It is hard to write a good API specification, and since most API gateways consume the spec as infrastructure as code (IaC), it should be checked carefully for common mistakes. It is equally hard to implement an API that sticks to its original design, so the running implementation must also be validated against the spec: in practice it will diverge from it in places.
When developers build APIs, they often leave them open to open redirects, injections, HTTP parameter pollution, and other problems.
Cherrybomb helps you address these issues. The open-source project is available on GitHub.
Defining a secure API with Cherrybomb
When it comes to APIs, many security problems that are found (and sometimes missed) in the testing stage can be discovered earlier by examining the API's specification file. With Cherrybomb, you gain visibility into your API and can find potential issues as soon as the specification is written, before any code is deployed.
Using existing resources
You already produce a specification file for your API, whether for your developers or for the people who test it. Cherrybomb lets you turn that existing artifact into a security asset.
The active module
In addition to validating and auditing OAS files, Cherrybomb uses them to run informed tests against your API: probing the limits defined in the spec file (so that an implementation that diverges from its spec is caught) and testing for common attack vectors.
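The two ideas above, a static audit of the spec and spec-driven boundary tests against the implementation, are illustrated by the added example below. It is not Cherrybomb's code and does not reproduce Cherrybomb's checks; it is a minimal, self-contained sketch written for this page. The OpenAPI document it audits is constructed inline, and the rule set (operations with no security requirement, unbounded string parameters, redirect-looking parameters without a pattern, integer parameters with no range) is a hypothetical selection of the kinds of mistakes a spec linter looks for.

```python
"""Hypothetical OpenAPI spec audit and boundary-test generation.

Added example for this page; not Cherrybomb's implementation.
"""
from typing import Dict, Iterator, List, Tuple

# Constructed sample spec for demonstration only (not a real API).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Demo", "version": "1"},
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],  # global default: bearer token required
    "paths": {
        "/login": {
            "post": {
                "security": [],  # explicitly public: overrides the global default
                "parameters": [
                    {"name": "next", "in": "query", "schema": {"type": "string"}},
                ],
                "responses": {"302": {"description": "redirect after login"}},
            }
        },
        "/users": {
            "get": {
                "parameters": [
                    {"name": "limit", "in": "query",
                     "schema": {"type": "integer", "minimum": 1, "maximum": 100}},
                    {"name": "q", "in": "query", "schema": {"type": "string"}},
                ],
                "responses": {"200": {"description": "ok"}},
            }
        },
    },
}

# Hypothetical heuristic: parameter names that usually carry a redirect target.
REDIRECT_NAMES = {"next", "redirect", "redirect_uri", "return_url", "url", "callback"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def iter_operations(spec: Dict) -> Iterator[Tuple[str, str, Dict, List[Dict]]]:
    """Yield (path, METHOD, operation, path-level parameters) for every operation."""
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield path, method.upper(), op, shared


def audit(spec: Dict) -> List[str]:
    """Static checks over the spec; returns one finding string per problem."""
    findings: List[str] = []
    global_security = spec.get("security")
    for path, method, op, shared in iter_operations(spec):
        loc = f"{method} {path}"
        # An operation-level "security" key (even an empty list) overrides the global one.
        if not op.get("security", global_security):
            findings.append(f"{loc}: no security requirement (unauthenticated endpoint)")
        for param in shared + op.get("parameters", []):
            name = param.get("name", "?")
            schema = param.get("schema", {})
            if schema.get("type") == "string":
                if not any(k in schema for k in ("maxLength", "pattern", "enum", "format")):
                    findings.append(f"{loc}: string parameter '{name}' is unbounded "
                                    "(no maxLength/pattern/enum/format); injection surface")
                if name.lower() in REDIRECT_NAMES and not ("pattern" in schema or "enum" in schema):
                    findings.append(f"{loc}: parameter '{name}' looks like a redirect target "
                                    "but has no pattern/enum (open redirect risk)")
            if schema.get("type") == "integer" and not ("minimum" in schema and "maximum" in schema):
                findings.append(f"{loc}: integer parameter '{name}' has no minimum/maximum")
    return findings


def boundary_cases(spec: Dict) -> List[Dict]:
    """Derive requests just outside each declared limit; the API should reject them.

    A 2xx response to one of these means the implementation does not enforce its own spec.
    """
    cases: List[Dict] = []
    for path, method, op, shared in iter_operations(spec):
        for param in shared + op.get("parameters", []):
            schema = param.get("schema", {})
            base = {"method": method, "path": path, "param": param["name"], "expect": "4xx"}
            if "maximum" in schema:
                cases.append({**base, "value": schema["maximum"] + 1})
            if "minimum" in schema:
                cases.append({**base, "value": schema["minimum"] - 1})
            if "maxLength" in schema:
                cases.append({**base, "value": "A" * (schema["maxLength"] + 1)})
    return cases


if __name__ == "__main__":
    for finding in audit(SAMPLE_SPEC):
        print("AUDIT:", finding)
    for case in boundary_cases(SAMPLE_SPEC):
        print("TEST :", case)
```

On the constructed spec the audit reports the public login endpoint, its unbounded `next` parameter (twice: once as an unbounded string, once as a likely open redirect), and the unbounded `q` search parameter; `limit` is bounded on both sides and yields two boundary requests (`limit=0` and `limit=101`) that a spec-conformant implementation must reject. Sending those requests is the active half of the idea: a spec that says one thing and a server that does another is exactly the drift the text warns about.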
Integrating Cherrybomb
Cherrybomb comes in several flavors: a standalone CLI tool, an official Docker image, and a CI/CD wizard that generates a code snippet for easy integration with GitHub Actions and Jenkins.
Cherrybomb CI/CD integration walkthrough.
Eliminating the Human factor – for free
Many big breaches in the past happened because of human error. Cherrybomb helps catch the small errors that could become huge security gaps, and does so for free.
Cherrybomb is an open-source project developed with community effort and offered free to anyone who wants to use it to help secure the internet.
Source: https://www.helpnetsecurity.com/2022/09/28/cherrybomb-holy-trifecta-for-developing-a-secure-api/