HACKER Q&A
mgl

Help me. Should I build a REST API security scanner?


Hi friends, I think this is the time I need your advice and would greatly appreciate your thoughts and hints.

I have spent the last 20 years building enterprise software in different sectors, also taking part in presales and technical due diligence activities during M&A processes, both on the buyer and the seller side.

Observing the landscape of application security tools and practices across multiple companies I have noticed a recurring pattern.

The application security sector appears primarily focused on two objectives: a) Independent researchers and boutique firms working hard to uncover new vulnerabilities and provide best practices. b) Large corporations producing web security tools that, to me, seem somewhat outdated. These tools often approach web applications as if they're server-side rendering apps or front-end applications tightly coupled with their back-end being developed by the same team. Basically, these tools identify potential user actions in your web application and attempt to target the corresponding endpoints with malicious content.

This would be fine; however, modern applications are typically written with a single back-end serving multiple front-ends (think: web, mobile, third-party integrations), and there are even REST API applications out there with no front-end at all.

To my understanding, most popular web security tools struggle to detect endpoints not explicitly utilized by the web front-end. This includes service endpoints intended to remain private. Ensuring the security of such endpoints often requires, for example, submitting a Swagger definition upfront (that can be outdated itself).

There are tools which try to do something similar, like kiterunner (last updated two years ago), but these are not packaged and complete solutions.

Is it possible there are no modern REST API security scanners which could validate, e.g., mobile apps' REST API back-ends without providing a Swagger file or intercepting the network traffic?

How do you reliably test the security of your REST API apps?

Is there a market for such a security tool dedicated to REST API testing, e.g. targeting mobile app developers?

I would be super thankful for your input on how you approach this subject, and whether I am blind or there really is a gap that you see as well and would like to be filled.


gryfft (accepted answer)
It looks like Invicti has done some work in this space [1]. I'm sure you've seen this pretty good Stack Exchange discussion on the topic [2, 3].

As you say, the boutique shops aren't going to be relying on automated scans; they're going to have engineers who'll use their experience, knowledge and personal tooling (Metasploit modules, etc.).

I don't really have any skin in the space, but IMHO it'd be kind of surprising to see a successful new REST API security startup.

1. https://www.invicti.com/support/scanning-restful-api-web-ser...

2. https://security.stackexchange.com/questions/51010/api-secur...

3. https://security.stackexchange.com/questions/126936/how-do-y...