A lot of folks don't know the difference between a bug bounty program and automated security scans. Here is a cheat sheet to quickly learn the major differences.

| | Security Scanner | Bug Bounty Program |
|---|---|---|
| Synonyms | Web application scanner, security scanner, DAST | Penetration testing, pen testing, ethical hacking, security testing, bug bounty programs |
| Definition | DAST stands for Dynamic Application Security Testing: the process of testing web, mobile, and API applications to find vulnerabilities and security bugs through automated tools. | The process of finding security bugs through human intelligence. A security tester might use and modify automated tools to find hard-to-find vulnerabilities. |
| Code Access | No code access is required. Most of the tools are language and technology agnostic. | No code access is required. Internal technology stack knowledge helps create tailored tests. |
| Live Traffic Access | No access to live traffic is required. | No access to live traffic is required. |

Supported Technologi
We recently launched EthicalCheck, a free and instant API security testing DAST (Dynamic Application Security Testing) web tool on GitHub. Here is the GitHub URL for the tool: https://apisec-inc.github.io/pentest/

What kind of vulnerabilities does EthicalCheck find?

Most automated scanners find vulnerabilities like SQL injection, NoSQL injection, XSS, etc. EthicalCheck performs different checks, including OAuth 2.0, JWT, BasicAuth, OWASP API Security Top 10 #2 (Broken User Authentication), and other broken authentication defects in web, mobile, and public-facing APIs.

How does EthicalCheck work?

It requires two inputs:
- The API documentation URL (OpenAPI Spec/Swagger).
- An email address for receiving the security testing report.

We only did a soft launch across a couple of developer forums in the past three months. We weren't expecting to get anywhere close to 400 tests. Here are the stats:
- Period: Feb 2022 to Apr 2022 (3 months)
- Total APIs tested: 400
- Total APIs with vulnerabilities: 164
- Total APIs with 10+ vulnerabilities:
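To make the "spec in, broken-authentication findings out" idea concrete, here is an added example of the kind of probe a spec-driven API DAST tool can run. It is illustration code written for this page, not EthicalCheck's implementation. It reads a constructed OpenAPI document, picks every operation the spec marks as protected, and hits it with three unauthenticated or forged credentials (no token, a JWT with `alg: none`, a JWT signed with the wrong key). Anything that answers 2xx is a broken-authentication finding. The target API is an in-process stand-in (hypothetical routes `/users/me` and `/admin/reports`, a made-up signing key) so the script runs offline; a real scan would replace `mock_send` with an HTTP client.

```python
"""Added illustration (not EthicalCheck's code): a spec-driven broken-auth probe."""
import base64
import hashlib
import hmac
import json

# Constructed sample OpenAPI document for a hypothetical API (not a real service).
OPENAPI_SPEC = {
    "openapi": "3.0.0",
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}},
    "paths": {
        "/public/health": {"get": {"security": []}},            # explicitly unauthenticated
        "/users/me": {"get": {"security": [{"bearerAuth": []}]}},
        "/admin/reports": {"get": {"security": [{"bearerAuth": []}]}},
    },
}

SERVER_SECRET = b"demo-secret-do-not-reuse"  # hypothetical HS256 key of the mock API


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(payload: dict, alg: str, key: bytes = b"") -> str:
    """Mint a compact JWT; alg='none' produces an unsigned token (empty signature)."""
    signing_input = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode()) + "." \
        + b64url(json.dumps(payload).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_strict(token):
    """Correct verification: pin the algorithm, then check the HMAC. Returns claims or None."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(SERVER_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None


def verify_trusting_header(token):
    """Deliberately flawed: honours the token's own alg, so alg=none bypasses the signature."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") == "none":
            return json.loads(b64url_decode(p))
        expected = hmac.new(SERVER_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None


# In-process stand-in for the target API: route -> verifier (None = public endpoint).
ROUTES = {
    ("GET", "/public/health"): None,
    ("GET", "/users/me"): verify_strict,
    ("GET", "/admin/reports"): verify_trusting_header,  # the vulnerable endpoint
}


def mock_send(method, path, headers):
    """Return an HTTP status code the way the mock API would; swap for a real client."""
    verifier = ROUTES.get((method, path), "missing")
    if verifier == "missing":
        return 404
    if verifier is None:
        return 200
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    return 200 if verifier(auth[len("Bearer "):]) else 401


def protected_operations(spec):
    """Yield (METHOD, path) for every operation with a non-empty security requirement."""
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            if op.get("security", spec.get("security", [])):
                yield method.upper(), path


def scan_broken_auth(spec, send=mock_send):
    """Probe each protected operation with forged/missing credentials; any 2xx is a finding."""
    probes = {
        "no-credentials": {},
        "jwt-alg-none": {"Authorization": "Bearer " + make_jwt({"sub": "attacker", "role": "admin"}, "none")},
        "jwt-wrong-key": {"Authorization": "Bearer " + make_jwt({"sub": "attacker"}, "HS256", b"guess")},
    }
    findings = []
    for method, path in protected_operations(spec):
        for name, headers in probes.items():
            if 200 <= send(method, path, headers) < 300:
                findings.append((method, path, name))
    return findings


if __name__ == "__main__":
    for finding in scan_broken_auth(OPENAPI_SPEC):
        print("BROKEN AUTH: %s %s accepted probe %s" % finding)
```

Run stand-alone it reports only `GET /admin/reports` for the `jwt-alg-none` probe: `/users/me` pins the algorithm and rejects all three, and `/public/health` is skipped because its `security` list is empty. The point of driving the probes from the spec is coverage: every operation the spec claims is protected gets tested, rather than only the endpoints a tester happens to know about.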