Web API automatic scan workflow

Provides a simple workflow of an automatic scan of a web API.

AppScan provides a comprehensive assessment of your web APIs. It runs thousands of tests that cover typical user techniques at all levels, as well as unauthorized access attempts and code injection.

When you run a scan on your application, AppScan sends the tests to your web API. AppScan's site-smart engine analyzes the responses and produces detailed reports and fix recommendations that you can review and work with further.

AppScan is an interactive tool: you decide on the configuration of the scan and determine what is to be done with the results.

Web API automatic scanning workflow

Workflow description

  1. Scan Configuration: Configure the scan through Configuration > API Essentials, taking into account details of your site, your environment, and other requirements. Choose one of the two input paths:
    1. Postman Collection path:
      1. Upload Postman Collection: Import the Postman collection.
      2. Review Test Policy: Modify the test policy if necessary.
    2. OpenAPI Description File path:
      1. Upload OpenAPI Description File: Upload the API's OpenAPI description file.
      2. Configure API Key: Set up the API key for authentication.
      3. (Optional) Review Test Policy: Adjust the test policy settings.
  2. Start Full Scan: Initiate a full scan.

  3. Automatic scanning consists of the Explore and Test stages.
    1. Explore Stage: AppScan crawls your web API, going through all the requests and parameters and recording them. It creates a hierarchy of the requests and parameters that it finds on your web API. This list is displayed in the Application Tree (see Application tree).
      Note: The Explore stage can be done automatically, manually, or as a combination of both. You can also import an Explore Data File (see Exporting Manual Explore data), which consists of a previously recorded manual explore sequence. AppScan then analyzes the data it has collected from the site and, based on it, creates tests for the API. These tests are designed to reveal weaknesses both in the infrastructure (such as security weaknesses in commercial third-party products or Internet systems) and in the application itself.
    2. Test Stage: During the Test stage, AppScan tests your application, based on the responses it received during the Explore stage, to reveal vulnerabilities and assess their severity.

      An up-to-date list of all tests included in your current version of AppScan can be seen in the Scan Configuration dialog box (see Test policy and optimization).

      You can also create user-defined tests in addition to the tests that AppScan automatically creates and runs (see User-Defined Tests). Your tests can supplement those generated by AppScan and can verify the results that it found.

      Test results are displayed in the Result List, from where you can view and modify them. Full details of the results are displayed in the Detail Pane.

  4. Post-Scan Activities:

    1. Review Results: Analyze the scan findings, adjust the scan configuration if your review shows this is necessary, and scan again.

    2. Review Fix Recommendations: Assess and apply suggested fixes to address identified vulnerabilities.
    3. Explore Requests Manually: Manually check any requests that require further investigation.
    4. Generate Reports: Create detailed reports based on the scan results.
Note: AppScan supports both manual exploration and importing recorded traffic together with its automatic scanning capabilities, providing a comprehensive approach to security assessment.
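The Explore stage described above builds an application tree of requests and parameters before any test is sent. The following added example (not AppScan code, and not how AppScan's engine is implemented) shows the same idea in miniature: it walks an OpenAPI 3 description, records every operation with its path, query, header and body parameters, and flags operations whose effective security requirement is empty, which is the first thing a reviewer wants to know before an API key is configured. The OpenAPI document, its paths and the `X-API-Key` scheme are all constructed for this example.

```python
"""Build a small "application tree" from an OpenAPI 3 description.

Added example: models the Explore stage by listing every operation, its
parameters, and the security requirement that applies to it. Nothing is
sent to a server; the document below is constructed for this example.
"""
import json

# Constructed sample OpenAPI 3 description (not a real API).
SAMPLE_OPENAPI = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Example Orders API", "version": "1.0"},
  "security": [{"ApiKeyAuth": []}],
  "components": {"securitySchemes": {
    "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
  "paths": {
    "/orders": {
      "get": {"parameters": [
        {"name": "status", "in": "query", "schema": {"type": "string"}}]},
      "post": {"requestBody": {"required": true, "content": {
        "application/json": {"schema": {"type": "object", "properties": {
          "item": {"type": "string"}, "qty": {"type": "integer"}}}}}}}
    },
    "/orders/{orderId}": {
      "parameters": [
        {"name": "orderId", "in": "path", "required": true,
         "schema": {"type": "string"}}],
      "get": {"security": []}
    },
    "/health": {"get": {"security": []}}
  }
}
""")

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def collect_parameters(path_item, operation):
    """Merge path-level and operation-level parameters (operation wins on
    the same name/location) and append request-body properties as 'body'."""
    merged = {}
    for param in list(path_item.get("parameters", [])) + list(operation.get("parameters", [])):
        merged[(param["name"], param["in"])] = param
    params = [{"name": p["name"], "in": p["in"],
               "type": p.get("schema", {}).get("type", "unknown")}
              for p in merged.values()]
    for media_type, media in operation.get("requestBody", {}).get("content", {}).items():
        for prop_name, prop in media.get("schema", {}).get("properties", {}).items():
            params.append({"name": prop_name, "in": "body",
                           "type": prop.get("type", "unknown"), "media_type": media_type})
    return params


def build_application_tree(spec):
    """Return {path: {METHOD: {"parameters": [...], "security": [...]}}}."""
    global_security = spec.get("security", [])
    tree = {}
    for path, path_item in spec.get("paths", {}).items():
        tree[path] = {}
        for method in HTTP_METHODS:
            if method not in path_item:
                continue
            operation = path_item[method]
            # An operation-level "security" key overrides the document-level one;
            # an explicit empty list means the operation requires no authentication.
            security = operation.get("security", global_security)
            tree[path][method.upper()] = {
                "parameters": collect_parameters(path_item, operation),
                "security": security,
            }
    return tree


def unauthenticated_operations(tree):
    """Operations with no effective security requirement: review these first."""
    return sorted(f"{method} {path}"
                  for path, ops in tree.items()
                  for method, op in ops.items()
                  if not op["security"])


def print_tree(tree):
    """Render the tree in the indented style of an application tree view."""
    for path, ops in tree.items():
        print(path)
        for method, op in ops.items():
            print(f"  {method} [{'auth' if op['security'] else 'NO AUTH'}]")
            for p in op["parameters"]:
                print(f"    - {p['name']} ({p['in']}, {p['type']})")


if __name__ == "__main__":
    app_tree = build_application_tree(SAMPLE_OPENAPI)
    print_tree(app_tree)
    print("Unauthenticated:", unauthenticated_operations(app_tree))
```

Running the module prints the tree and lists `GET /health` and `GET /orders/{orderId}` as unauthenticated, because their operation-level `security: []` overrides the document-wide API-key requirement. A `/health` endpoint without authentication is usually intended; an object-fetching endpoint like `/orders/{orderId}` without one is exactly the kind of finding to confirm during manual exploration and in the review of test results.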