42Crunch is a developer of an application programming interface (API) security platform intended to automatically generate the appropriate security policies for enterprises. The company's enterprise-grade, end-to-end API security platform offers confidentiality, integrity, availability, generation of the security configuration for API orchestrations, management of API Keys, passwords, and other sensitive data, and protection of API Infrastructure.
The 42Crunch platform is intended to provide users with a set of automated tools to help secure an API infrastructure by describing security in the API contract, enforcing policies through the entire lifecycle, and delivering security as code to enable a better DevSecOps experience. Part of this is performing over 300 security checks against an API contract to produce a detailed security score for prioritization, along with remediation advice for developing the best contract possible. The auditing and reporting offers developers actionable reports available directly from the developer's IDE, so that developers need no specific tools and gain visibility into the API's security status.
The platform includes security scans intended to detect misconfigurations and vulnerabilities during testing. According to 42Crunch, this testing is done once the API has reached a satisfactory audit score, and is intended to exercise the live API endpoints to detect any potential vulnerabilities or discrepancies between the implementation and the API's contract. The 42Crunch platform can also be used to protect APIs with a micro API firewall.
42Crunch's API Security Audit feature offers automated static analysis of an API's definition. The API is audited against the OpenAPI 3.0 or Swagger 2.0 specification to check adherence to its definitions and to catch a variety of security issues:
- Mass assignment issues due to loose request schemas
- Data and exception leakage issues due to loose response schemas
- Weak authentication schemes
- Injection vulnerabilities due to loose parameter and request payloads definitions
- Lack of resources control
The API Security Audit performs over 300 security checks, ranging from checks on the API contract's structure and semantics to checks on its security and its input and output data definitions. This is done on three levels: the first checks whether the API is a valid, well-formed OpenAPI file and whether it follows the best practices of the OpenAPI Specification; the second checks the security definitions of the API, how its authentication and authorization methods are designed, and whether the protocol is secure enough; and the third validates the data definition quality of the API, that is, what data the API accepts as input and what it can include in the output it produces.
These checks result in a report and the calculation of an audit score, which is intended to reflect the risk associated with exposing the API, both internally and externally. The resulting report is intended to offer development teams a quick path to fixing any problems, containing information about each issue, its potential risk, and how to address that risk.
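As an added illustration of the kind of contract-level checks described above (this is example code, not 42Crunch's audit engine or scoring), the following linter walks a constructed OpenAPI 3.0 document and reports loose request schemas (mass assignment), loose parameters (injection surface), unbounded arrays (resource control), schema-less responses (data leakage) and weak authentication. Treating HTTP basic or a missing `security` requirement as weak authentication is this example's own assumption.

```python
# Added example, not 42Crunch's code: a minimal audit-style linter for the issue
# classes listed above, run on a constructed OpenAPI 3.0 document.
SPEC = {  # constructed contract with deliberate weaknesses (not a real API)
    "openapi": "3.0.0",
    "components": {"securitySchemes": {"basic": {"type": "http", "scheme": "basic"}}},
    "paths": {"/users/{id}": {"put": {
        "security": [{"basic": []}],
        "parameters": [{"name": "id", "in": "path", "required": True,
                        "schema": {"type": "string"}}],
        "requestBody": {"content": {"application/json": {"schema": {
            "type": "object", "properties": {"name": {"type": "string"}}}}}},
        "responses": {"200": {"description": "ok"}},
    }}},
}

def is_loose(schema):
    """True if a schema leaves shape or size unconstrained."""
    t = schema.get("type")
    if t == "object":  # mass assignment: undeclared properties reach the backend
        return schema.get("additionalProperties", True) is not False or not schema.get("properties")
    if t == "string":  # injection surface: unbounded, unpatterned input
        return not any(k in schema for k in ("pattern", "enum", "maxLength", "format"))
    if t == "array":   # resource control: unbounded collections
        return "maxItems" not in schema or is_loose(schema.get("items", {}))
    return t is None   # untyped schema accepts anything

def audit(spec):
    """Return (path, method, finding) tuples for every contract weakness found."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            names = [n for req in op.get("security", spec.get("security", [])) for n in req]
            if not names or any(schemes.get(n, {}).get("scheme") == "basic" for n in names):
                findings.append((path, method, "weak-auth"))
            for p in op.get("parameters", []):
                if is_loose(p.get("schema", {})):
                    findings.append((path, method, f"loose-param:{p['name']}"))
            for mt in op.get("requestBody", {}).get("content", {}).values():
                if is_loose(mt.get("schema", {})):
                    findings.append((path, method, "mass-assignment"))
            for code, resp in op.get("responses", {}).items():
                bodies = resp.get("content", {})
                if not bodies or any(is_loose(m.get("schema", {})) for m in bodies.values()):
                    findings.append((path, method, f"loose-response:{code}"))
    return findings
```

Tightening the sample contract (`additionalProperties: false`, a `pattern` on `id`, a typed response schema, a non-basic scheme) empties the findings list, which is the remediation path the audit report points at.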
The 42Crunch Conformance Scan is intended to offer dynamic runtime testing of an API to ensure that the implementation of the API matches its contract definitions, especially in the case of bad requests. It can be thought of as a second layer over the initial audit: the audit performs static analysis, while the conformance scan offers dynamic, variable testing to better simulate real API traffic and test the API's behavior. The scan report flags responses that are unknown, of the wrong type, or not matching the JSON schemas described in the specification. This is done by sending traffic to the API to detect vulnerabilities triggered by the following:
- Wrong verbs
- Wrong paths
- Wrong content-type
- Wrong data format
- Outside of API constraints
- Data injection
Similar to the audit, the conformance scan provides a report intended to help developers understand how an API conforms to its definition, summarizing the scan and how it performed, and offering further details such as the attack the scan performed, the URL it called, and the response time of the API.
42Crunch also offers API Protection to help protect APIs throughout their lifecycle. The API firewall is built on the premise that many API attacks can be avoided with proper data validation of inbound and outbound messages. API Protection uses a positive security model based on strict conformity to the API contract of the protected API; it works to block unwanted requests, such as those from bots, and to prevent attackers from sending unexpected edge-case requests to APIs to extract information.
Part of this is done by having API Protection create an allowlist of the valid operations and input data based on the definitions in the API contract. The firewall enforces this configuration on all transactions, both incoming requests and outgoing responses, and blocks any transaction that does not conform to the API definition. The firewall is developed to offer automatic deployment and protection, with automatic reconfiguration whenever the API changes, in order to make the API firewall easy for users.
The API firewall is also designed not to interfere with an API's functionality and not to introduce further latency. The firewall is written in C and is intended to add less than 1 millisecond of latency to a whole transaction. It is also developed to be compatible with different API architectures, including gateways, microservices, and service meshes, and to be deployed at scale on container orchestrators such as Kubernetes, Amazon ECS, or Red Hat OpenShift.
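To make the positive security model concrete, here is an added example (not 42Crunch's firewall code) of a request filter that allows only what a constructed contract declares: known path and method, declared content type, well-formed JSON, and a body with no undeclared properties. The same `check_value` schema test, applied to a response body instead of a request, is the comparison the conformance scan described earlier makes; the example assumes a JSON-only API and supports only the JSON Schema keywords the sample contract uses.

```python
import json, re

# Constructed contract (not a real API): one allowed operation with a strict schema.
CONTRACT = {"paths": {"/users/{id}": {"put": {
    "requestBody": {"content": {"application/json": {"schema": {
        "type": "object", "additionalProperties": False, "required": ["name"],
        "properties": {"name": {"type": "string", "maxLength": 64},
                       "age": {"type": "integer", "minimum": 0, "maximum": 150}}}}}},
}}}}

def match_ops(contract, path):
    """Return the operations defined for the path template matching this request path."""
    for template, ops in contract["paths"].items():
        if re.fullmatch(re.sub(r"\{\w+\}", "[^/]+", template), path):
            return ops
    return None

def check_value(schema, value):
    """Validate a JSON value against the JSON Schema subset this example supports."""
    t = schema.get("type")
    if t == "string":
        return isinstance(value, str) and len(value) <= schema.get("maxLength", 10**9)
    if t == "integer":
        return (isinstance(value, int) and not isinstance(value, bool)
                and schema.get("minimum", value) <= value <= schema.get("maximum", value))
    if t == "object":
        if not isinstance(value, dict) or set(schema.get("required", [])) - set(value):
            return False
        props = schema.get("properties", {})
        if schema.get("additionalProperties") is False and set(value) - set(props):
            return False  # undeclared field is rejected at the edge, never forwarded
        return all(check_value(props[k], v) for k, v in value.items() if k in props)
    return False  # untyped schema: deny by default

def enforce(contract, method, path, content_type, raw_body):
    """Positive model: allow only requests that conform; return (allowed, reason)."""
    op = (match_ops(contract, path) or {}).get(method.lower())
    if op is None:
        return False, "operation not in contract"
    media = op.get("requestBody", {}).get("content", {})
    if content_type not in media:
        return False, "content-type not allowed"
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "malformed JSON"
    if not check_value(media[content_type]["schema"], body):
        return False, "body violates schema"
    return True, "ok"
```

Each rejection reason maps to one of the conformance-scan categories listed above (wrong verb or path, wrong content-type, wrong data format, outside API constraints), so the same contract drives both the test and the enforcement.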