42CRUNCH BLOG


Questions Answered: REST API Security by Design with Azure Pipelines


You had questions, and we’ve got answers!

Thank you for all the questions submitted on our “REST API Security by Design with Azure Pipelines” webinar. Below are all the answers to the questions that were asked. If you’d like more information please feel free to contact us.

REST API Security for 
Microsoft Azure Pipelines

Watch Webinar

REST API Security for Microsoft 
Azure Pipelines Slide Deck

Download

 

I know this API Security Audit requires a Token to call it from VS Code, is there any limitation on the # of calls or licensing associated?

Neither the VS Code plugin nor the Azure DevOps extension have limits on the number of security audits run. However, there is a rate limit of 3 calls per minute from the same IP. 

There is a difference in behavior of these two extensions though. The VS Code extension is a personal developer tool, so the report is only shown to the individual developer using it and not stored anywhere.

The Azure DevOps extension is publishing the reports to the central 42Crunch platform so your whole team can get access to them. Thus, the licensing limits of the 42Crunch subscription starts playing a role here. 42Crunch has a free tier up to 3 APIs and monthly subscription options beyond that: https://42crunch.com/pricing. The number of updates to these APIs or the number of times you call the platform for security testing is not limited.

 

Is there any software that can generate an API file for a code written in any programming language?

Yes, OpenAPI standard has a broad industry support. You can find most tools supporting it at https://openapi.tools/ as well as https://github.com/swagger-api/swagger-core

 

How is the 42Crunch Platform connected to Azure DevOps?

Azure DevOps is connecting to the 42Crunch platform via API and pushing OpenAPI files to be tested to it. The Azure DevOps extension then collects the security testing results, displays them in the pipeline, and makes the success or failure decision based on the criteria that you set.

 

Will there be support for other Cloud vendors in the roadmap?

42Crunch API Security platform can work with APIs developed and hosted in any cloud. It is not dependent on Azure in any way. In this particular webinar, we have been demonstrating our extension for Azure DevOps CI/CD pipeline. 

We have a few internal plugins for other CI/CD platforms so if you are using something else please fill out the Contact Us form on our website to request access.

 

It’s a cloud service. How about privacy? How will my data be handled?

42Crunch is indeed a multi-tenant cloud service. Please see our Terms & Conditions for details: https://platform.42crunch.com/terms-and-conditions

 

This is a real cool plugin. Is there one available for java developers (like IntelliJ, Eclipse)?

Non VS Code plugins are in the works. Please fill out the Contact Us form on our website so we can notify you when we are ready to start our private beta for them.

 

Do you have plans to make an on-prem version of your platform, or at least the audit service?

On-prem version of 42Crunch platform is available for large enterprise customers. If you are interested, please fill out the Contact Us form on our website.

 

What about integration with Stoplight.io? Stoplight is a powerful design first platform. 42Crunch integration will be a great add.

Stoplight.io does not have a model of 3rd-party extensions. We are hoping to find a way to work with Stoplight to plug our tests into their platform.

 

42Crunch REST API Static Security Testing Extension for Azure Pipelines

 

 

Try our security audit for free. If you want to see the whole platform in action, request a demo now!