MMS • Aditya Kulkarni
BLST Security recently released the latest version of its platform, enabling DevOps and Application Security teams to avoid API specification flaws. The BLST platform aims to help teams understand their APIs by creating an OpenAPI Specification table.
Business Logic Security Testing (BLST) Security has developed an end-point mapper that gives developers a graphical interface. With the latest version, developers can upload any OpenAPI Specification (OAS) file and get access to the params table, the end-point mapper, and misconfiguration checklists. For developers using the platform, the aim is to make documenting their APIs easy. The online BLST mapper can help developers understand how their API works by looking at how their clients use it.
OpenAPI Specification is a standard, language-agnostic interface for describing, producing, consuming, and visualizing RESTful web services. Formerly known as the Swagger Specification, a properly defined OAS document lets a consumer understand and interact with the remote service with a minimal amount of implementation logic. After the OAS file is uploaded, BLST runs a series of checks on it and provides a detailed table describing each problem and its location in the document, to speed up resolution.
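As an added illustration (not BLST's code), the following standalone Python checker runs a handful of such checks over a constructed OpenAPI 3 document held as a dict and reports each problem together with its JSON Pointer location; the check set and the sample document are assumptions for the example, not the platform's actual checklist.

```python
# Added example, not BLST's code: a minimal OpenAPI 3 misconfiguration checker
# returning (location, problem) pairs, with locations as RFC 6901 JSON Pointers.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def _ptr(segment: str) -> str:  # escape one JSON Pointer segment
    return segment.replace("~", "~0").replace("/", "~1")

def check_openapi(spec: dict) -> list[tuple[str, str]]:
    findings: list[tuple[str, str]] = []
    # Check 1: every server URL should use TLS.
    for i, server in enumerate(spec.get("servers", [])):
        if server.get("url", "").startswith("http://"):
            findings.append((f"/servers/{i}/url", "server URL uses plaintext HTTP"))
    # Check 2: without securitySchemes the document cannot express authentication.
    if not spec.get("components", {}).get("securitySchemes"):
        findings.append(("/components/securitySchemes", "no security schemes defined"))
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            loc = f"/paths/{_ptr(path)}/{method}"
            # Check 3: unauthenticated if neither the operation nor the document
            # sets a security requirement, or the operation sets [] or [{}].
            sec = op.get("security", global_security)
            if not sec or sec == [{}]:
                findings.append((loc, "operation has no security requirement"))
            # Check 4: a parameter without schema or content cannot be validated.
            for j, param in enumerate(op.get("parameters", [])):
                if "schema" not in param and "content" not in param:
                    findings.append((f"{loc}/parameters/{j}", f"parameter '{param.get('name')}' has no schema"))
    return findings

# Constructed sample document (not from the article) with deliberate weaknesses.
SAMPLE_SPEC = {
    "openapi": "3.0.3", "info": {"title": "Orders API", "version": "1.0"},
    "servers": [{"url": "http://api.example.test"}],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],  # document-wide default requirement
    "paths": {
        "/orders": {
            "get": {"parameters": [{"name": "status", "in": "query"}]},  # no schema
            "post": {"security": []},  # opts out of the default requirement
        },
        "/health": {"get": {"security": [{}]}},  # anonymous access permitted
    },
}

def demo() -> list[tuple[str, str]]:
    return check_openapi(SAMPLE_SPEC)
```

Calling `demo()` on the sample yields four findings: the plaintext server URL, the unvalidated `status` parameter, and the two operations that end up without a security requirement.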
As observed by the Cloudflare Radar team, API traffic was the fastest-growing of all traffic types, up 21% between the first week of February 2021 and the first week of December 2021. A study conducted by the Marsh McLennan Cyber Risk Analytics Center on 117,000 cybersecurity incidents found that API insecurity was responsible for annual losses of between $41 billion and $75 billion globally.
Twitter user and YouTuber Kunal Kushwaha took notice of BLST Security, tweeting, “Why is API security necessary? How to secure business logic? Let’s look at the difference between APIs a few years ago and APIs nowadays, following up with ways to find vulnerabilities your API management misses with @BLSTSecurity”.
“The industry is starting to recognize the idea that this is a really important area — that the data and services that go across APIs are critical. What we’re seeing is that API security is falling in the cracks.”
In another session at TechStrong Con, Matt Tesauro, Distinguished Engineer at Noname Labs, Noname Security, stated that tools need to understand how APIs write to or talk to other APIs, and that it is also possible to use the traffic recorded in HTTP archives.