You've Got the Swagger, We've Got the SaaS

API security scanning changes today. Tinfoil Security is launching our new patent-pending API Scanner! After astounding feedback from developers leveraging our scanner and rigorous testing, we are proud to offer our scanner to the public. We are giving developers and companies the ability to scan and secure APIs with two different methods of deployment: on-premise and SaaS. We are very excited to invite you to see the API Scanner in action. 

As a clarification, we’re talking about web-based APIs such as REST APIs, web services, mobile-backend APIs, and the APIs that power IoT devices. We are not targeting lower-level APIs like libraries or application binary interfaces - a crucial distinction to make. The sorts of security vulnerabilities that affect web-based APIs are going to mirror the same categories of vulnerabilities we’ve spent the past eight years defending against with our web application scanner.

We’ve built a security scanner that understands how APIs work from the ground up, how they’re used, and most importantly, how they’re attacked. Existing solutions use a web application scanner to scan APIs, but that approach does not take into account the unique nature of APIs. Just as web applications can be vulnerable to issues like Cross-Site Scripting (XSS) or SQL injection, APIs can also fall prey to similar attacks. It isn’t quite that simple, though, and the nuances of how these vulnerabilities are detected and exploited can vary drastically between the two types of applications. In the case of XSS, for example, the difference between a vulnerable API and a secure API depends not only on the presence of attacker-controlled sinks in an HTTP response, but also on the content-types of the responses in question, how a client consumes those responses, and whether sufficient content-type sniffing mitigations have been enforced.

APIs also aren’t discoverable. Unless you’re one of the dozen companies in the world with a HATEOAS-based API, it isn’t possible for a security scanner to load up your API, follow all of the links, and automatically discover all of the endpoints in that API. The parameters expected by those endpoints, and any constraints required by them, are even harder to discover. Without some way of programmatically acquiring this information, API security scanning simply can’t be automated in the same way that web scanning has been.

To deal with these discoverability issues in APIs, we looked at standards like Swagger, RAML, and API Blueprint. We’ve found that Swagger (now known as the OpenAPI Specification), in particular, is winning out as the standard for API documentation. In response, we’ve designed our API scanner to ingest Swagger documents and use them to build a map of an API for scanning. Doing so solves the issue of being unable to crawl an API. It also allows us to scan APIs with a higher level of intelligence than black-box dynamic web application scanning has ever been able to.

We have addressed authentication issues using something we call authenticators. We’ve distilled API authentication down to its foundations; whether that’s as simple as adding a header or parameter to a request, or as complex as performing an entire OAuth2 handshake and storing the received bearer token for later use. We’re then able to chain together all of the authenticators, incrementally transforming unauthenticated requests into authenticated ones. Having such a nuanced understanding of all the steps of an authentication workflow lets us detect when any of those steps have failed, and when the server isn't honoring any of them. This allows us to fuzz the individual steps of an authentication flow, providing a powerful tool for determining authorization and authentication bypasses.

Some features that will get any developer excited: 

  • Intelligent payload generation
  • A powerful REST API to control the scanner and its reports
  • First-class support for API authentication workflows. 

What we mean by intelligent payload generation is parameter fuzzing that takes into account the schemas of the parameters, e.g. types of parameters, constraints, whether the parameter is required, and valid inhabitations to name a few.

In addition to vulnerability scanning, our scanner also performs correctness checking and looks for bugs to reduce an API’s attack surface. With full integration into your existing CI/CD pipeline, we create and track issues and vulnerabilities easily, allowing your teams to focus on what’s most important to your organization.

You can, for the first time, secure your APIs with a scanner that was built specifically for APIs. We’re not just pointing our web application scanner at your API and calling it good. Our API scanning is intelligent and thorough. By using your API’s specification as an outline, we focus on security vulnerabilities as they manifest themselves within APIs. This means fewer false positives, a higher degree of coverage, and a better understanding of the risk posture posed by your APIs.

There is every reason to give our unrivaled API Scanner a test drive, and you can do it right now. For a more detailed feature breakdown, please refer to this post

Nicholas Bates

Nicholas is The Writing Writer, or Tinfoil Security's new Technical Content Writer. He has a background in network security where he worked as an engineer for 7 years before joining the Tinfoil team. As a father of his 3-year-old daughter, when he is not writing you can find him hiking with his family, or practicing Jiu-Jitsu.

Tags: Free Scan Launch DevSec DevOps

Democratizing Security

Every now and again it’s good to take a step back and assess what you’re working on. It’s been a little over a year since my co-founder Borski and I took a step back at our former jobs in the defense and intelligence community -- he doing offensive software security, and I doing security consulting. What we realized then, and what is still true now, is there are more security issues affecting our world than the ones we encountered in our work. Every day, each of us is affected by the lack of good security products as we give away our personal, credit, and other sensitive information to insecure websites. But why?

The security market is broken. We’re stuck in a rut between services that are cheap but provide poor security (if they actually provide security at all), and services that are expensive, but outdated. It’s too simple for a service to spit out unactionable results, forcing you to hire an expensive security consultant, or to acquire a security product, roll it as their own, and call it good for years afterward without a single useful update.

I’m tired of falling in love with a service but having to avoid it because of its security flaws. There is no reason we can’t have a great security option for the small and medium-sized companies at a fraction of the cost, a solution that stays up-to-date on the latest hacks and can scan remotely, on a schedule, with five-minute setup: automated, proactive, integrated and affordable. Security needs to be democratized – accessible to and understandable by the masses.

Today marks our initial product release: a release we hope will be the first step of many in securing your information. We at Tinfoil Security are “ex-offense,” now playing defense. 93% of the hundreds of companies we’ve scanned have had at least one vulnerability. We help them get to zero. In addition to the heavy security experience brought by our team of MIT engineers, ease of use and actionability are our top priority. We respect your time.

Your data is one of your greatest assets. It’s time you have a partner that helps you protect your data, and cares about your security as if it were their own. We’re taking a new leap into the security market, making it efficient and agile.

I hope you join us.

Start a free scan now at


Co-founder & CEO

“To safeguard a public-facing website against external threats, a business needs two things: a team whose job is keeping up to date on the latest hacks and exploits and the ability to run safety scans randomly, periodically, and from an external location. This is the combination that Tinfoil offers as a service – a strong and growing team of security experts ready to run your site through the security gauntlet. To me, this is ‘peace of mind as a service,’” says Kirill Sheynkman, Senior Managing Director of RTP Ventures. “Much the way most heavy-trafficked global sites didn’t think of going live without first reading their ‘Gomez Report’, no company that opens its web application to the world should ever do so without continuous, external monitoring and safety provided by Tinfoil.”

Ainsley Braun

Ainsley Braun is the co-founder and CEO of Tinfoil Security. She's consistently looking for interesting, innovative ways to improve the way security is currently implemented. She spends a lot of her time thinking about the usability and pain points of security, and loves talking with Tinfoil's users. She also loves rowing, flying kites, and paragliding.

Tags: Free Scan Launch Public Beta Redesign United