A Portuguese start-up with the mission to make software security accessible to everyone offers automated security testing that requires no configuration or security expertise and delivers swift reporting to help companies quickly detect and fix vulnerabilities as well as instill a security mindset. The company is looking for partners that develop, directly or through outsourcing, software that relies on APIs and that would be interested in deploying this solution in the context of a services agreement.
The security testing offered by the company is fully automated, requires no prior security knowledge from the user, has no additional configuration, and offers swift reporting to help companies quickly fix vulnerabilities as well as instill a security mindset. This technology can be deployed at any company that develops or buys software that relies on REST (Representational State Transfer) APIs (Application Programming Interfaces).
Companies that develop APIs can integrate the generated reports into the development life cycle of their products to detect vulnerabilities painlessly, as often and as early as possible, thereby reducing costs and preventing security issues from reaching production. Companies that outsource their development can use these tests to ensure the security of the software delivered by their suppliers without needing dedicated security teams or employing external teams.
The solution is a black-box testing service built on top of complex fuzzers. It monitors communication, validates payloads and detects anomalies. It can be installed on premises or used as a cloud service. Testing is done in three steps:
1- The user submits the API specification.
2- The solution automatically attacks the API looking for vulnerabilities, the same way a hacker would.
3- It generates high-level dashboards and technical reports, for easy auditing and remediation.
In this service agreement the start-up offers a web platform to configure and identify security vulnerabilities in APIs, and will work with the partners to customize the offering to accommodate specific needs and requirements.
The start-up was co-founded by two engineers, one Portuguese and one Polish, who have experience in the banking and telecommunications sectors and have published research on automated vulnerability detection.
Acronyms:
REST (Representational State Transfer) is an architecture style for designing networked applications. It virtually always relies on the HTTP protocol. For more information, see http://rest.elkstein.org/
API (Application Programming Interface) is a set of routines that are often used to exchange information or functionality between software components using predefined signatures. For more information, see https://en.wikipedia.org/wiki/Application_programming_interface
Innovations and advantages
REST is an architectural style and an approach to communications that is often used in the development of Web services. REST is a popular building style for cloud-based APIs. When Web services use REST architecture, they are called RESTful APIs (Application Programming Interfaces) or REST APIs.
Security testing is an arduous and expensive process. In particular, API security testing is done wrong for several reasons: it is largely based on manual work, it follows the waterfall methodology instead of an agile methodology, and it often does not cover all aspects of testing due to time constraints. Furthermore, security tests are typically performed by third parties, whether consultants, security experts, penetration testers or others.
Several companies have also identified these problems and are trying to fix them. However, the solutions they provide are primarily targeted at security experts: they try to solve the aforementioned issues by providing more automation to increase the efficiency of security teams. The main flaw with this approach is that security testing continues to be opaque to everyone other than the security teams. An inclusive approach that adapts to the role of each member is bound to have better results, as it makes the security process transparent and thus better understood.
The company shares the latter view by providing automatic security testing that requires no prior knowledge and zero configuration, and offers great reporting to help clients quickly fix vulnerabilities as well as instill a security mindset. The service is built for users who understand very little about security and who do not have the time or the will to configure new tests and procedures to prevent attacks. Furthermore, because it leverages API specification languages to configure all the tests required, it does not require any setup. This is a unique feature that provides major time and cost savings.
Current stage of development
The company is looking for partners to trial the solution, and to adapt it to their specific requirements.
01003006 Computer Software
01003009 Data Protection, Storage, Cryptography, Security
01003014 Internet Technologies/Communication (Wireless, Bluetooth)
01003018 User Interfaces, Usability
01006005 Network Technology, Network Security
Market application codes
02007015 Integrated software
02007022 Software services
Intellectual property rights
Area of partner's activity
The company is looking for trial partners interested in improving the security of any software that relies on REST APIs. Due to the nature of the service, there are no restrictions on the industry or size of the partner. The service has two main requirements. First, the specification of the API and the credentials to invoke it. Second, access, from the cloud or from the internal network, to the environment (Production, Development, etc.) where the API is deployed. The specification of the API defines all the information required to use the API, including endpoints, parameters, etc. A standardized format such as Swagger is recommended. Any credentials that might be necessary should also be provided.