
Security Categories Use


APIsec lets you apply one or more public or private security categories while running a Scan.


9.1. Public Security Categories

APIsec provides 123 up-to-date public security categories. These categories cover the OWASP Top 10 along with other known API vulnerabilities.

The security categories are updated continuously. Current categories include:

  • Unsecured Endpoints
  • Authentication Weakness
  • Role-Based Access Controls (RBAC)
  • Attribute-Based Access Controls (ABAC)
  • SQL Injection
  • Distributed Denial of Service


9.2. Private Security Categories

APIsec offers enterprise customers the ability to add custom security models that cover newly discovered vulnerabilities in a specific database or framework.

Note: Only the Enterprise admin can add or edit a security model.

To add a new security model:

  1. Click 'New Security Model' and select the model type from the drop-down menu.

  2. 'Injection' is selected for this demo.

The Basic section requires the following information:

  • Name: Provide a unique name for the security model.
  • Injection Data: The payloads that will be injected into the target API during playbook execution (Security Scanning).


The Advanced section requires the following information:

  • Key: Autofilled from the name of the security model.
  • Assertions: Provide the assertions for the security model. The rules and details are given in the comment box next to 'Assertions'.
  • Security Model Description: Optional, but it helps others understand the purpose of the model. It can be written in plain text or with HTML tags.
  • Assertions Description: Also optional, but it can be added to explicitly define the meaning of the assertion expressions.
  • Remediation: The admin can add mitigation techniques for the vulnerabilities covered by the security model.
  • Tags: Tags classify the vulnerabilities. For example, 'OWASP Top#2' can be a tag for a security model that covers the second OWASP Top 10 vulnerability.
  • Vulnerability Scoring System: The default is CVSS 3.1, but you can also define a custom scoring scale.
  • Est. Time to Fix (hours): The time required to fix the vulnerabilities.
  • Est. Bounty Value: The bounty offered by various programs for such vulnerabilities.
  • Auth: By default this is "Default", but you can instead use an auth name declared in the environment variables.
  • Beta Toggle: Turn this on if the security model is a beta version.
  • Skip Filing Vulnerability Toggle: If off, the vulnerability is not filed after the scan: even if it is detected, it is not recorded in the results.
  • Scope: The scope of a custom security model is private; it is visible only to users of the enterprise.

  3. Click 'Build and Launch' to make the model available for use during a Scan.
