API security testing just got easier with 42Crunch's new scanner

42Crunch officially released the 42Crunch API Platform, an API security cloud platform to discover vulnerabilities in APIs and protect them from attack. The 42Crunch Platform can protect SaaS, Web, or IoT APIs, as well as microservices.

This follows the launch of the free API Contract Security Audit tool at APISecurity.io earlier this month. The tool helps API developers improve their API definitions that follow the OpenAPI Specification into proper API contracts. Now, with this latest release, customers have access to the full 42Crunch Platform.

The market has already seen a huge increase in API attacks over the past few years. API breaches include such big names as Facebook, T-Mobile, Panera Bread, Verizon, and the United States Postal Service (USPS). Gartner predicts that "by 2022, API abuse will be the most frequent attack vector resulting in data breaches for enterprise web applications".

42Crunch Platform offers a set of integrated services that can be leveraged as part of the APIs' DevSecOps cycle: 

• API Contract Security Audit: An exhaustive security audit of the OpenAPI definition, with detailed security scoring that helps developers define and strengthen their API contracts.
   
• API Contract Conformance Scan: A scan of live API endpoints that discovers potential vulnerabilities and discrepancies in your API implementation against the API contract.
   
• API Protection: A straightforward and easy way to protect APIs and apply policies that can be deployed in our lightweight, low-latency, API-native micro firewall. API Firewall automatically enforces traffic based on your API contract and applies security policies to protect API endpoints wherever they are. It can be deployed in Kubernetes and Docker, on public clouds (Amazon, Azure, Google), or on the customer's private cloud.

The traditional approach in web application security requires customers to use a combination of products — such as SAST, DAST, WAF, RASP, and API management — to address different security concerns, in different network zones, and at different stages of the application life cycle. This approach leaves gaps and is difficult to operate, consolidate, maintain, and deploy.

42Crunch Platform aims to overcome these difficulties. With the platform, enterprises can centrally enforce and monitor corporate security policies, using tools that have been designed both to be API-centric and to work together. Security teams get a 360° view of the entire API portfolio, including audit grades, usage, prevented attacks, and potential vulnerabilities.

"Our experience at 42Crunch both in the web application security and API integration space made it very clear that API security is the biggest challenge for security teams today, and that we had to change the way companies can protect their applications and data in a much more holistic, integrated, and simple way than they do today in web application security", says Jacques Declas, 42Crunch CEO and founder.

APIs are not web applications. APIs have unique logic, unique authentication and authorization mechanisms, and unique vulnerabilities. They can be consumed by humans, machines, or other APIs. Traditional security solutions only focus on known attack types and lack granular understanding of these aspects of APIs. This makes the traditional solutions incapable of detecting or preventing attacks that exploit the vulnerabilities unique to APIs.

42Crunch's approach is to start with the API contract and to offer developers tools to help them define that contract to be very strict. The API contract becomes the core of the positive security model of our API Firewall, and policies are tailored automatically to each and every API. This virtually eliminates false positives and false negatives and does not require training any AI for weeks on end to learn the model. API Contract Conformance Scan completes the loop by automating tests based on the API contract, allowing to refine both the API contract itself and the policies attached to the API.

API development is agile and fast-paced. Manual approaches to API security are doomed to fail. Instead, enterprises need to inject security checks as early as possible in the API lifecycle and continuously test and apply proper policies as existing API evolves and new APIs are built. The 42Crunch Platform works in such a way that the entire flow through the platform (Audit, Scan, Protect) can be automated and attached to the CI/CD pipeline, efficiently enabling a DevSecOps approach.