinds of APIs, we created a meta-model of API that focuses on the underlying business logic instead of the implementation details.

This model has proven to be very effective at manipulating REST and GraphQL APIs, and will allow us to quickly add support for new standards (tRPC, SOAP, gRPC) in the future.

Wrapping up

To wrap it up, we're excited to share that we've broadened our support to include REST API Security Testing alongside our existing GraphQL features.

It is now possible to test the security of any REST API, without the need for having an OpenAPI or Swagger file. In just a few weeks, you'll also have access to REST API discovery and will be able to build a complete API catalog and achieve full observability for both REST & GraphQL APIs.

With a commitment to providing robust security solutions, we look forward to enhancing API security for various technologies, including REST, GraphQL, gRPC, tRPC, SOAP, and more.