Checkmarx API Security identifies phantom and zombie APIs during software development
In Las Vegas, at Black Hat USA 2022, Checkmarx launched Checkmarx API Security, the “shift-left” API security solution. Building on the launch of Checkmarx Fusion, which prioritizes and correlates vulnerability data from different AppSec engines, Checkmarx API Security is delivered as part of the Checkmarx One platform.
The developer-workflow-oriented solution also inventories phantom and zombie APIs as part of its inventory and remediation capabilities, with the aim of securing the entire API lifecycle.
According to Gartner, “Every connected mobile, modern web, or cloud-hosted application uses and exposes APIs. These APIs are used to access data and invoke application functionality. APIs are easy to expose but difficult to defend. This creates a large and growing attack surface, leading to an increasing number of publicly disclosed API attacks and breaches. Traditional network and web protection tools do not protect against all the security threats faced by APIs, including many of those featured in OWASP’s Top 10 API Security.”
Checkmarx API Security addresses security issues earlier in the software development life cycle (SDLC). This earlier coverage provides:
- Visibility of APIs: Discover phantom and zombie APIs with a view of the entire API attack surface.
- Shift-left approach: Detect APIs in application source code so that issues are identified and resolved earlier in the SDLC.
- Priority remediation: Enable developers and AppSec teams to fix the most important issues first by prioritizing API vulnerabilities according to their impact and risk.
- View application risk: Scan entire applications with a single solution, eliminating the need for additional API-specific tools and reducing overhead for already strained AppSec teams.
“Modern application development increasingly depends on APIs, which are notoriously difficult to document. Often the only place documentation for a given API exists is on the developer’s laptop,” said Emmanuel Benzaquen, CEO of Checkmarx.
“Our global enterprise customers are focused on transitioning to cloud-native application development, but their tools have only been able to address part of the API challenge posed by cloud-native development. Checkmarx’s goal is to secure every component of every application in a way that keeps developers productive and streamlines processes for AppSec managers, enabling their organizations to be agile, secure, and competitive,” Benzaquen continued.
Checkmarx API Security offers:
- Automatic API discovery: Automatically identify API endpoints without requiring manual API definition or registration by AppSec teams or developers.
- Complete API inventory: Discover newly created or updated APIs as source code is checked in or compiled by developers, as early as possible in the SDLC.
- Unknown API identification: Automatically compare an application’s full API inventory against its API documentation to identify unknown, phantom, and zombie APIs.
- API-centric remediation: API-specific views that allow AppSec teams and developers to prioritize fixing API vulnerabilities and the OWASP API Security Top 10 risks.
- Full application coverage: A single Application Security Testing (AST) solution for the entire application, covering both API-based and non-API-based components, providing a holistic view of security risks and prioritized vulnerability remediation.
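The inventory-versus-documentation comparison described above can be illustrated with a small script. This is an added example, not Checkmarx code: it assumes Flask-style `@app.route` decorators as the source-code inventory, an OpenAPI-style `paths` object as the documentation, and classifies a route as phantom when it is in code but undocumented, zombie when it is still in code but documented as deprecated, and stale_docs when it is documented but no longer in code. The source text and spec are constructed samples.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a Flask-style source file as a developer might check it in.
SAMPLE_SOURCE = '''
@app.route("/api/v2/users", methods=["GET", "POST"])
def users(): ...
@app.route("/api/v1/users", methods=["GET"])
def users_v1(): ...
@app.route("/api/v2/export")
def export(): ...
'''

# Constructed sample: the OpenAPI document the team maintains for the same app.
SAMPLE_SPEC = {
    "paths": {
        "/api/v2/users": {"get": {}, "post": {}},
        "/api/v1/users": {"get": {"deprecated": True}},
        "/api/v2/orders": {"get": {}},
    }
}

# One decorator per line: capture the path and, if present, the methods list.
ROUTE_RE = re.compile(r'@app\.route\(\s*"([^"]+)"(?:[^\n]*?methods=\[([^\]]*)\])?')

def discover_routes(source: str) -> Set[Tuple[str, str]]:
    """Return (METHOD, path) pairs found in route decorators (the code inventory)."""
    found = set()
    for path, methods in ROUTE_RE.findall(source):
        names = re.findall(r'"([A-Z]+)"', methods) or ["GET"]  # Flask defaults to GET
        for method in names:
            found.add((method, path))
    return found

def documented_routes(spec: dict) -> Dict[Tuple[str, str], bool]:
    """Map (METHOD, path) -> deprecated flag from an OpenAPI-style paths object."""
    out = {}
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            out[(method.upper(), path)] = bool(op.get("deprecated", False))
    return out

def classify(source: str, spec: dict) -> Dict[str, List[Tuple[str, str]]]:
    """Diff the code inventory against the documentation (assumed definitions)."""
    code = discover_routes(source)
    docs = documented_routes(spec)
    return {
        "phantom": sorted(r for r in code if r not in docs),      # exposed, undocumented
        "zombie": sorted(r for r in code if docs.get(r)),         # deprecated but still live
        "stale_docs": sorted(r for r in docs if r not in code),   # documented, not in code
    }
```

Running `classify` in CI on every check-in turns the documentation drift into a reviewable finding rather than something discovered only in production.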
Gartner also reported that “attacks against applications are now focusing on APIs, and the rate of attacks is increasing. API abuses and exploits are a common category of attack that can lead to data breaches. DevSecOps teams are focusing their attention on the need to improve API testing in development. To identify the optimal approach to API testing, they turn to a combination of traditional tools (such as static AST [SAST] and dynamic AST [DAST]) and emerging solutions focused specifically on API requirements.”
Checkmarx API Security is available now.