
Enhanced API Scanning with Postman Support in Qualys WAS

Due to the fast-growing usage of REST APIs, having a way to test them for vulnerabilities in an automated, reliable way is more important than ever. Automated testing of APIs is a little trickier than for web applications. You can’t simply enter a starting URL for the scanner and click “Go”. Additional setup is required to describe the API endpoints for the scanner. The good news is that Qualys Web Application Scanning (WAS) offers multiple ways to set up a scan for your APIs.

Up to now Qualys WAS has provided two methods to set up scanning of your APIs:

  1. Proxy capture method
  2. Swagger/OpenAPI file method

Now, WAS supports a third method: Postman Collections. As we’ll explain, this method can provide better vulnerability testing compared to the others.


Automate the Delivery of Security Intelligence for New Assets

As 2013 comes to a close, enterprise partnerships and mergers and acquisitions in the tech sector have continued to occur at billion-dollar levels. One can infer there is much to gain from adding the confidential intellectual properties of others. The true puzzle is understanding if the intellectual properties are, in fact, truly confidential. After all, what is the value in acquiring trade secrets if they are not secret?
