| tl;dr we released openapi.security, an online tool that performs a dozen of security tests on any given openapi/swagger-based API, with no signup or email required. You can try it here: https://openapi.security My team at Escape (YC W23) is mainly focused on securing GraphQL APIs. For this, we developed a new approach called Feedback driven API Exploration. Basically, we infer the right security tests cases to run using the specification and a carefully crafted in house graph traversal algorithm. (It's a bit long to describe here but we published a more in depth explanation of how this algorithm works in our blog!) We recently wondered if this Feedback Driven Exploration approach could be efficiently applied to good old REST APIs as well. From our experience, well designed GraphQL and REST APIs are quite equivalent: both have an organized data structure and explicit relationships between objects. So why wouldn't it work? We often organise internal hackathons. So this time, we focused on this experiment, adapting our algorithm to REST and ending up creating our last side project: OpenAPI.security. It is a very simple tool: anybody can enter an OpenAPI / Swagger spec, and openapi.security will run a bunch of security tests on it and give back a report. It's designed to be fast and smart in the way it analyzes input specs. |