API Discovery and Coverage
With IAST API Discovery and Coverage you can identify which APIs an application exposes, how long each API has been exposed (its first-discovered date), and which APIs were exercised during a scan and which were not.
An API is a combination of three distinct data points: the HTTP method of the request (for example GET or POST), the URL of the request, and the associated API operation (the handler that the framework invokes for that method and URL).
Click the APIs tab to display the APIs discovered in the selected scan.
Note
If the application does not run on one of the frameworks that support IAST API Discovery (listed below), the APIs tab is not shown.
The API discovery table lists every API discovered by the CxIAST agent. The table can be filtered to show only the APIs that were used, or only the APIs that were not used, during the scan. The API coverage shown for a scan is the ratio of used APIs to discovered APIs.
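The API identity and the coverage calculation described above, as an added example that is not part of the Checkmarx documentation or product. It models an API as the page's three data points (method, URL, operation), attributes observed requests to discovered routes, and reports coverage as used versus discovered APIs. The class and method names, the `{name}` route-template convention used to map a concrete request path back to its route, and all routes and traffic are constructed for illustration (Java 16+ for records):

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/*
 * Added example, not Checkmarx code. Models the API identity the page describes
 * (HTTP method + URL + operation) and computes per-scan coverage as used vs.
 * discovered APIs. Route templates use {name} placeholders; that is an assumption
 * about how a request URL is mapped back to the route that served it.
 */
public class ApiCoverage {

    /** The three data points that identify an API. */
    public record ApiKey(String method, String urlTemplate, String operation) {}

    /** A request observed during the scan (constructed sample input). */
    public record Request(String method, String path) {}

    // Discovered API -> usage count. Insertion order is kept so reports are stable.
    private final Map<ApiKey, Integer> usage = new LinkedHashMap<>();

    /** Register a route the framework exposes; its usage count starts at zero. */
    public void discover(String method, String urlTemplate, String operation) {
        usage.putIfAbsent(new ApiKey(method, urlTemplate, operation), 0);
    }

    /** Attribute one observed request to the discovered API whose method and template match it. */
    public void observe(Request r) {
        for (ApiKey k : usage.keySet()) {
            if (k.method().equalsIgnoreCase(r.method()) && matches(k.urlTemplate(), r.path())) {
                usage.merge(k, 1, Integer::sum);
                return;
            }
        }
        // No discovered route matches: the request is not counted against any API.
    }

    /** Segment-wise match; a {placeholder} segment accepts any single non-empty segment. */
    static boolean matches(String template, String path) {
        String[] t = template.split("/"), p = path.split("/");
        if (t.length != p.length) return false;
        for (int i = 0; i < t.length; i++) {
            boolean placeholder = t[i].startsWith("{") && t[i].endsWith("}");
            if (placeholder ? p[i].isEmpty() : !t[i].equals(p[i])) return false;
        }
        return true;
    }

    public int discovered() { return usage.size(); }

    public long used() { return usage.values().stream().filter(c -> c > 0).count(); }

    /** Coverage as the page defines it: used APIs over discovered APIs. */
    public double coveragePercent() {
        return discovered() == 0 ? 0.0 : 100.0 * used() / discovered();
    }

    /** APIs with a zero usage count: the testing-coverage gaps the page says to look for. */
    public List<ApiKey> unused() {
        List<ApiKey> out = new ArrayList<>();
        usage.forEach((k, c) -> { if (c == 0) out.add(k); });
        return out;
    }

    public static void main(String[] args) {
        ApiCoverage cov = new ApiCoverage();

        // Constructed route table, shaped like what a Spring MVC controller would expose.
        cov.discover("GET",    "/api/orders",      "OrderController.list");
        cov.discover("POST",   "/api/orders",      "OrderController.create");
        cov.discover("GET",    "/api/orders/{id}", "OrderController.get");
        cov.discover("DELETE", "/api/orders/{id}", "OrderController.delete");
        cov.discover("GET",    "/api/admin/users", "AdminController.users");

        // Constructed traffic from a test run; the last request matches no discovered route.
        List<Request> traffic = List.of(
            new Request("GET",  "/api/orders"),
            new Request("GET",  "/api/orders/42"),
            new Request("GET",  "/api/orders/43"),
            new Request("POST", "/api/orders"),
            new Request("GET",  "/api/orders/42/items"));
        traffic.forEach(cov::observe);

        System.out.printf("discovered=%d used=%d coverage=%.1f%%%n",
            cov.discovered(), cov.used(), cov.coveragePercent());
        cov.unused().forEach(k -> System.out.println("never exercised: " + k));
    }
}
```

Two design points carry over to reading the real table: the same URL with different methods is a different API (here `GET /api/orders` is covered while `DELETE /api/orders/{id}` is not), and a request that matches no discovered route adds to nothing, so it cannot inflate coverage.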
Item | Description |
---|---|
Method | The HTTP method (GET, POST, ...) used for the API. A single API can be listed with more than one HTTP method. |
URL | The API URL, as used by clients to invoke the API. |
Operation | The operation (function) that is called when the API is invoked. |
Is Documented | Indicates whether the API is documented and presented in an API documentation tool (such as Swagger). If no documentation tool is detected, the Is Documented column is not displayed. The SpringFox implementation of Swagger2 in Spring Boot and Spring MVC is currently supported. |
Is Authorized | Indicates whether the API requires authorization. An API is considered authorized if access permission is granted based on some user criteria; authentication by itself is not considered authorization. A user must access the API at least once so that IAST can analyze the security chain of that request. If no authorization tool is detected, the Is Authorized column is not displayed. Spring Security, as used by Spring Boot and Spring MVC, is currently supported. |
Usage Count | The number of calls to the API observed by the CxIAST agent during the scan. A zero or low usage count points to APIs that the test run did not exercise, which may indicate a testing coverage gap. |
First Discovered | The date and time at which the CxIAST agent first discovered the API. Recently added APIs deserve attention, because new code may introduce new vulnerabilities. |
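The distinction the Is Authorized column draws between authentication and authorization, shown in Spring Security configuration. This is an added example and is neither Checkmarx code nor the detection logic IAST uses; the class names, route paths and role are assumptions, and the configuration assumes the Spring Security 6 `SecurityFilterChain` style:

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/*
 * Added example, not Checkmarx code. Three kinds of access rule that an IAST
 * agent hooking Spring Security would observe on the request's security chain.
 * Paths, roles and class names are assumptions made for illustration.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // No user criteria at all: anyone, authenticated or not, may call these.
                .requestMatchers("/api/public/**").permitAll()
                // Authentication only: any principal that has logged in passes.
                // On the page's definition this is not authorization.
                .requestMatchers("/api/orders/**").authenticated()
                // Authorization: access depends on a user attribute (the ADMIN role).
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                // Fail closed for any route not listed above.
                .anyRequest().denyAll())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

/** Method-level rule: the same user-criteria check expressed on the handler itself. */
@RestController
class AdminController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/api/admin/users")
    List<String> users() {
        return List.of("alice", "bob"); // constructed sample data
    }
}
```

Reading this against the column definition: `.authenticated()` grants access to anyone who has logged in, so by the page's definition the orders endpoints are authenticated but not authorized, whereas `hasRole("ADMIN")` and the `@PreAuthorize` expression decide on a user criterion. The page also notes that IAST has to see at least one request before it can analyze the security chain, so a route that no test ever calls shows nothing in this column regardless of how it is configured.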
IAST API Discovery supports the following frameworks:
- Spring MVC (Java)
- Jersey (Java)
- Spring Boot (Java)
- ExpressJS (Node.js)
- Sails.js (Node.js)
- Hapi (Node.js)
- MVC (.NET Core)
- Web API (.NET Core and .NET Framework)
Note
For .NET Framework Web API applications, APIs are discovered on their first invocation rather than when a new scan starts. An API that is never called during the scan is therefore not listed in the table for that scan.