API DAST Testing Basics with Shawn Simpson of CyberRes Fortify


Whenever I have questions about APIs or Dynamic Application Security Testing (DAST), I’ve found that Shawn Simpson usually has all the answers. My most recent interaction with Shawn was no different as he shared with me several answers to common questions about API DAST Testing. Here’s what he had to say... 

Question: Shawn, what is API DAST testing and why is it important?

Answer: APIs are a common tool used by teams when building applications and providing services. However, they have their own security risks. Because APIs are meant for application-to-application communication, there is not always the level of testing provided to them, and in many cases, APIs are built as an internal testing or development tool and forgotten.

Q: What is Fortify WebInspect capable of?

A:

  1. SOAP scanning, 3 options
     • Use a WSDL, which is a schema definition of a SOAP scan
     • Use the Service Test Designer
     • Use a proxy connected to another tool such as SoapUI
  2. REST scanning
     • Use a Swagger or OpenAPI definition
     • Use a Postman collection
     • Use a proxy capture of a functional test that exercises the API
  3. WebInspect can scan any API where a schema can be provided, a functional test can be used to exercise the API, or a Postman Collection is available.
  4. Postman is an industry standard for defining API definitions and creating API tests; WI can use Postman for security testing.

Q: Where is WebInspect going?

A: The DAST team has had API security as a major focus over the last couple of years and some of the coming features will include:

  • Native support for GraphQL, including GraphQL schemas natively, and discovery of GraphQL endpoints with and without the use of introspection.
  • Support for gRPC
  • Discovery of APIs during a scan, initially of schemas detected, but expanding into discovery and automated authentication of any API.

Q: What are some of the frameworks we currently support?


A:

  • All traditional SOAP and REST APIs.
  • SOAP WSDL
  • Swagger 1 and 2 and OpenAPI 3 schemas
  • Through Postman: GraphQL, RAML
  • OAuth and OAuth 2

Q: What are the facets of API Discovery?

A: There are two distinct facets of API Discovery: discovery of API endpoints during a scan and discovery of APIs within an environment. For SAST and DAST scanning the focus is on discovery during a scan. A lot of applications are built in pieces, and it is APIs that connect them. Some applications are published APIs meant to be consumed by other users and applications. Both use cases need to be secured. When a schema is available, scanning is easy. When an API doesn't have a schema, the need for discovery grows. Discovery during a scan is the finding of APIs through inferring their existence from network traffic, investigation of and parsing of the app's code to find clues to an API's existence. Then the discovery of how an API allows authentication is needed to incorporate that API into the larger scan.

Thanks for the great information, Shawn! 
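The discovery-during-a-scan idea from the last answer, sketched as an added example that is not part of the interview and is not how WebInspect is implemented: it infers API endpoints from proxy-captured traffic, drops those a schema already documents, and records how each remaining one was authenticated. The capture records, host, lowercased header names, `{id}` templating and classification heuristics are all assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample of proxy-captured exchanges; header names are assumed lowercased.
CAPTURE = [
    {"method": "GET", "url": "https://app.test/api/v1/orders/1042",
     "req_headers": {"authorization": "Bearer <token>"}, "resp_type": "application/json"},
    {"method": "GET", "url": "https://app.test/internal/debug/users/7", "resp_type": "application/json"},
    {"method": "POST", "url": "https://app.test/graphql", "req_headers": {"cookie": "sid=<session>"},
     "resp_type": "application/json", "req_body": '{"query": "{ viewer { id } }"}'},
    {"method": "POST", "url": "https://app.test/legacy/OrderService.asmx", "resp_type": "text/xml",
     "req_headers": {"soapaction": "GetOrder", "authorization": "Basic <credentials>"}},
    {"method": "GET", "url": "https://app.test/static/app.js", "resp_type": "text/javascript"},
]
# Constructed sample: (method, path template) pairs already covered by the schema.
DOCUMENTED = {("GET", "/api/v1/orders/{id}"), ("POST", "/api/v1/orders")}
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

def template(path):
    """Collapse numeric and UUID segments to {id} so calls group by endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in path.split("/"))

def classify(entry):
    """Infer the API style of one exchange; None means ordinary page traffic."""
    try:
        body = json.loads(entry.get("req_body") or "null")
    except ValueError:
        body = None
    if isinstance(body, dict) and isinstance(body.get("query"), str):
        return "graphql"
    if "soapaction" in entry.get("req_headers", {}):
        return "soap"
    return "rest" if entry["resp_type"].startswith("application/json") else None

def auth_scheme(entry):
    """Name the credential the client presented, which a scan must reproduce."""
    h = entry.get("req_headers", {})
    if "authorization" in h:
        return h["authorization"].split()[0].lower()
    return "cookie" if "cookie" in h else "none"

def discover(capture, documented):
    """Map each undocumented (method, path template) to its style and auth."""
    found = {}
    for e in capture:
        key = (e["method"], template(urlsplit(e["url"]).path))
        if (style := classify(e)) and key not in documented:
            found[key] = {"style": style, "auth": auth_scheme(e)}
    return found
```

Calling `discover(CAPTURE, DOCUMENTED)` on the sample returns the debug, GraphQL and SOAP endpoints, the ones the schema does not cover.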

About Fortify 

Micro Focus Fortify has been named a leader in the Gartner Magic Quadrant for Application Security Testing for the 8th consecutive year. 

Fortify offers an end-to-end application security solution that secures and protects code throughout the entire development lifecycle of any type of software—from development to testing, release to production and every iteration in between. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premise or on demand, offering organizations the flexibility needed to build an end-to-end software security assurance program. 
