Due to the fast-growing usage of REST APIs, having a way to test them for vulnerabilities in an automated, reliable way is more important than ever. Automated testing of APIs is a little trickier than for web applications. You can’t simply enter a starting URL for the scanner and click “Go”. Additional setup is required to describe the API endpoints for the scanner. The good news is that Qualys Web Application Scanning (WAS) offers multiple ways to set up a scan for your APIs.
Up to now Qualys WAS has provided two methods to set up scanning of your APIs:
- Proxy capture method
- Swagger/OpenAPI file method
Now, WAS supports a 3rd method – Postman Collections. As we’ll explain, this method can provide better vulnerability testing compared to the others.