Introducing business logic security testing for REST APIs

REST Security testing
tl;dr After a year and a half of approaching API security through the lens of GraphQL, we are proud to introduce beta support for REST API Security Testing in Escape, in addition to GraphQL. You can register for the beta using this link.

You like us on GraphQL. You will love us on REST.

It's been a ride since Escape's public release of our GraphQL Security Platform last September. Without a dollar spent on marketing, more than 1000 organizations have used Escape to help their developers secure their GraphQL APIs using our in-house Feedback-Driven API Exploration technology.

To enrich this core capability, we have shipped many new features since our public release: API Inventory, Posture Management, CI/CD Integrations, SSO, and Role-Based Access Control, among others.

But we are also aware that our community rarely uses GraphQL alone. Most users have REST API endpoints alongside their GraphQL APIs.

So we decided to adapt our Feedback-Driven API Exploration technology and support business-logic-aware security testing of REST APIs directly inside Escape.

With REST Security testing, you get out-of-the-box testing for:

  • API security best practices
  • OWASP API Top 10 2023
  • Advanced business logic issues such as sensitive data leaks

This feature is currently in private beta. If you use REST APIs, you can register on the waiting list now using this link ➡️

If you liked us for GraphQL, you will love us on REST!

The REST of the roadmap

We think that REST Security testing is currently broken: most security testing tools for REST rely on OpenAPI/Swagger documentation or Postman collections to generate their tests.

But this leaves behind organizations that have neither. So we decided to support specification-less REST API scanning. Soon, any organization building REST APIs in any language will be able to integrate security testing into its development process with the click of a button.

Here is how we plan to release our next features in the private beta:

  • API testing from an OpenAPI/Swagger specification
  • Testing from a Postman collection
  • Testing from source code in Java Spring Boot, Express.js and Django (and other languages and frameworks)
  • Automated REST API discovery

Why we won't stop there: a glimpse at the Future

We won't stop at REST and GraphQL. At Escape, we believe that all API technologies have pros and cons and will continue to exist in the future, be it REST, GraphQL, gRPC, tRPC, or even SOAP.

We understand that those APIs aim to provide developers and applications with a simple way to interact with online services for specific business purposes.

The "specific business purpose" part is essential: web and public APIs are not equivalent to directly exposing a database. They are productised interfaces that implement complex access control and business logic rules.

Helping developers and security teams find and fix security flaws in the business logic of applications at scale is precisely the objective we had in mind when creating our Feedback-Driven API Exploration technology.

To adapt it from GraphQL to other kinds of APIs, we created a meta-model of an API that focuses on the underlying business logic instead of the implementation details.

This model has proven very effective at representing and manipulating REST and GraphQL APIs, and will allow us to quickly add support for new standards (tRPC, SOAP, gRPC) in the future.

Wrapping up

We are opening support for testing REST APIs in private beta directly in Escape. Currently, you can test the security of any REST API using its OpenAPI or Swagger specification. In the future, we will release the ability to test any API without needing an OpenAPI file.

You can register for the REST beta at this link ➡️

This release is an important step in Escape's journey to make security easy for all developers and AppSec teams. Stay tuned, because more exciting news is coming down the road, following our recent $3.8M Seed Announcement.