API security
Invicti API Security
Invicti API Security is an add-on to the Invicti dynamic web application security testing platform that provides API discovery capabilities.
Invicti Security is an American company which provides web security products that have proven themselves for organizations from various industries, including Fortune 500 leaders.

Average number of APIs per web application in most companies
%
of organizations do not maintain an accurate inventory of their APIs
%
of enterprises have experienced a security incident due to APIs
%
of developers deploy APIs to production weekly or monthly
%
of enterprises make changes to APIs daily or weekly
%
of web traffic is API requests
Key features
What challenges does Invicti API Security solve?
Undocumented APIs
Such “shadow” APIs are a part of the attack surface that is not controlled at all, which creates a significant threat to the organization's security. Invicti API Security finds such APIs to reduce risk.
Out-of-date versions of API specifications
This is a common problem in environments where APIs change frequently, and communication between developers and the security team cannot keep up with this pace. To overcome these difficulties, Invicti API Security regularly synchronizes specifications to the platform console, providing the team with full visibility.
Problems with inventorying
When an organization has many APIs, inventorying them is a headache, and it is important not to miss a single resource. To simplify this process, Invicti API Security places the detected APIs in one consolidated list for the convenience of specialists.
Lack of tool consolidation
A large number of tools can create confusion for teams working with them. Therefore, Invicti combines API discovery and scanning, as well as testing and searching for websites available on the Internet, on one platform.


Invicti API Security technologies
Zero-Configuration API Discovery
Scans existing targets in the console that are exposed over HTTP/HTTPS for open ports and accessible paths to identify and retrieve Swagger2 and OpenAPI3 specifications (every 48h).
Agentless API Discovery
Automatically generates traffic during scanning and reconstructs API specifications from it. It works externally and does not require an agent to be installed.
Invicti Network Traffic Analyzer
Observes the traffic on the network to identify REST API calls and then reconstruct them into OpenAPI3 specifications after finding three or more API endpoints.
API Management Integration
Automatically syncs known API specification files (Swagger2, OpenAPI3) from API management systems into the Invicti console every 24 hours.
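
To make the traffic-based reconstruction described under Invicti Network Traffic Analyzer concrete, and to show how it surfaces the undocumented APIs discussed earlier, here is an added Python example; it is not Invicti's code. The sample traffic, the documented inventory, the `/api/` prefix filter, the ID-detection rule, and counting an endpoint as one method plus path template are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample traffic: (method, path) pairs as a passive sensor might log them.
OBSERVED = [
    ("GET", "/api/v1/users/1042?expand=roles"),
    ("GET", "/api/v1/users/77"),
    ("POST", "/api/v1/users"),
    ("GET", "/api/v1/orders/9f1c2d3e-0000-4000-8000-123456789abc"),
    ("DELETE", "/api/v1/internal/cache"),
    ("GET", "/static/app.js"),
]
# Constructed inventory: the operations the security team has on record.
DOCUMENTED = {("GET", "/api/v1/users/{id}"), ("POST", "/api/v1/users")}

MIN_ENDPOINTS = 3  # the page's "three or more API endpoints" threshold
# Assumption: a segment that is all digits or a UUID is a resource identifier.
_ID = re.compile(r"^(\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

def templatize(path):
    """Drop the query string and collapse identifier segments to {id}."""
    segments = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if _ID.match(s) else s for s in segments)

def reconstruct(observed, prefix="/api/"):
    """Build a minimal OpenAPI 3 document, or None if too few endpoints were seen."""
    paths = defaultdict(dict)
    for method, path in observed:
        if not path.startswith(prefix):
            continue  # skip static assets and other non-API traffic
        template = templatize(path)
        op = {"responses": {"default": {"description": "observed in traffic"}}}
        if "{id}" in template:  # this example handles one identifier per path
            op["parameters"] = [{"name": "id", "in": "path", "required": True,
                                 "schema": {"type": "string"}}]
        paths[template][method.lower()] = op
    if sum(len(ops) for ops in paths.values()) < MIN_ENDPOINTS:
        return None
    return {"openapi": "3.0.3",
            "info": {"title": "Reconstructed from traffic", "version": "0.0.0"},
            "paths": dict(paths)}

def undocumented(spec, documented):
    """Operations seen on the wire that the inventory does not list."""
    seen = {(m.upper(), p) for p, ops in spec["paths"].items() for m in ops}
    return sorted(seen - documented)

if __name__ == "__main__":
    for method, path in undocumented(reconstruct(OBSERVED), DOCUMENTED):
        print("shadow API candidate:", method, path)
```
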