Microsoft Defender for Cloud Extends Support to Enable Increased API Security Testing Visibility

Expanded API Security Testing Collaboration and Environment Support 

At Microsoft Ignite 2023, Microsoft for Cloud announced the support of API security testing integration, enabling for Cloud to provide full lifecycle API protection from code to cloud, which makes Microsoft the only cloud provider that enables organizations to assess risk and address API threats across the entire cloud application lifecycle. Today, we're happy to announce this support has been extended to two additional API security testing solutions and is currently in public preview. Additionally, we're thrilled to share that support of Azure environments is in public preview.

Customers can now choose from a variety of API security testing solutions in the Azure Marketplace and integrate the solutions within their pipelines, allowing security teams to have centralized visibility of the assessed API security posture within for Cloud. Supported solutions now include 42Crunch, Bright Security, and StackHawk. Supported environments includes both GitHub and Azure DevOps, allowing customers to upload their scan results from both environments into Defender for Cloud.

Embracing a ‘shift-left' security approach is crucial for modern organizations. By integrating API security measures earlier in the software development lifecycle, developers can proactively identify and mitigate API vulnerabilities that might otherwise go undetected, ensuring robust protection against top OWASP API related risks, business logic abuse, and more.

By empowering developers to code and configure APIs securely early in the development lifecycle, Defender for Cloud helps organizations deliver cloud applications that are secure-by-design from the start of development to continuous security throughout production. Security teams can leverage the rich reporting capabilities of Defender for Cloud to gain unified visibility into the health of their API estate during development time, ensuring insecure applications do not make it to production.

The support for API security testing via these solutions complements the existing runtime security capabilities from Defender for APIs. By enabling Defender for APIs alongside the API testing solutions, Defender for Cloud customers gain a robust security governance framework and clear visibility into their APIs throughout the entire lifecycle, from design to runtime. Microservices-based application architectures, and multi-cloud application footprints have amplified the magnitude of APIs drastically, which further adds complexity to API security. There is rarely a single access point at which API security can be enforced. This approach ensures that APIs are secure and monitored at every stage.

GitHub Recommendation.png

Visibility of API security testing scan results within Defender for Cloud recommendation

cloudsecurityquery.png

Ability to query for source code repositories with unhealthy API security testing results within the Cloud Security Explorer

Meet the API security testing solutions

42Crunch:

42Crunch enables a standardized approach to securing APIs that automates the enforcement of API security compliance across distributed development and security teams. Unlike traditional DAST tools that are used to scan web and mobile applications, 42Crunch runs a set of tests that are precisely crafted and targeted against each API based on their specific design. As a result, 42Crunch provides complete coverage for the top OWASP API risks while eliminating false positives.

Jacques Declas, CEO of 42Crunch, welcomed the announcement saying, “This partnership between Microsoft and 42Crunch validates our common vision of providing customers globally with a true DevSecOps solution to protect their digital assets from an ever-growing array of attacks.” “It is well recognized that an effective API security strategy must start early in the software development lifecycle. This partnership between 42Crunch and Microsoft will enable customers to define, implement, and enforce API security compliance and governance across their API estate at scale,” added Declas.

Bright Security:

Bright Security's dev-centric DAST platform empowers both developers and AppSec professionals with enterprise grade security testing capabilities for web applications, APIs, and GenAI and LLM applications. Bright knows deliver the right tests, at the right time in the SDLC, in developers and AppSec tools and stacks of choice with minimal false positives and alert fatigue.

Gadi Bashvitz, CEO of Bright Security said, “Collaborating with Microsoft to bring together Bright's DAST security testing capabilities for APIs with Microsoft Defender for Cloud is a game changer for enterprises aiming to accelerate their SDLC without compromising on security because Bright scans applications and APIs from the outside-in, mimicking how hackers could attack and compromise their business. With Bright, enterprises get verified attack vectors, not guesses. This relationship is in the forefront of collaboration between AppSec and CNAPP providers to improve security for enterprises”. 

StackHawk

StackHawk is making API and application security testing part of software delivery. The StackHawk platform offers engineering teams the ability to find and fix application bugs at any stage of software development and gives Security teams insight into the security posture of applications and APIs being developed. Built by a strong founding team with deep experience in security and DevOps, and funded by some of the best venture investors in the business, StackHawk is leading the shift left movement by putting API and application security testing into the hands of engineers the moment they build code.

“StackHawk's integration with Microsoft Defender for Cloud Microsoft Defender for APIs extends the ability to assess the API security posture of an application beyond what's happening in production,” said Joni Klippert, CEO and co-founder at StackHawk. “The StackHawk platform is designed to support teams in identifying and fixing API security vulnerabilities earlier in the development process while delivering secure code prior to production. This collaboration with Microsoft will enable customers to seamlessly pinpoint API security risks across their entire API ecosystem, strengthening their security posture.”

How to get started

To learn more and view steps to onboard, see: Partner applications in Microsoft Defender for Cloud for API security testing (preview)

 

This article was originally published by Microsoft's Defender for Cloud Blog. You can find the original article here.