Modern application architectures are built on distributed apps and services that communicate through APIs. Synopsys API Scanner™ makes it easy for developers to identify security defects in the APIs they implement.
APIs provide open, flexible interfaces that enable applications and services to talk to each other. But these characteristics can also make it difficult to build secure software—and even more difficult for traditional AppSec tools to test it.
Synopsys API Scanner’s deep analysis and contextually aware fuzzing help development teams proactively protect their REST and GraphQL APIs and ensure that they are secure, correct, and behave to specification.
Using OpenAPI/Swagger or an HTTP Archive (HAR) export, Synopsys API Scanner builds a map of the entire API, including endpoints, parameters, type signatures, and specifications, as well as authentication and other required information to develop a deep understanding of the API and how to interact with it.
When pointed to a GraphQL endpoint, Synopsys API Scanner uses introspection (a GraphQL feature) and patent-pending graph reduction algorithms to build a traversable representation of the entire GraphQL API and a full representative set of queries used for auditing. Synopsys API Scanner is the only tool that can fully audit GraphQL APIs for vulnerabilities and correctness.
Synopsys API Scanner comprehensively tests your APIs for:
Automatically test every identified endpoint, fuzzing parameters with values generated through constraint and validation analysis to ensure the implementation doesn’t deviate from the specification.
Bypass server-side input validation to test the functionality of your APIs with payloads that are intelligently generated to test the boundaries of your validation.
Combine and test authentication methods, including OAuth2, JWT, and authorization headers, all within an easily defined workflow.
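The following is an added illustration of the constraint-driven test generation described above (it is not Synopsys API Scanner code, and the OpenAPI fragment, parameter names and the off-by-one validator are all constructed for the example). Each parameter schema is turned into values that sit exactly on a declared boundary and one step past it, plus a wrong-type probe; the implementation's validator is then run over every case and any disagreement with the specification is reported as a deviation.

```python
"""Spec-driven boundary test generation for OpenAPI parameter schemas.

Added example, not Synopsys API Scanner code. It demonstrates the idea of
"fuzzing parameters with values generated through constraint analysis":
values are derived from an OpenAPI schema's own constraints, and a stand-in
validator (playing the role of the server's implementation) is checked for
deviations from that spec.
"""
from typing import Any, Callable

# Constructed OpenAPI parameter schemas (not from any real API).
SPEC_PARAMS = {
    "limit": {"type": "integer", "minimum": 1, "maximum": 100},
    "q": {"type": "string", "minLength": 2, "maxLength": 8},
    "sort": {"type": "string", "enum": ["asc", "desc"]},
}


def expected_cases(schema: dict) -> list[tuple[Any, bool]]:
    """Derive (value, should_be_accepted) pairs from a schema's constraints.

    Values land exactly on each boundary and one step beyond it, so an
    implementation using '<' where the spec means '<=' (or vice versa) is
    caught. A wrong-type probe is appended for every non-enum schema.
    """
    cases: list[tuple[Any, bool]] = []
    t = schema.get("type")
    if "enum" in schema:
        cases += [(v, True) for v in schema["enum"]]
        cases.append(("__not_in_enum__", False))
        return cases
    if t == "integer":
        lo, hi = schema.get("minimum"), schema.get("maximum")
        if lo is not None:
            cases += [(lo, True), (lo - 1, False)]
        if hi is not None:
            cases += [(hi, True), (hi + 1, False)]
        cases.append(("not-an-int", False))  # type-confusion probe
    elif t == "string":
        lo, hi = schema.get("minLength"), schema.get("maxLength")
        if lo is not None:
            cases += [("a" * lo, True), ("a" * (lo - 1), False)]
        if hi is not None:
            cases += [("a" * hi, True), ("a" * (hi + 1), False)]
        cases.append((12345, False))  # wrong type for a string parameter
    return cases


def find_deviations(params: dict, validator: Callable[[str, Any], bool]) -> list[dict]:
    """Run every generated case through `validator` and report each place the
    implementation's accept/reject decision disagrees with the spec."""
    deviations = []
    for name, schema in params.items():
        for value, should_accept in expected_cases(schema):
            accepted = validator(name, value)
            if accepted != should_accept:
                deviations.append({"param": name, "value": value,
                                   "spec_accepts": should_accept,
                                   "impl_accepts": accepted})
    return deviations


def buggy_validator(name: str, value: Any) -> bool:
    """Constructed stand-in for a server's input validation. Its `limit`
    check uses 0 as the lower bound, deviating from the spec's minimum of 1."""
    if name == "limit":
        return isinstance(value, int) and 0 <= value <= 100
    if name == "q":
        return isinstance(value, str) and 2 <= len(value) <= 8
    if name == "sort":
        return value in ("asc", "desc")
    return False


if __name__ == "__main__":
    # Prints the single deviation: limit=0 is accepted although the spec rejects it.
    for d in find_deviations(SPEC_PARAMS, buggy_validator):
        print(d)
```

In practice the validator would be replaced by a function that sends the request to a test instance of the API and returns whether it was accepted; the generation logic stays the same, and the deviation list is what a CI job would fail on.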
Synopsys API Scanner runs in minutes, so your DevOps/CI pipeline isn’t slowed down.
Synopsys API Scanner integrates directly with Jenkins and other CI/CD pipeline tools, so you can build API security into your DevOps pipelines.
Tailor and automate any aspect of API scanning and issue reporting using the Synopsys API. If you can do it in the UI, you can do it with the API.