APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications. Over 90% of developers now use APIs, and over half say that APIs help them to develop better products.  

But more APIs means more risk. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII), and as more organizations use them to increase automation and improve performance, APIs are becoming an increasingly attractive target for attackers.  

Rapid API growth means more risk

Gartner predicted that: “API attacks will become the most-frequent attack vector in 2022, causing data breaches for many enterprise web applications,” with several high-profile API breaches like Optus, T-Mobile and Experian disclosing millions of customers’ PII.

Knowing where your APIs are, understanding how attackers can exploit them, and fixing any vulnerabilities in your APIs are increasingly critical for developers and the SaaS businesses that use them.

Introducing API scanning with Intruder

Every business has some level of cybersecurity risk, but scaling companies that rely on APIs are more at risk than most. But most cybersecurity tools are built for large enterprises, can be hard to use and need some level of security expertise.  

Intruder is different. It’s easy to use and always on. It keeps track of your entire tech stack, showing where and how you’re vulnerable, while prioritizing what matters most. And now that includes vulnerabilities in your API endpoints.  

We’re really excited to add this powerful new capability to Intruder and we think you’ll love the new features. APIs need purpose-built security controls that address the unique vulnerabilities that APIs introduce. Designed by developers for developers, our API scanning will enable you to:  

• Create an inventory of all your API endpoints
• Detect common API vulnerabilities
• Proactively test your APIs before they go into production

Our approach to API vulnerability scanning

Our approach to ‘informed’ API scanning means that when you upload your API schema, we can do a comprehensive scan against every single endpoint listed in your schema. This can also help those customers who have Single Page Applications (SPAs) and who are struggling to receive meaningful results from application vulnerability scanning.

By running checks on your endpoints, apps and the infrastructure they run on, no critical vulnerability is missed. With our Dynamic Application Security Testing (DAST) scanner and informed scanning strategy, you can even integrate your security testing into your CI/CD pipeline to find issues earlier in the development lifecycle.

Our new Application licenses

API and web application security can be complex, but licensing doesn’t need to be. We understand this, so we’ve worked hard to simplify our licenses while adding API scanning. Take a look at our pricing here.  

From today, our current Authentication Licenses will have a new name and new capabilities. These ‘Application licenses’ will still scan your authenticated applications as before, but you can now add APIs to your targets.

Why not run your first API scan today. Here’s how:

• Add an API as a target by uploading your OpenAPI/Swagger schema
• Add an existing authentication or a new authentication to the API
• Get the scan results in your Scan Details page

If you need help, we’re here for you:

• Read our introduction to API security
• Need help? Check out our Help article about API scanning
• Got feedback? Chat to us in-app, we’d love to hear from you

‍