Exposure Tests

System of Records

Exposure tests require SOR (System of Record) data.

An API endpoint is available to get and replace the System of Record data.

  1. You will need to create an API key in DevSecOps (Data Theorem) with the API Security Results API scope.

     image-20250122-133451.png

  2. Possible values for api_type: protected, public, private

  3. Possible values for auth_type: BasicAuth, OAuth

  4. POST data to this new endpoint:

    1. POST https://api.securetheorem.com/apis/api_security/results/v1beta1/system_of_records

       {
         "apis": [
           {
             "api_type": "protected",
             "base_url": "https://domain.tld",
             "auth_type": "BasicAuth",
             "virtual_path": "/virtual_path",
             "asset_id": "internal-id"
           }
         ]
       }

  5. Optionally GET the SOR

    1. GET https://api.securetheorem.com/apis/api_security/results/v1beta1/system_of_records

       {
         "system_of_record_entries": [
           {
             "uuid": "9e6fb101-76fa-4140-a03a-8c77f4af1629",
             "base_url": "https://xafhrc63ec.execute-api.us-east-2.amazonaws.com",
             "api_type": "private",
             "auth_type": "BasicAuth",
             "base_path": "/prod/pets",
             "date_created": "2025-01-22T14:22:50.021087+00:00",
             "date_updated": "2025-01-22T14:23:05.318166+00:00",
             "external_asset_id": "private-pets"
           },
           {
             "uuid": "96159dd0-03f3-4a65-83ea-8a138af9e639",
             "base_url": "https://8k8lexlnde.execute-api.us-east-1.amazonaws.com",
             "api_type": "private",
             "auth_type": "BasicAuth",
             "base_path": "/prod/pets",
             "date_created": "2025-01-22T14:22:50.016563+00:00",
             "date_updated": "2025-01-22T14:23:05.318158+00:00",
             "external_asset_id": "private-but-public-pets"
           }
         ]
       }

Exposure issue in the portal

We automatically check internet accessibility for every API in the inventory; if an API tagged as private in the SOR is found to be internet accessible, a policy violation is opened.

It tracks:

  • When the API was found internet accessible

  • The HTTP response, kept as proof that the API was internet accessible

  • The violation is resolved automatically once the API stops being internet accessible
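The following script is an added example, not Data Theorem's own client code. It covers the SOR procedure above (validating entries against the allowed api_type and auth_type values, then POSTing/GETting the system_of_records endpoint) and reproduces locally the exposure check just described: a SOR entry tagged private whose base_url is internet accessible is reported as a violation. The endpoint URL, field names and sample entries come from this page; the "Authorization: APIKEY <key>" header format and the list of internet-accessible URLs (which you would obtain from your own scan) are assumptions.

```python
"""Added example: build/validate a System of Record payload, talk to the SOR
endpoint, and run the portal's exposure check locally on sample data.

Assumptions (hypothetical, verify against your API documentation):
  - the API key is sent as an "Authorization: APIKEY <key>" header;
  - the internet-accessibility list comes from your own scan.
"""
import json
import urllib.request
from typing import Dict, Iterable, List, Optional

SOR_URL = ("https://api.securetheorem.com/apis/api_security/results/"
           "v1beta1/system_of_records")
# Allowed values as listed on the page.
ALLOWED_API_TYPES = {"protected", "public", "private"}
ALLOWED_AUTH_TYPES = {"BasicAuth", "OAuth"}
REQUIRED_FIELDS = ("api_type", "base_url", "auth_type", "virtual_path", "asset_id")


def build_sor_payload(entries: Iterable[Dict[str, str]]) -> Dict[str, List[dict]]:
    """Validate each SOR entry and wrap the list in the {"apis": [...]} envelope.

    Rejecting bad values client-side avoids pushing a SOR in which a private
    API is silently mis-tagged and therefore never tested for exposure.
    """
    apis = []
    for entry in entries:
        label = entry.get("asset_id", "<no asset_id>")
        missing = [k for k in REQUIRED_FIELDS if k not in entry]
        if missing:
            raise ValueError(f"{label}: missing fields {missing}")
        if entry["api_type"] not in ALLOWED_API_TYPES:
            raise ValueError(f"{label}: api_type must be one of {sorted(ALLOWED_API_TYPES)}")
        if entry["auth_type"] not in ALLOWED_AUTH_TYPES:
            raise ValueError(f"{label}: auth_type must be one of {sorted(ALLOWED_AUTH_TYPES)}")
        apis.append({k: entry[k] for k in REQUIRED_FIELDS})
    return {"apis": apis}


def _request(method: str, api_key: str, body: Optional[dict] = None) -> dict:
    """Send one JSON request to the SOR endpoint and decode the JSON reply."""
    headers = {"Authorization": f"APIKEY {api_key}",  # assumed header format
               "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(SOR_URL, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def replace_system_of_records(api_key: str, entries: Iterable[Dict[str, str]]) -> dict:
    """POST: replace the SOR with the given entries (network call)."""
    return _request("POST", api_key, build_sor_payload(entries))


def get_system_of_records(api_key: str) -> dict:
    """GET: fetch the current SOR (network call)."""
    return _request("GET", api_key)


def exposed_private_apis(sor_response: dict, internet_accessible: Iterable[str]) -> List[str]:
    """Local version of the portal's exposure test.

    Returns the external_asset_id of every SOR entry tagged private whose
    base_url is in the set of internet-accessible URLs. URLs are normalised
    (trailing slash stripped, lower-cased) so a scanner's spelling matches.
    """
    def norm(url: str) -> str:
        return url.rstrip("/").lower()

    accessible = {norm(u) for u in internet_accessible}
    return sorted(
        e["external_asset_id"]
        for e in sor_response.get("system_of_record_entries", [])
        if e.get("api_type") == "private" and norm(e["base_url"]) in accessible
    )


# Constructed sample data, copied from the GET response shown on the page.
SAMPLE_SOR_RESPONSE = {
    "system_of_record_entries": [
        {"uuid": "9e6fb101-76fa-4140-a03a-8c77f4af1629",
         "base_url": "https://xafhrc63ec.execute-api.us-east-2.amazonaws.com",
         "api_type": "private", "auth_type": "BasicAuth", "base_path": "/prod/pets",
         "external_asset_id": "private-pets"},
        {"uuid": "96159dd0-03f3-4a65-83ea-8a138af9e639",
         "base_url": "https://8k8lexlnde.execute-api.us-east-1.amazonaws.com",
         "api_type": "private", "auth_type": "BasicAuth", "base_path": "/prod/pets",
         "external_asset_id": "private-but-public-pets"},
    ]
}
# Constructed: pretend only the second API answered from the public internet.
SAMPLE_INTERNET_ACCESSIBLE = ["https://8k8lexlnde.execute-api.us-east-1.amazonaws.com/"]

if __name__ == "__main__":
    print(json.dumps(build_sor_payload([{
        "api_type": "protected", "base_url": "https://domain.tld",
        "auth_type": "BasicAuth", "virtual_path": "/virtual_path",
        "asset_id": "internal-id"}]), indent=2))
    print("exposed:", exposed_private_apis(SAMPLE_SOR_RESPONSE, SAMPLE_INTERNET_ACCESSIBLE))
    # To push for real: replace_system_of_records("<your API key>", entries)
```

Only the validation and the local exposure check run offline; replace_system_of_records and get_system_of_records perform the real POST and GET and need a key created with the API Security Results API scope.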

image-20250122-151936.png

Reporting

Asset tags are automatically added to the API assets that match the SOR data, so the “is internet accessible” filter can be combined with the “SOR” (or “api_type: private”) tag.

APIs related to SOR entries

image-20250122-152155.png

APIs that are flagged as private in the SOR

image-20250122-152447.png

APIs that failed the exposure tests

APIs that failed the exposure tests can be shown in the inventory by combining the “is internet accessible” filter with the “api_type: private” tag.

image-20250122-152715.png

image-20250122-152706.png

APIs that passed the exposure tests

APIs that passed the exposure tests (private APIs that are not internet accessible) can be shown in the inventory by combining the “is internet accessible” filter with the “api_type: private” tag.

image-20250122-152841.png