Understanding the App Model
Overview: A Progressive Workflow for API Coverage
What is the App Model?
The App Model represents a structured, step-by-step workflow designed to help users progressively increase their API test coverage. Instead of scanning an API in a single step, the App Model guides users through incremental configurations, ensuring that each stage of security and functional validation is completed effectively.
This approach allows users to:
- Start with minimal setup and gradually enhance testing capabilities.
- Systematically add configurations to expand security coverage.
- Identify and resolve API security issues in a controlled, logical sequence.
How the App Model Works
The App Model breaks down API scanning into distinct phases, ensuring that each aspect of an API is tested and secured methodically.
🌍 Creating App with unreachable URL
🌍 Updating with reachable URL, Check Application is Reachable
- In the App Model, check the "Recommended Action" tab, which shows "Setup Application Reachability".
🌐 Unauthenticated scan execution
- To execute the Unauthenticated scan,
📖 Configure API Authentication
- To configure API authentication,
📖 Authenticated scan execution
- To execute the Authenticated scan,
📖 Adding parameter values
- Based on your API document, add the parameter values the scanner needs.
📖 RBAC configuration
- To configure RBAC from the App Model, check the "Recommended Action" tab, which shows "Configure RBAC".
1. Defining the API Application
- Users start by creating an application entry, which acts as the foundation for all further testing.
- If the API has an unreachable URL, it must be updated before progressing.
2. Running an Initial Unauthenticated Scan
- The first security scan is executed without authentication, allowing users to assess publicly accessible endpoints and detect any misconfigurations in open APIs.
3. Configuring API Authentication
- Authentication credentials (such as API keys, OAuth tokens, or bearer tokens) are added to enable deeper testing of restricted API endpoints.
4. Executing an Authenticated Scan
- With authentication enabled, the system performs a comprehensive security analysis of protected endpoints, uncovering authorization flaws and privilege escalation risks.
5. Enhancing Security with RBAC Configuration
- Role-Based Access Control (RBAC) policies are validated to ensure that users can only access what they are permitted to, helping prevent excessive privilege issues.
6. Refining API Test Coverage
- Users can add missing parameter values based on their API specifications to increase coverage, improving security validation for dynamic API behaviors.
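The following is an added example, not code from this documentation or from the product it describes. It models steps 2, 4 and 5 of the workflow above in a single runnable script: an unauthenticated probe of every endpoint, an authenticated probe once per configured role, and a comparison of the observed access against the expected RBAC matrix. The endpoint table, the two bearer tokens, the role names and the two deliberately mis-configured entries in `ACTUAL_ACCESS` are all constructed for illustration, and `fake_request` stands in for a real HTTP client so the script runs offline.

```python
"""Added example: a minimal model of the progressive App Model scan.

Everything below (endpoints, roles, tokens, expected policy) is constructed
for illustration and is not the product's own code or configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the API under test: "METHOD /path" -> roles the API
# actually lets in. "anon" means the call succeeds with no credentials.
ACTUAL_ACCESS = {
    "GET /health":         {"anon", "user", "admin"},
    "GET /users/me":       {"user", "admin"},
    "GET /admin/users":    {"admin"},
    "DELETE /admin/users": {"user", "admin"},        # constructed flaw: users may delete
    "GET /reports":        {"anon", "user", "admin"},  # constructed flaw: open to anon
}

# Step 3: credentials configured per role. Constructed bearer tokens; the
# stand-in API resolves them back to a role.
TOKENS = {"user": "tok-user-123", "admin": "tok-admin-456"}
TOKEN_TO_ROLE = {v: k for k, v in TOKENS.items()}

# Expected policy: what the RBAC configuration says should be allowed.
EXPECTED_ACCESS = {
    "GET /health":         {"anon", "user", "admin"},
    "GET /users/me":       {"user", "admin"},
    "GET /admin/users":    {"admin"},
    "DELETE /admin/users": {"admin"},
    "GET /reports":        {"user", "admin"},
}


def fake_request(endpoint: str, bearer: Optional[str]) -> int:
    """Stand-in for an HTTP call: returns the status code the mock API would."""
    if endpoint not in ACTUAL_ACCESS:
        return 404
    role = "anon" if bearer is None else TOKEN_TO_ROLE.get(bearer)
    if role is None:
        return 401  # unknown token
    if role in ACTUAL_ACCESS[endpoint]:
        return 200
    return 401 if role == "anon" else 403


@dataclass
class Finding:
    endpoint: str
    role: str
    status: int
    issue: str


def unauthenticated_scan(endpoints: List[str]) -> Dict[str, int]:
    """Step 2: probe every endpoint with no credentials and record the status."""
    return {ep: fake_request(ep, None) for ep in endpoints}


def authenticated_scan(endpoints: List[str], tokens: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Step 4: probe every endpoint once per configured role."""
    return {role: {ep: fake_request(ep, tok) for ep in endpoints}
            for role, tok in tokens.items()}


def validate_rbac(expected, anon_results, auth_results) -> List[Finding]:
    """Step 5: compare observed access with the expected matrix.

    A 200 for a role the policy does not allow is the security finding
    (over-permissive); a 401/403 for a role the policy does allow is a
    functional finding (under-permissive) that also hurts scan coverage.
    """
    findings: List[Finding] = []
    observed = {"anon": anon_results, **auth_results}
    for ep, allowed in expected.items():
        for role, results in observed.items():
            status = results[ep]
            if status == 200 and role not in allowed:
                findings.append(Finding(ep, role, status, "over-permissive"))
            elif status in (401, 403) and role in allowed:
                findings.append(Finding(ep, role, status, "under-permissive"))
    return findings


def run_app_model(expected, tokens) -> List[Finding]:
    """Run the three scan phases in order and return the RBAC findings."""
    endpoints = list(expected)
    anon = unauthenticated_scan(endpoints)
    auth = authenticated_scan(endpoints, tokens)
    return validate_rbac(expected, anon, auth)


if __name__ == "__main__":
    for f in run_app_model(EXPECTED_ACCESS, TOKENS):
        print(f"{f.issue:16} {f.role:6} {f.endpoint} -> HTTP {f.status}")
```

Against the constructed data the script reports two over-permissive entries: the `user` role can call `DELETE /admin/users`, and `GET /reports` answers without any credentials. Keeping the expected matrix separate from the scan results is what makes step 5 a validation rather than a guess; when the real tool is used, the equivalent of `EXPECTED_ACCESS` comes from the RBAC configuration entered under "Configure RBAC".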
Why Use the App Model?
1. Structured Approach to API Security
- The App Model ensures that each security layer is validated before progressing to the next step, reducing the likelihood of overlooked vulnerabilities.
2. Progressive Increase in Coverage
- Users start with a basic scan and gradually incorporate authentication, role-based access, and parameter validation to maximize security visibility.
3. Improved Accuracy and Control
- Breaking API testing into manageable steps prevents misconfigurations and helps teams focus on specific areas of security improvement.
4. Adaptable to Different API Environments
- Whether working with public APIs, enterprise applications, or microservices, users can tailor the workflow to their API structure and security needs.
Next Steps
As users progress through the App Model, they gain greater visibility into API vulnerabilities, misconfigurations, and security gaps. The model provides an adaptive, methodical way to secure APIs, ensuring that every critical aspect is covered before moving to production.