
On-Premises Sanity Test Guide

1. API Registration


Register your APIs for security testing and compliance.

To get started with APIsec security coverage and scanning for your APIs, you need to first register your API.

On the Homepage, click Register API.

image

Add an API name and an API documentation URL or file.

image

2. Scanners Deployment

Playbooks are scanned and tests are executed to uncover vulnerabilities.

Click on the 'Scanners' module on the home page, as shown in the screenshot.

image

You can deploy Private Scanners across AWS, Azure, GCP, Kubernetes, and on-premises.
The APIsec scanner is a light-weight Docker container.

You can deploy the on-prem Scanner as a Docker container on any Linux host, or deploy it across the above-mentioned cloud regions.

  1. Click on New Scanner on the Scanner module page.

image

  2. Enter the Scanner name and register the cloud service.

image

  3. Click Submit to deploy the private scanner.

On-Prem Deployment

To deploy an on-prem private scanner, you need to set up Docker or Kubernetes on the host machine.

  1. Click on 'Docker/Kubernetes installer' and select the cluster size.

image

  2. Click 'Submit' and 'OK' to proceed.

3. Environment and Authentication Configuration

Based on security categories, the environments and authentications are configured to access APIs.

On this page you can add, edit, and delete the current API testing environment and the API user-login credentials.
When you register the API, the API environment is created. The default name is "Master" and the BaseURL is the registered API URL.

You can add or clone an environment by clicking on the ellipsis beside the scroll bar.
The 'Authentications' list contains all the 'Credentials/Tokens' previously provided while registering the API.

You can also add and edit them on this page.

Every environment must have both a "Default" and an "Invalid_Auth" authentication for security testing.

  1. To add an environment, click on 'Add Env' and enter a Name and BaseURL.
  2. To add an authentication, click on 'Add Auth', fill in the details, and select the 'Authentication Type'.
  3. To test an added authentication, select it and click on 'Test Authentications'.

image

4. Triggering Scans

Executes the generated playbooks for the OWASP categories.

The key feature on the 'Project' dashboard is the 'Scan'.
You can initiate a Scan on the current Project by clicking on the Scan tile at the top-right of the page.

Select a Profile, a Scanner, and the Categories, then initiate the Scan by clicking on 'Submit'.

After the Scan is completed, it displays all the results.

image

5. Detected Vulnerabilities View

Provides the vulnerability test results.

At the bottom of the 'Project' page, the list of Open Vulnerabilities appears after the Scan.
You can view the details of each vulnerability by clicking on it.

image

6. False Positives Review (FP)

A false positive is an alert that incorrectly indicates that a vulnerability is present.

False positives are identified and marked by an AI Bot.

image