
Can I scan an API which we are going to implement? If so what is the best way to do this?

We are planning to implement a Java API which is a replacement for Java Web Start. I would like to test the API for common security vulnerabilities such as injections and XSS. It is on GitHub; what is the best way to scan this?

Micro Focus Expert

Re: Can I scan an API which we are going to implement? If so what is the best way to do this?

If you mean SAST, you would use Fortify SCA against the code base for that API, including all of its supporting libraries and third-party dependencies.

If you mean DAST, of the live API, you would use Fortify WebInspect.  First, you would want to use the included CLI tool, WISwag.exe, to parse through the API endpoints and output a saved scan setting file (XML).  This settings file will support a WebInspect Workflow-driven scan along with any necessary Custom Parameters.  You would use that settings file in your WebInspect scan wizard.

Within the Guided Scan Wizard, you select the settings file on the right side, listed among the Templates.  Within the Basic Scan Wizard, you use the menu found in the lower left-hand corner to load that settings file into the wizard.  Or, you could open the Default Scan Settings, load in your saved settings file as the new Defaults, and then use either scan wizard to proceed from there, but just remember to reset your Defaults after the scan begins.

FWIW - WISwag.exe is also available as an endpoint within the WebInspect API, if you plan to automate this scan process later.

-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
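An added end-to-end example of the two paths described in the reply above, written by the editor and not taken from the original post or from Micro Focus: a PowerShell script for a Windows scanning host that runs a Fortify SCA translate and scan over the Java API's source tree with its Maven dependencies on the classpath, then uses WISwag.exe to turn the API's Swagger/OpenAPI definition into a Workflow-driven settings file and launches a WebInspect scan through the WebInspect REST API. The paths, build ID, API URL and settings directory are placeholders; the WISwag flags, the FPRUtility option and the REST endpoint paths and JSON field names are recalled from the Fortify documentation rather than stated on this page, so confirm them against `sourceanalyzer -h`, `WISwag.exe -?` and the Swagger page served by the WebInspect API before relying on them.

```powershell
# Added example (not from the original reply): SAST + DAST of a Java API with Fortify
# SCA and WebInspect from a Windows scanning host.
# Assumptions (all placeholders, adjust to your environment):
#   - the API source is cloned to C:\src\java-api and builds with Maven
#   - Fortify SCA's bin directory is on PATH (sourceanalyzer, FPRUtility)
#   - WebInspect is installed under C:\Program Files\Fortify\Fortify WebInspect and
#     its REST API service is listening on http://localhost:8083
#   - the API under test serves its Swagger/OpenAPI document at the URL below
# Flags, endpoint paths and JSON field names are recalled from the Fortify docs, not
# from the forum post; verify them with `sourceanalyzer -h`, `WISwag.exe -?` and the
# API's Swagger page before relying on this script.

$ErrorActionPreference = 'Stop'

$BuildId       = 'java-api'
$SrcDir        = 'C:\src\java-api'
$OutDir        = 'C:\scans\java-api'
$SwaggerUrl    = 'https://api.example.internal/v2/api-docs'     # placeholder
$WebInspectApi = 'http://localhost:8083/webinspect'              # assumed base path
$WISwag        = 'C:\Program Files\Fortify\Fortify WebInspect\WISwag.exe'

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# ---------- SAST: Fortify SCA over the code base plus its third-party jars ----------
Push-Location $SrcDir
try {
    # Resolve and copy the dependency jars so SCA sees the same classpath as the build.
    mvn -q dependency:copy-dependencies -DoutputDirectory=target\dependency

    # Clean any translation left from an earlier run with the same build ID.
    sourceanalyzer -b $BuildId -clean

    # Translate: every Java source file, with the resolved jars supplying the API
    # signatures of the libraries the code calls into (SCA models them, it does not
    # decompile them). Adjust -source to the project's Java level.
    sourceanalyzer -b $BuildId -Xmx4G -source 1.8 `
        -cp 'target\dependency\*' 'src\main\java\**\*.java'

    # Analyse the translated build and write a Fortify Project Results (FPR) file.
    $Fpr = Join-Path $OutDir "$BuildId-sast.fpr"
    sourceanalyzer -b $BuildId -Xmx4G -scan -f $Fpr

    # Per-category counts (SQL Injection, Cross-Site Scripting, ...) for a quick read
    # before opening the FPR in Audit Workbench. Option name recalled from the docs.
    FPRUtility -information -categoryIssueCounts -project $Fpr
}
finally {
    Pop-Location
}

# ---------- DAST: WISwag -> settings file -> WebInspect scan via the REST API ----------
$SettingsName = "$BuildId-workflow-settings"
$SettingsFile = Join-Path $OutDir "$SettingsName.xml"

# WISwag parses the Swagger/OpenAPI definition and emits a scan settings file that drives
# a Workflow-driven scan over every documented endpoint (-i input, -o output: assumed flags).
& $WISwag -i $SwaggerUrl -o $SettingsFile

# The REST API launches scans by settings *name*, so the file has to sit in WebInspect's
# settings directory; the directory below is an assumption for a default install.
$SettingsDir = Join-Path $env:LOCALAPPDATA 'HP\HP WebInspect\Settings'
Copy-Item $SettingsFile (Join-Path $SettingsDir "$SettingsName.xml") -Force

$Body = @{
    settingsName = $SettingsName
    overrides    = @{ scanName = "$BuildId DAST $(Get-Date -Format s)" }
} | ConvertTo-Json -Depth 5

# Add -UseDefaultCredentials or -Credential here if the API service requires authentication.
$Launch = Invoke-RestMethod -Method Post -Uri "$WebInspectApi/scanner/scans" `
              -ContentType 'application/json' -Body $Body
$ScanId = $Launch.ScanId

# Poll until the scan leaves the running states; the status strings are assumed values.
do {
    Start-Sleep -Seconds 30
    $Status = (Invoke-RestMethod -Uri "$WebInspectApi/scanner/scans/$ScanId/status").ScanStatus
    Write-Host "WebInspect scan $ScanId : $Status"
} while ($Status -notin @('Complete', 'Aborted', 'Failed'))

Write-Host "SAST results: $Fpr"
Write-Host "DAST scan $ScanId finished with status $Status; open it in WebInspect or export via the API"
```

Two caveats worth keeping in mind when reading the results. The SAST pass analyses only the sources you translate: the third-party jars on the classpath give SCA the method signatures it needs to trace data through library calls, but the libraries' own code is not scanned, so if a dependency itself needs review you translate its sources separately. On the DAST side a Workflow-driven scan built by WISwag only exercises the endpoints and parameters present in the Swagger/OpenAPI document, so an incomplete definition silently shrinks the attack surface that WebInspect tests for injection and XSS.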