API Discovery overview
This feature is available with Invicti API Security Standalone or Bundle
API Discovery helps build an actual and complete catalog of an organization's internal and external API assets by discovering existing and new APIs. Once discovered, those API specification files can be plugged into Invicti's DAST engine and scanned for vulnerabilities.
This document provides an overview of the API Discovery capability in Invicti Platform.
Access to API Discovery requires either an Administrator, Owner, Security Analyst, or Security Manager role, or a custom role with the API Discovery permission. |
What is API Discovery?
API Discovery helps AppSec leaders and development teams identify, locate, manage, and keep track of their organization's APIs, including unknown APIs. This is achieved by building an API catalog with the help of fast and easy-to-use tools that also enable you to keep up to date with the latest versions of your APIs and discover new endpoints. When combined with Invicti's powerful web asset scanning capabilities, API Discovery helps you overcome the operational challenges of API security through a single platform.
How does API Discovery work?
Invicti takes a multi-faceted approach to API discovery by offering three methods that can be combined to identify and fetch API endpoints:
- Network API Discovery: The Invicti Network Traffic Analyzer observes the traffic on your network to identify and then reconstruct REST API calls into OpenAPI3 specifications.
- API Management Integration: Acunetix integrates with API management systems to fetch and sync your known Swagger2 and OpenAPI3 specifications.
- Zero Configuration API Discovery: Scans your existing cloud targets for open ports and accessible paths to identify and retrieve Swagger2 and OpenAPI3 specifications.
Continue reading to learn more about each of these approaches to API discovery.
Network API Discovery
Network API Discovery helps you identify missing and undocumented (shadow) APIs by tapping into and analyzing your organization's available Kubernetes network interfaces. This is achieved by deploying the Invicti Network Traffic Analyzer (NTA) to your Kubernetes cluster. The NTA includes a tap plugin that identifies API-specific unencrypted web traffic, which is converted to telemetry messages and sent to the NTA for reconstruction into OpenAPI3 specs. Those reconstructed OpenAPI3 specs are then pushed to your API Catalog in Invicti Platform.
The Invicti NTA needs to find at least three endpoints on the same host in order to reconstruct and push an Open API3 specification file to your API Catalog. |
For network traffic-based discovery, refer to our definition and installation documents:
- NTA integrations overview
- NTA with Istio Mesh Service
- NTA with Tap Plugin
- Integrate NTA with Kong overview
- Integrate NTA with Kong API Gateway in Kubernetes
- Integrate NTA with Kong API Gateway in Docker
- Integrate NTA with Kong API Gateway in Linux
- Integrate NTA in Docker with NGINX in Docker
- Integrate NTA in K8s with NGINX in K8s
- Integrate NTA with F5 BIG IP iRule
- Integrate NTA with Cloudflare Worker
API Management integration
The Invicti Platform integrates with leading API management solutions—including Amazon API Gateway, Apigee API hub, Azure API Management, Kong Konnect, and MuleSoft Anypoint Exchange—to automatically retrieve and import your organization's Swagger 2.0 and OpenAPI 3.0 specifications into the Inventory > Projects. Once configured, these integrations sync every 24 hours to ensure your API Catalog reflects the latest specifications.
For information on how to set up an API Management integration, refer to the following documentation:
- Integrating with Amazon API Gateway
- Integrating with Apigee API hub
- Integrating with Azure API Management
- Integrating with Kong Konnect
- Integrating MuleSoft Anypoint Exchange
Zero-configuration Discovery
Using your existing cloud targets in Invicti, zero-configuration discovery builds your API Catalog by identifying, validating, and retrieving APIs that are exposed over HTTP(S). This is the quickest way to onboard existing APIs into your Invicti API Catalog. Currently, zero configuration discovery only checks for Swagger2 and OpenAPI3 specifications. For more information, refer to our documentation: Get started with Zero configuration API Discovery.
What is the API catalog?
The API catalog is the area within Invicti Platform Inventory that contains all your discovered and imported APIs. It is a list of all the API endpoints that can be scanned for vulnerabilities by linking the API specification files to an existing or newly created targets.
On the Inventory > API catalog page you can view the information in the following columns:
- API: The name/URL of each API.
- Source: How the API was discovered or imported (for example, via an integration, Invicti NTA, or zero-config crawling).
- Target: Whether the API is linked to a target for scanning capability.
- Vulnerabilities: The overall vulnerability count for the API (after it has been scanned) divided by the vulnerability severity.
- Last scanned: The date and time that the API was last scanned by Invicti.
Each API listed in your API catalog can be expanded to show the individual endpoints it contains and their vulnerability count.
For more information, refer to the following documentation: