Add API discovery to Secure tests
Problem Statement
We currently do not do any auto-discovery of APIs in customer applications. As part of our Dynamic and Static Analysis, we should programmatically crawl a user's API to discover all the endpoints that we should test.
Reach
Impacted Personas:
This will impact anyone who has responsibility for testing the security of the API endpoints for an application. As this is a first step to automatically testing application APIs, it will allow for that testing to happen with minimal or no configuration or input from the users.
The initial reach could be estimated at 1.5. This estimate will change as we do more discovery around the problem.
Impact
I would estimate the impact of this MVC at 0.5, right now. Once it is paired with automatically testing the security of the API, I would put the impact at 2.0. Since auto-discovery of the APIs is, in and of itself, not very impactful, this MVC will be used to set up an easy-to-use API security testing workflow. With auto-discovery, API testing could take place with very little to no configuration.
Confidence
I have high confidence (100%) that this is a problem for anyone who wants to test the security of their APIs. Manually defining APIs and making sure that the structure is correct can take a lot of time and needs to be reworked any time something is changed or a new endpoint is added. By automatically discovering the API structure and scanning that before running the tests, we can significantly reduce the amount of time a user would take to set up these tests.
Effort
I am not sure what the engineering effort would be for this. If we can integrate an open source product to do the discovery, the engineering effort might be 2 weeks. I do not believe that there would need to be any design work around this MVC. I think that it would be around 1 week for a PM to define the requirements. The current effort estimate is 0.75.