API Security

Tier: Ultimate
Offering: GitLab.com, Self-managed, GitLab Dedicated

API Security refers to the measures taken to secure and protect web Application Programming Interfaces (APIs) from unauthorized access, misuse, and attacks. APIs are a crucial component of modern application development because they let applications interact with each other and exchange data. That same exposure makes them attractive targets for attackers and vulnerable to security threats if they are not properly secured. In this section, we discuss GitLab features that can be used to ensure the security of the web APIs in your application. Some of the features are specific to web APIs; others are general-purpose scanners that also apply to applications exposing a web API.

  • SAST identifies vulnerabilities by statically analyzing the application's codebase.
  • Dependency Scanning reviews a project's third-party dependencies for known vulnerabilities (for example, published CVEs).
  • Container Scanning analyzes container images to identify known vulnerabilities in the OS packages and the language dependencies installed in the image.
  • API Discovery examines an application containing a REST API and infers an OpenAPI specification for that API. The resulting OpenAPI specification document is used as input by the other GitLab API security tools.
  • DAST API performs dynamic analysis security testing of web APIs against a running instance. It can identify a wide range of security vulnerabilities in your application, including the OWASP Top 10.
  • API Fuzzing performs fuzz testing of a web API. Fuzz testing looks for previously unknown issues in an application, such as crashes or unexpected error responses, that do not map to classic vulnerability types such as SQL injection.
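The following `.gitlab-ci.yml` is an added example, not taken from this page or from a GitLab project, showing how the scanners listed above are combined into a single pipeline by including their CI/CD templates. The OpenAPI document path (`openapi/spec.json`), the test deployment URL (`http://test-api.example.internal`), the image tag for Container Scanning and the `deploy` stage are assumptions for the example; the template names, stage names and variable names are the ones the GitLab templates use.

```yaml
# Added example: wiring the API security scanners into one pipeline.
# Assumed (not from the page): an OpenAPI document committed at
# openapi/spec.json, a test instance of the API reachable at
# http://test-api.example.internal, and a `deploy` stage that starts it.

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST-API.gitlab-ci.yml
  - template: Security/API-Fuzzing.gitlab-ci.yml

# SAST, Dependency Scanning and Container Scanning run in `test`.
# The DAST API and API Fuzzing jobs run in `dast` and `fuzz`; both must
# come after the stage that deploys the test instance they exercise.
stages:
  - build
  - test
  - deploy
  - dast
  - fuzz

variables:
  # Container Scanning: the image built by this pipeline (assumed tag).
  CS_IMAGE: "$CI_REGISTRY_IMAGE/api:$CI_COMMIT_SHA"

  # DAST API: scan the deployed test instance using the OpenAPI document
  # to enumerate operations and parameters. The Quick profile keeps
  # merge-request pipelines short; use a longer profile on schedules.
  DAST_API_PROFILE: Quick
  DAST_API_OPENAPI: openapi/spec.json                    # assumed path
  DAST_API_TARGET_URL: http://test-api.example.internal  # assumed URL

  # API Fuzzing: same target and specification. Quick-10 is the smallest
  # built-in profile; larger profiles send more fuzz cases per parameter.
  FUZZAPI_PROFILE: Quick-10
  FUZZAPI_OPENAPI: openapi/spec.json                     # assumed path
  FUZZAPI_TARGET_URL: http://test-api.example.internal   # assumed URL
```

Point `DAST_API_TARGET_URL` and `FUZZAPI_TARGET_URL` at a disposable test deployment, never at production: both scanners send mutated and malformed requests that can create, modify or delete data through the API. If the project has no hand-written OpenAPI document, the API Discovery feature described above can produce one for the DAST API and API Fuzzing jobs to consume; its own job configuration depends on the application's language and packaging and is not shown here.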