Can I scan an API which we are going to implement? If so what is the best way to do this?
We are planning to implement a Java API which is a replacement for Java Web Start. I would like to test the API for common security vulnerabilities such as injections and XSS. It is on GitHub; what is the best way to scan this?
Re: Can I scan an API which we are going to implement? If so what is the best way to do this?
If you mean SAST, you would use Fortify SCA against the code base for that API, including all of its supporting libraries and third-party dependencies.
If you mean DAST, of the live API, you would use Fortify WebInspect. First, you would want to use the included CLI tool, WISwag.exe, to parse through the API endpoints and output a saved scan setting file (XML). This settings file will support a WebInspect Workflow-driven scan along with any necessary Custom Parameters. You would use that settings file in your WebInspect scan wizard.
Within the Guided Scan Wizard, you select the settings file on the right side, listed among the Templates. Within the Basic Scan Wizard, you use the menu found in the lower left-hand corner to load that settings file into the wizard. Or, you could open the Default Scan Settings, load in your saved settings file as the new Defaults, and then use either scan wizard to proceed from there, but just remember to reset your Defaults after the scan begins.
FWIW - WISwag.exe is also available as an endpoint within the WebInspect API, if you plan to automate this scan process later.
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify