Skip to content

Latest commit

 

History

History
527 lines (373 loc) · 25.8 KB

File metadata and controls

527 lines (373 loc) · 25.8 KB

🛡️ API Security Platform — Full‑Lifecycle API Security

Enterprise‑grade API discovery, security testing, and runtime protection enhanced by Generative AI


564707944-8faee856-708c-4574-b10a-cb5eced85a6c

API Security Platform, a part of ZeroShield

Table of Contents


Trial License & Security

Trial License Limits

  • Trial accounts include a limited number of scans per license period.
  • Upgrade to a full license for unlimited scanning, runtime protection, and advanced integrations.
  • Sign up for a trial account

Security Measures & Data Protection

The API Security Platform implements enterprise‑grade security measures to protect your data and ensure the highest level of application security:

Application Security

  • OWASP API Security Top 10 alignment — targets are tested against the OWASP Top 10 for API Security categories.
  • Two‑Factor Authentication (2FA) — login is protected with an email OTP verification step.
  • Captcha‑protected login to deter automated attacks.
  • Secure authentication with token‑based sessions and encrypted session management.
  • Input validation and sanitization across all user inputs to prevent injection attacks.

Data Privacy & Protection

  • Encrypted credential storage — customer cloud and source‑control credentials (AWS / Azure / GCP / GitLab / Bitbucket) are encrypted at rest.
  • Minimal data retention — only the metadata required for scan tracking and reporting is retained.
  • Signed, verified webhooks for inbound source‑control events (GitHub / GitLab / Bitbucket).
  • Encrypted data transmission using TLS for all communications.

Additional Security Features

  • Role‑based access control — Super Admin, Organization Admin, and Org User roles.
  • Account‑activation email confirmation before first sign‑in.
  • Automated security monitoring with real‑time alerting.

Paid Access

To learn more about our paid plans and pricing options, please contact our team:

📧 Email: support@zeroshield.ai

Our team will work with you to find the right plan for your organization's needs.

Get started with a trial account to experience the API Security Platform today!


About the API Security Platform

The API Security Platform is a full‑lifecycle API security solution within the ZeroShield platform. It helps organizations discover their APIs, test them for vulnerabilities, monitor them at runtime, and deliver findings into the tools their teams already use.

There are two complementary ways to bring your APIs into the platform:

In the product Use it to… Where you find it
Scans Run on‑demand or scheduled security assessments against an API you describe (REST collection, WSDL, GraphQL endpoint, or a crawlable base URL). No code or infrastructure changes required. Top navigation → Scans
Integrations Connect your own infrastructure and toolchain — cloud platforms, SDKs, agents, CI/CD pipelines, source control, and result/notification tools — so the platform protects and observes APIs in place. Top navigation → Integrations

Findings produced by integrations are surfaced under Advanced Protection, where runtime protection and analytics turn telemetry into actionable security. Every finding is mapped to OWASP, CWE, CVSS, and major compliance frameworks, with AI‑generated explanations and remediation.


Core Mission

Empower teams to rapidly discover, test, and protect every API across their estate — automating vulnerability detection, runtime monitoring, and compliance mapping. The API Security Platform bridges security, development, and compliance, enabling secure digital innovation across REST, SOAP, GraphQL, cloud, and CI/CD.


Key Capabilities

  • Agentless REST / SOAP / GraphQL vulnerability scanning (collection, WSDL, introspection, or auto‑discovery)
  • Deep endpoint auto‑discovery and inventory cataloging
  • AI‑powered remediation and finding enrichment
  • Cloud connectors for AWS, Azure, and GCP API surfaces
  • SDK + TCP Agent / Docker proxy for real‑time traffic capture
  • CI/CD scan gates and source‑control webhooks (GitHub / GitLab / Bitbucket)
  • Runtime protection — API blocking rules, secrets/PII leak detection, coverage analytics, forensic evidence
  • Real‑time scan progress and live dashboards
  • OWASP Top 10 for API Security & multi‑framework compliance mapping
  • PDF / CSV audit‑ready reporting
  • Result integrations with Slack, Teams, Jira, and more

Platform Architecture

The API Security Platform brings two complementary approaches — agentless Scans and live Integrations — into one unified engine. Both feed a shared analysis pipeline that enriches every finding with OWASP, CWE, CVSS, and compliance context, then surfaces results across the dashboard, reports, and runtime protection.

High-Level Architecture

flowchart TB
    subgraph Sources["🔌 Your APIs & Infrastructure"]
        A1["REST / SOAP / GraphQL APIs"]
        A2["Cloud APIs<br/>AWS · Azure · GCP"]
        A3["Live App Traffic<br/>SDK · TCP Agent / Docker"]
        A4["CI/CD & Source Control<br/>GitHub · GitLab · Bitbucket"]
    end

    subgraph Platform["🛡️ API Security Platform"]
        direction TB
        B1["Scans<br/>(Agentless Assessments)"]
        B2["Integrations<br/>(Connectors & Agents)"]
        C["Security Analysis Engine<br/>Discovery · Vulnerability Testing"]
        D["AI Enrichment & Compliance Mapping<br/>OWASP · CWE · CVSS · ISO/PCI/SOC2/NIST/GDPR"]
        E[("Secure Data Store<br/>Encrypted Credentials")]
    end

    subgraph Outcomes["📊 Outcomes"]
        F1["Dashboard & Security Analytics"]
        F2["Scan Reports<br/>PDF / CSV"]
        F3["Advanced Protection<br/>Runtime Modules"]
        F4["Compliance Monitoring"]
        F5["Result Integrations<br/>Slack · Teams · Jira"]
    end

    A1 --> B1
    A2 --> B2
    A3 --> B2
    A4 --> B2
    B1 --> C
    B2 --> C
    C --> D
    D --> E
    D --> F1
    D --> F2
    D --> F3
    D --> F4
    D --> F5
Loading

Manual Scan Flow

How an agentless REST / SOAP / GraphQL scan moves from setup to an audit‑ready report.

flowchart LR
    U(["👤 User"]) --> N["New Scan<br/>Name + Project"]
    N --> T{"API Type?"}
    T -->|REST| R["Collection URL / Upload<br/>or Auto‑Discover"]
    T -->|SOAP| S["WSDL / Endpoint"]
    T -->|GraphQL| G["Endpoint / Schema"]
    R --> CFG["Scan Configuration<br/>Parameters + Depth + Auth"]
    S --> CFG
    G --> CFG
    CFG --> SC["Security Analysis Engine<br/>Endpoint Discovery + Testing"]
    SC --> EN["AI Enrichment<br/>OWASP · CWE · CVSS · Remediation"]
    EN --> REP["Scan Report<br/>Evidence · Cost of Breach · Fixes"]
    REP --> EX["Export PDF / CSV<br/>Create Tickets"]
Loading

Integrations & Runtime Protection Flow

How live traffic and connected infrastructure power continuous, real‑traffic security under Advanced Protection.

flowchart LR
    subgraph Inputs["Traffic & Connectors"]
        I1["SDK in your app"]
        I2["TCP Agent / Docker proxy"]
        I3["Cloud connectors<br/>AWS · Azure · GCP"]
        I4["CI/CD gates & SCM webhooks"]
    end

    I1 --> ING["Traffic & Event Ingest<br/>(API Key authenticated)"]
    I2 --> ING
    I3 --> ING
    I4 --> ING
    ING --> ANALYZE["Analysis Engine<br/>+ AI Enrichment"]

    subgraph AP["🧩 Advanced Protection Modules"]
        M1["API Blocking Rules"]
        M2["Coverage Analytics"]
        M3["Secrets & Token Leak Controls"]
        M4["Data Minimization & Privacy"]
        M5["Automated Evidence & Explainability"]
    end

    ANALYZE --> M1
    ANALYZE --> M2
    ANALYZE --> M3
    ANALYZE --> M4
    ANALYZE --> M5
    AP --> OUT["Per‑Project Results<br/>Dashboards · Compliance · Alerts"]
Loading

AI-Powered Finding Enrichment

Every raw finding — from a scan or a live integration — is enriched before it reaches you.

flowchart LR
    RAW["Raw Finding<br/>(Scan / Traffic)"] --> AI{{"AI Enrichment Engine"}}
    AI --> O1["OWASP API Top 10 Category"]
    AI --> O2["CWE Classification"]
    AI --> O3["CVSS Severity Score"]
    AI --> O4["Compliance Mapping<br/>ISO · PCI · SOC2 · NIST · GDPR · HIPAA…"]
    AI --> O5["Plain‑Language Explanation<br/>+ Remediation Steps"]
    O1 --> RES["Enriched, Actionable Finding"]
    O2 --> RES
    O3 --> RES
    O4 --> RES
    O5 --> RES
Loading

Note: These diagrams are conceptual overviews of how the platform works for customers. They render automatically on GitHub and other Mermaid‑compatible viewers.


Security Frameworks & Standards

The API Security Platform aligns findings to industry‑standard frameworks for comprehensive, audit‑ready coverage:

OWASP API Security Top 10

Every finding is mapped to the relevant OWASP Top 10 for API Security category (e.g. API1:2023 Broken Object Level Authorization, API2:2023 Broken Authentication), giving you a recognized reference for triage and reporting.

CVSS Risk Scoring

Each vulnerability receives a CVSS score (out of 10) for quantitative severity, visualized in the scan report as severity distribution and CVSS score charts.

CWE Classification

Findings carry their associated CWE (Common Weakness Enumeration) identifiers, linking each issue to a well‑known weakness class for developers.

Broad Compliance Coverage

Findings are automatically mapped to a wide range of frameworks, including ISO 27001, PCI DSS, SOC 2, NIST CSF, NIST 800‑53, GDPR, HIPAA, MITRE ATT&CK, OWASP ASVS, CMMC, CCPA, FIPS, FISMA, and RBI CSF — with per‑finding and summary‑level compliance impact.


Target Users

Security Engineers

Automate API vulnerability discovery, testing, and compliance.

Real World Scenario: Sarah, a Senior Security Engineer at a fintech startup, must assess a new payment‑processing API before a PCI audit. She creates a REST scan from a Postman collection, selects the security parameters she wants to test, and launches. Within the hour she has a full report — findings mapped to OWASP API categories with CVSS scores and CWE identifiers, plus AI‑generated remediation. She exports a report mapped to PCI DSS controls and passes the audit on the first try.

Developers & DevOps

Shift API security left into CI/CD.

Real World Scenario: Mike, a DevOps Lead, connects the platform to his pipeline so every pull request triggers an API scan that gates the build on his chosen severity threshold. When a service ships a broken authorization check, the gate fails the merge and the finding appears under Scans with an AI‑generated remediation — preventing the issue from reaching production.

Platform & SRE Teams

Observe and protect APIs in place at runtime.

Real World Scenario: Elena deploys the TCP Agent in front of a legacy service she can't modify, and embeds the SDK in her newer apps. Captured traffic flows into Advanced Protection, where Coverage Analytics reveals blind spots and Secrets & Token Leak Controls flags a JWT leaking in a response — caught before it became an incident.

Compliance & Audit Teams

Map vulnerabilities to compliance frameworks and track remediation.

Real World Scenario: Robert, a Compliance Manager, prepares for an ISO 27001 audit covering 8 APIs. Instead of manual review, he uses Compliance Monitoring to map findings to ISO 27001, NIST, and PCI DSS controls automatically, exporting audit‑ready reports that demonstrate strong control coverage.

Cloud & Solution Architects

Secure cloud‑hosted API surfaces across providers.

Real World Scenario: A cloud architect links AWS API Gateway, Azure API Management, and GCP Apigee connections, runs "Discover services," and scans each surface on demand. The Advanced Protection cloud rows summarize endpoints and severity per service, giving a unified, multi‑cloud view of API risk.


Feature Overview

1. Manual Scans (REST / SOAP / GraphQL)

Screenshot 2026-07-01 122642

Description: Run security scans on APIs without installing agents by providing API definitions or endpoints directly. The Scans page lists all scans that have run, with their status and findings, and a guided New Scan flow.

What Users See & How It Works

  • Scan history & New Scan: A central table of all scans with status and severity, plus summary cards (Total Scans, Completed, In Progress, Critical Findings). Start a new scan by choosing the API type.
  • REST API Scan: Name the scan and select the project it belongs to. Add the API configuration and authentication — paste an API Collection URL or upload a collection (OpenAPI / Swagger / Postman). Complete the Scan Configuration (select the parameters you want to scan) and start the scan.
  • SOAP API Scan: Name the scan and select a project, provide the WSDL / endpoint and options, complete the Scan Configuration, and start.
  • GraphQL Scan: Name the scan and select a project, provide the endpoint / schema URL, start the scan, then view the GraphQL Scan Report.
  • Scan Report: Lists vulnerabilities with severity, OWASP, CWE, CVSS, request/response evidence, Cost of Breach analysis, and AI‑Powered Remediation. Reports can be exported as PDF and findings as CSV.

Why It Matters

  • Build an inventory of REST, SOAP, and GraphQL APIs and run ongoing security testing — without agents.
  • Catch protocol‑specific issues (e.g. SOAP XML injection / action spoofing, GraphQL introspection risks) in a guided workflow.

2. Integrations

Screenshot 2026-07-01 123011

Description: Gain continuous security visibility using traffic from your apps (agents or integrations) instead of relying only on on‑demand scans. The Integrations hub explains how to implement each integration step by step.

What Users See & How It Works

  • Integration overview: A hub of available connectors (SDK, AWS, and more) with implementation steps for each.
  • SDK & Agents: Embed a lightweight SDK in your application — available for Node.js, JavaScript, Python, PHP, Java, .NET, and Golang — or route traffic through the TCP Agent / Docker proxy to capture API traffic without code changes.
  • CI/CD pipelines: Add a security‑scan step that gates the build when findings exceed your threshold (Jenkins, CircleCI, Azure DevOps, Travis CI, TeamCity).
  • Source‑control webhooks: Connect GitHub, GitLab, or Bitbucket to trigger scans on pull requests and pushes, with status reported back to commits.
  • Cloud services: Link AWS (API Gateway, EKS, Fargate, Elastic Beanstalk, ECS), Azure (API Management, App Service, AKS, OpenShift, Container Apps, Functions), and GCP (Apigee, Cloud Run, Cloud Run Functions, GKE) to discover and scan cloud‑hosted APIs.
  • Result integrations: Deliver findings to Slack, Microsoft Teams, Discord, Jira, Trello, Asana, and Azure Boards.

Why It Matters

  • Continuous API security based on real traffic, not just one‑off scans.
  • Protect and observe APIs in place, wherever they run.

3. Advanced Protection

Screenshot 2026-07-01 122956

Description: Manage integration results in one place for all the API traffic the engine analyzes. Once an integration is configured, its scans and results appear here.

What Users See & How It Works

  • Results per source: Integration result rows for AWS, GCP, Azure, SDK, Virtual Machines (TCP Agent / Docker), and CI/CD, each summarizing discovered endpoints, scans, and severity counts.
  • Runtime & analytics modules:
Module What it does
API Blocking Rules Block, throttle, or challenge suspicious API requests in real time.
Coverage Analytics Identify blind spots and gaps in monitoring coverage per endpoint.
Automated Evidence & Explainability Assemble SOC‑ready "attack stories" grouped by client IP, with forensic export.
Secrets & Token Leak Controls Detect API keys, JWTs, and credential leaks in live traffic.
Data Minimization & Privacy Guardrails Monitor field‑level PII exposure (cards, SSNs, emails) in responses.

Key distinction: The Scans list shows only manually‑created scans. Everything produced by an integration source is surfaced here on Advanced Protection.

Why It Matters

  • Define which applications or environments send traffic to the engine, and view vulnerabilities per project in a single pane of glass.

4. Compliance Monitoring

Screenshot 2026-07-01 122936

Description: Map API security findings to compliance frameworks and standards across your whole organization.

What Users See & How It Works

  • API Compliance tab shows OWASP API Security categories (e.g. API1:2023 Broken Object Level Authorization, API2:2023 Broken Authentication) and their mapping to CWE, ISO 27001, NIST CSF, NIST 800‑53, GDPR, PCI DSS, HIPAA, MITRE ATT&CK, OWASP ASVS, CMMC, CCPA, FIPS, FISMA, RBI CSF, and more.

Why It Matters

  • Streamline audits, compliance reporting, and aligning fixes with specific standards.

5. Security Analytics

Screenshot 2026-07-01 122912

Description: A central view of your organization's overall API security analytics.

What Users See & How It Works

  • Visualizations including API Traffic Over Time, Vulnerability Impact Treemap, Traffic Pattern Heatmap (Weekly), OWASP API Security Top 10, and Vulnerability Distribution.

Why It Matters

  • One place to understand trends, hotspots, and overall security posture across all integrations under the organization.

Organization & Workspace

Screenshot 2026-07-01 124611

Beyond scanning and protection, the platform provides everything you need to run security at team scale:

Area What it does
Dashboard A central view of your security posture — Recent Scans, Critical Findings, API Endpoints, and other high‑level metrics.
Projects Group APIs and applications; associate scans, tickets, and vulnerabilities with a specific app or service.
Users Manage organization members — add, edit, and remove users, with role‑based visibility.
Tickets Track remediation tasks linked to scan findings, with optional delivery to tools like Jira and ServiceNow.
SDK Setup & API Keys Create and manage the API keys used to authenticate SDK and agent integrations.

Compliance Mapping

Vulnerability / Threat Type OWASP API Top 10 ISO 27001 PCI DSS SOC 2 NIST GDPR
Broken Authentication API2
Broken Object Level Authorization (BOLA) API1
Injection (SQLi, Command, etc.) API8
Data Exposure / Leakage API3
Security Misconfiguration API8
Lack of Resources & Rate Limiting API4
Secrets / PII Exposure (runtime) API3

Each finding in the dashboard is automatically mapped to these standards using OWASP/CWE/CVSS metadata and AI enrichment. Compliance impact is shown per issue and in summary cards.


Example Workflows & User Benefits

Agentless Scan Workflow: Create a scan → supply a collection / URL / WSDL / endpoint (or auto‑discover) → select parameters and depth → launch or schedule → review findings with OWASP / CVSS / CWE mapping and AI remediation → export PDF / CSV.

CI/CD Gate Workflow: Connect your pipeline → builds trigger scans automatically → the build fails when findings exceed your threshold → developers get an AI‑generated fix right where they work.

Runtime Protection Workflow: Embed the SDK or deploy the TCP Agent → traffic is captured → Advanced Protection surfaces discovered endpoints, coverage blind spots, secret / PII leaks, and blocking rules.

Benefits:

  • Discover and test every API — manual, cloud, or pipeline‑driven — in one place.
  • Catch vulnerabilities and compliance gaps before they reach production.
  • Communicate risk clearly with audit‑ready reports and real‑time dashboards.

Use Cases

  • API security assessments for new and evolving services (REST / SOAP / GraphQL)
  • Continuous compliance (ISO 27001, PCI DSS, NIST, SOC 2, GDPR, HIPAA, and more)
  • DevSecOps integration into CI/CD with scan gates
  • Multi‑cloud API surface discovery and scanning (AWS / Azure / GCP)
  • Runtime API monitoring, secrets/PII leak detection, and blocking

Support


Value Proposition: Unified, automated, AI‑enhanced API security across the full lifecycle — discover, test, monitor, and protect. "The API Security Platform turns complex, manual API security and compliance challenges into automated, actionable insights — empowering teams to move faster, safer, and with confidence."

The API Security Platform, a part of ZeroShield, brings in‑depth, practical security to every step of your API lifecycle.


Get Involved

We welcome collaboration from the security community! Here's how you can get involved with the API Security Platform:

🚀 Get Started

Sign up for the API Security Platform to start securing your APIs today!

🤝 Engage

  • Report Issues — Found a bug or have a feature request? Reach out to our team.
  • Feedback — Share your experience using the platform in your organization.
  • Security Research — Collaborate on new API security tests and detection techniques.

📞 Contact


All rights reserved. This software and its documentation are the intellectual property of ZeroShield.