OpenAPI Spec Audit
Release notes
Identify gaps in your API Security Design and remediate them to shift your API Security left.
Problem to solve
Engineering and Security teams do not have good visibility into how well their APIs have been defined and if API spec/definition files follow security best practices. As an engineer, I want to be able to understand when my OpenAPI file is ready to be used in the next stage of development. As the security team, I want to ensure that developers are properly defining their APIs using security best practices prior to developing the APIs or releasing them to production.
What is an OpenAPI (swagger) spec?
OpenAPI specs are design documents. These files are the foundation of API testing and API security testing. By maintaining well defined OpenAPI files, customers will design and build more secure APIs and be better able to identify security issues during the testing phase.
Proposal
Provide an audit score for OpenAPI files. The score provides visibility into which APIs are well defined, and which need more work before being developed. Lower scores also indicate that API testing tools will not work as well as they could because information is missing. This is a form of static analysis to analyze OpenAPI files.
Scope
Must Have
- Security score
- Data validation score
- What level of data validation is defined
- Validation gaps reduce points
- Overall score
- A combination of the points from security score + data validation score
- The higher the score, the more defined/secure the API definition file is
- Remediation Guidance
- Explanation of changes that need to be made to improve the audit score
Could Have
- IDE integration - display results in the IDE
- Dashboard for security team
Won't Have
Intended users
Personas are described at https://about.gitlab.com/handbook/product/personas/
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.