Exposure Tests

System of Records

Exposure tests require SOR (System of Record) data.

We expose an API endpoint to get and replace the System of Record data.

  1. You will need to create an API key in DevSecOps (Data Theorem) with the API Security Results API scope.

  2. Possible values for api_type: protected, public, private

  3. Possible values for auth_type: BasicAuth, OAuth

  4. POST data to this new endpoint:

    1. POST https://api.securetheorem.com/apis/api_security/results/v1beta1/system_of_records

       {
         "apis": [
           {
             "api_type": "protected",
             "base_url": "https://domain.tld",
             "auth_type": "BasicAuth",
             "virtual_path": "/virtual_path",
             "asset_id": "internal-id"
           }
         ]
       }

  5. Optionally GET the SOR

    1. GET https://api.securetheorem.com/apis/api_security/results/v1beta1/system_of_records

       {
         "system_of_record_entries": [
           {
             "uuid": "9e6fb101-76fa-4140-a03a-8c77f4af1629",
             "base_url": "https://xafhrc63ec.execute-api.us-east-2.amazonaws.com",
             "api_type": "private",
             "auth_type": "BasicAuth",
             "base_path": "/prod/pets",
             "date_created": "2025-01-22T14:22:50.021087+00:00",
             "date_updated": "2025-01-22T14:23:05.318166+00:00",
             "external_asset_id": "private-pets"
           },
           {
             "uuid": "96159dd0-03f3-4a65-83ea-8a138af9e639",
             "base_url": "https://8k8lexlnde.execute-api.us-east-1.amazonaws.com",
             "api_type": "private",
             "auth_type": "BasicAuth",
             "base_path": "/prod/pets",
             "date_created": "2025-01-22T14:22:50.016563+00:00",
             "date_updated": "2025-01-22T14:23:05.318158+00:00",
             "external_asset_id": "private-but-public-pets"
           }
         ]
       }

Exposure issue in the portal

We automatically check internet accessibility for the whole inventory, and if an API tagged as private in the SOR is found to be internet accessible, a policy violation is opened.

It tracks:

  • When it was found internet accessible

  • It shows the HTTP response as proof that the API was internet accessible

  • It is automatically resolved when the API is no longer internet accessible
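The SOR payload from the procedure above and the "private but internet accessible" rule from this section, as an added Python example (not Data Theorem's code): it validates entries against the documented api_type and auth_type values, builds the POST body, and applies the rule to a constructed copy of the GET response. The endpoint URLs and asset ids in the sample are placeholders; sending the request and the API key header are out of scope because the page does not document the header name.

```python
"""Build a System of Record payload and evaluate the exposure rule offline."""
import json
from typing import Iterable

# Endpoint and value sets as documented on this page.
SOR_URL = "https://api.securetheorem.com/apis/api_security/results/v1beta1/system_of_records"
API_TYPES = {"protected", "public", "private"}
AUTH_TYPES = {"BasicAuth", "OAuth"}
SOR_FIELDS = ("api_type", "base_url", "auth_type", "virtual_path", "asset_id")


def build_sor_payload(apis: Iterable[dict]) -> str:
    """Validate each entry against the documented value sets and return the POST body."""
    entries = []
    for api in apis:
        if api["api_type"] not in API_TYPES:
            raise ValueError(f"unknown api_type: {api['api_type']!r}")
        if api["auth_type"] not in AUTH_TYPES:
            raise ValueError(f"unknown auth_type: {api['auth_type']!r}")
        entries.append({field: api[field] for field in SOR_FIELDS})
    return json.dumps({"apis": entries})


def exposed_private_apis(sor_response: dict, internet_accessible: set) -> list:
    """Return external_asset_ids of private SOR entries whose endpoint is internet accessible.

    This is the condition under which the portal opens a policy violation.
    """
    exposed = []
    for entry in sor_response["system_of_record_entries"]:
        endpoint = entry["base_url"].rstrip("/") + entry["base_path"]
        if entry["api_type"] == "private" and endpoint in internet_accessible:
            exposed.append(entry["external_asset_id"])
    return exposed


# Constructed sample shaped like the GET response on this page (hosts are placeholders).
SAMPLE_SOR = {"system_of_record_entries": [
    {"base_url": "https://private.example.invalid", "api_type": "private",
     "auth_type": "BasicAuth", "base_path": "/prod/pets", "external_asset_id": "private-pets"},
    {"base_url": "https://leaky.example.invalid", "api_type": "private",
     "auth_type": "BasicAuth", "base_path": "/prod/pets", "external_asset_id": "private-but-public-pets"},
    {"base_url": "https://public.example.invalid", "api_type": "public",
     "auth_type": "OAuth", "base_path": "/v1", "external_asset_id": "public-api"},
]}
# Constructed: endpoints the inventory check found reachable from the internet.
SAMPLE_ACCESSIBLE = {"https://leaky.example.invalid/prod/pets", "https://public.example.invalid/v1"}

if __name__ == "__main__":
    print(build_sor_payload([{"api_type": "private", "base_url": "https://domain.tld",
                              "auth_type": "BasicAuth", "virtual_path": "/virtual_path",
                              "asset_id": "internal-id"}]))
    print(exposed_private_apis(SAMPLE_SOR, SAMPLE_ACCESSIBLE))  # ['private-but-public-pets']
```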


Reporting

Asset tags are automatically added to the API assets matching the SOR data, allowing you to combine the “is internet accessible” filter with the “SOR” (or “api_type: private”) tags.

APIs related to SOR entries

APIs that are flagged as private in the SOR

APIs that failed the exposure tests

APIs that failed the exposure testing can be shown in the inventory by combining “is internet accessible” with “api_type: private”.

APIs that passed the exposure tests

APIs that passed the exposure testing are those tagged “api_type: private” that are not internet accessible; they can be shown in the inventory by combining “api_type: private” with the inverse of the “is internet accessible” filter.
