Security Categories Use
APIsec allows you to use one or more public or private security categories while running a Scan.
9.1. Public Security Categories
APIsec has 123 up-to-date public security categories. These categories cover the OWASP Top 10 along with other known API vulnerabilities.
The security categories are updated continuously. Existing ones include:
- Unsecured Endpoints
- Authentication Weakness
- Role-Based Access Controls (RBAC)
- Attribute-Based Access Controls (ABAC)
- SQL Injection
- Distributed Denial of Service
9.2. Private Security Categories
APIsec offers this feature to its enterprise customers so they can add custom security models for newly discovered vulnerabilities in a database or a framework.
Note: Only the Enterprise admin can add or edit a security model.
To add a new security model:
1. Click 'New Security Model' and select the type of model from the drop-down menu. 'Injection' is selected for this demo.
2. Fill in the Basic and Advanced sections described below.
The Basic section requires the following information:
- Name: Provide a unique name for the security model.
- Injection Data: The payloads that will be injected into the target API during playbook execution (Security Scanning).
The Advanced section requires the following information:
- Key: Autofilled from the name of the security model.
- Assertions: Provide the assertions for the security model. The rules and details are given in the comment box next to 'Assertions'.
- Security Model Description: Optional, but it helps others understand the purpose of the model. It can be written in plain text or with HTML tags.
- Assertions Description: Also optional, but it can be added to explicitly define the meaning of the assertion expressions.
- Remediation: The admin can add mitigation techniques for the vulnerabilities covered by the security model.
- Tags: Tags classify the vulnerabilities; for example, OWASP Top#2 can be a tag for a security model that covers the OWASP top 2 vulnerability.
- Vulnerability Scoring System: The default is CVSS 3.1, but you can also define a custom scoring scale.
- Est. Time to Fix (hours): The time required to fix the vulnerabilities.
- Est. Bounty Value: The bounty offered by different programs for such vulnerabilities.
- Auth: "Default" by default, but you can use the name declared in the environment variables.
- Beta Toggle: Turn this on if the security model is a beta version.
- Skip Filing Vulnerability Toggle: If off, it prevents filing the vulnerability after the scan: if the vulnerability is detected it will not be filed (recorded) in the results.
- Scope: The scope of a custom security model is private; it is visible to the enterprise user only.
3. Click 'Build and Launch' to make the model ready for use during a Scan.
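To make the relationship between Injection Data, Assertions, Tags and the filing toggle concrete, here is an added example that models these fields in plain Python; it is not APIsec's own code, and the assertion format (a list of (field, regex) pairs that must all match), the `file_vulnerability` flag and the mock target are assumptions made for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class SecurityModel:
    """Hypothetical stand-in for one custom security model."""
    name: str
    injection_data: list[str]            # payloads injected into the target API
    assertions: list[tuple[str, str]]    # (field, regex); all must match to count as a hit
    file_vulnerability: bool = True      # False: detect the issue but do not record it
    tags: list[str] = field(default_factory=list)

def assertions_hold(model: SecurityModel, status: int, body: str) -> bool:
    """Every assertion must match the response for the payload to be a detection."""
    fields = {"status": str(status), "body": body}
    return all(re.search(pattern, fields[name]) for name, pattern in model.assertions)

def run_model(model: SecurityModel, target: Callable[[str], tuple[int, str]]):
    """Inject each payload, evaluate the assertions, and file hits unless filing is off."""
    detected, filed = 0, []
    for payload in model.injection_data:
        status, body = target(payload)
        if assertions_hold(model, status, body):
            detected += 1
            if model.file_vulnerability:
                filed.append({"model": model.name, "payload": payload,
                              "status": status, "tags": list(model.tags)})
    return detected, filed

def mock_target(payload: str) -> tuple[int, str]:
    """Constructed mock of the API under test: a stray quote surfaces a database error."""
    if "'" in payload:
        return 500, "Internal error: unterminated quoted string in query"
    return 200, '{"ok": true}'

# Constructed model: two payloads, one of which the mock target mishandles.
INJECTION_MODEL = SecurityModel(
    name="Quote Error Disclosure",
    injection_data=["plain", "'"],
    assertions=[("status", r"^5\d\d$"), ("body", r"(?i)quoted string|syntax")],
    tags=["Injection"],
)

if __name__ == "__main__":
    count, findings = run_model(INJECTION_MODEL, mock_target)
    print(count, findings)
```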