Find API Security Vulnerabilities With Parasoft Continuous Quality Version 2021.2
By Jeff Peeples
October 14, 2021
The latest release of the Parasoft Continuous Quality solution is now available with updated versions of Parasoft SOAtest, Virtualize, CTP, and DTP. This release focuses on three primary areas.
- API security testing. Parasoft SOAtest now features the ability to closely integrate dynamic application security testing (DAST) for APIs into your functional test suites, and DAST also integrates seamlessly with Parasoft CTP and Parasoft Virtualize.
- Enhanced reporting across all three applications including updates to test execution, API coverage, and API security reports, all of which publish directly to Parasoft DTP to optimize testing and sprint planning.
- Usability improvements, including adding SOAtest and Virtualize servers in CTP, right-click menu upgrades, installation and integration enhancements, and more.
A Focus on API Security, Reporting, & Customer Usability
Following the success of the 2021.1 release’s focus on delivering quality at speed, Parasoft’s 2021.2 release centers specifically on you, the customer.
How can this latest release help you optimize and maximize delivering quality at speed?
Through feature updates and usability improvements, you can access the right information at the right time and ensure your applications are tested to harden them against cyberattacks.
API Security Enhancements
In addition to Parasoft SOAtest’s existing extension for BurpSuite, there’s a new capability that augments SOAtest through seamless integration with OWASP ZAP. Now developers and testers can simply add penetration testing to their functional test suites and launch a battery of pen testing cyberattack simulations for the entire suite or specific tests. As these tests have already been created for the functional side, reusing these same tests saves substantial time and rework effort, and most of all, these tests can be run as part of a CI/CD pipeline without manual intervention.
Some APIs require setup before they can be exercised, such as prepping the database or calling other APIs first. When you start from functional tests that are already proven to work correctly, that setup is already in place.
Typical penetration testing tools are able to report vulnerabilities, but they fall short when giving any context about the use case and/or requirement to which the vulnerability is connected. Using SOAtest to execute the test cases, the API vulnerabilities are reported in the context of a use case. When scenarios have been associated with requirements, developers and testers get additional business context about the impact of the security errors to the application. With SOAtest plus DAST, you now have the ability to run pen testing scenarios within the CI/CD pipeline, turning functional tests into security regression tests.
Additionally, this enhancement includes HTTP verb fuzzing, which parses and validates your OpenAPI- or RAML-formatted specification, then tests for accessible HTTP methods not defined in the service definition that may or may not have been considered, essentially testing your API for what’s “not there”. The results of all these API security tests can be viewed in a user-friendly HTML report format that’s easy to understand, and all the results and information flow into DTP so you can plan your current and upcoming sprint strategy.
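The “what’s not there” check described above, as an added illustration that is not SOAtest’s own code: it parses a constructed OpenAPI document, lists the HTTP methods each path does not declare, and grades constructed responses to probes of those methods so that a verb the specification never promised but the service still accepts stands out. `SAMPLE_SPEC` and `OBSERVED` are assumed sample data, not taken from the page.

```python
import json

# Constructed OpenAPI 3 document (sample data, not from the page or from Parasoft).
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "paths": {
    "/users":      {"summary": "user collection", "get": {}, "post": {}},
    "/users/{id}": {"get": {}, "delete": {}}
  }
}""")

# Verbs worth probing. HEAD and OPTIONS are left out: they normally mirror GET
# and CORS preflight behaviour, so a 200 there is rarely a finding on its own.
PROBE_METHODS = ("get", "post", "put", "patch", "delete", "trace")
# Keys an OpenAPI path item can hold that are operations (as opposed to metadata).
OPERATION_KEYS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def undeclared_methods(spec):
    """Return {path: [METHOD, ...]} listing probe verbs the spec does not declare."""
    result = {}
    for path, item in spec.get("paths", {}).items():
        declared = {k.lower() for k in item if k.lower() in OPERATION_KEYS}
        result[path] = [m.upper() for m in PROBE_METHODS if m not in declared]
    return result


def classify(status):
    """Grade the status code returned when an undeclared verb was sent."""
    if status in (404, 405, 501):
        return "ok"                     # the service correctly refuses the verb
    if status in (401, 403):
        return "reachable but access-controlled; confirm it is intended"
    return "undeclared method accepted" # spec says nothing, service says yes


def audit(spec, observed):
    """observed maps (path, METHOD) -> status code captured from a test run."""
    findings = []
    for path, methods in undeclared_methods(spec).items():
        for method in methods:
            status = observed.get((path, method))
            if status is not None and classify(status) != "ok":
                findings.append((path, method, status, classify(status)))
    return findings


# Constructed responses standing in for a real probe run against a test server.
OBSERVED = {("/users", "PUT"): 405, ("/users", "DELETE"): 200, ("/users", "TRACE"): 405,
            ("/users/{id}", "PUT"): 501, ("/users/{id}", "PATCH"): 403}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SPEC, OBSERVED):
        print(finding)
```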
Coverage & Reporting Enhancements
Usability improvements were made to Parasoft SOAtest’s ability to capture application coverage and report results. Application coverage captured by SOAtest can now be reported to DTP directly and baseline coverage reports for test impact analysis can be generated without the need for extra scripts. For further visibility, application coverage can now be captured by tests run on server-only installations of SOAtest.
Additionally, HTML reports produced by SOAtest desktop have a more modern look and feel. CTP test execution jobs have been separated from test scenarios themselves, and we’ve added the ability to create custom reports for test execution jobs. You can also configure your CTP jobs to send results to DTP. Meanwhile, test scenarios can now be accessed directly via URL and feature syntax coloring of JSON and XML event messages to improve readability.
We’ve made many exciting usability enhancements to the products included in this release. Please see the full details in our 2021.2 release notes for SOAtest, Virtualize, CTP, and DTP. Here are a few teasers to whet your appetite. You can:
- Add and configure SOAtest and Virtualize servers from within CTP.
- Create parameterized responders from service definitions, without the use of recorded traffic.
- Get better visibility for traceability with Azure DevOps integration and test granularity with external requirement management systems in DTP.
- Access new right-click action menus on Test Scenario and Virtual Asset trees in CTP.
- Receive email notifications of results upon completion of your tests.
- Get support for GitLab and compliance with ADA 508/WCAG 2.1 AA through CTP.
Plus so much more!
Parasoft’s 2021.2 release of the Continuous Quality solution also takes a giant step forward by making each of our enterprise products available as Docker images on DockerHub. Watch for these in the coming weeks, which will make installation and setup substantially easier for our customers.
The 2021.2 release of Parasoft SOAtest, Virtualize, CTP, and DTP marks a new level of visibility into API security, adding seamless integration with OWASP ZAP to our existing BurpSuite compatibility.
We also focused on usability, coverage, and reporting enhancements, as well as substantially simplifying installation/setup via DockerHub, to improve the user experience and increase productivity. There are more exciting enhancements that have been added to the products that you can read about in the release notes for SOAtest, Virtualize, CTP, and DTP.