Introducing Akto Open Source: Redefining API security

How do you use it?

For Security engineer / Independent pentester

If you are a security engineer and want to use Akto to pentest your APIs, get started right away -

1. Run the setup command.

2. Add some traffic to Akto dashboard by integrating with BurpSuite, Postman, traffic mirroring.‍

3. Start testing the APIs against all of OWASP API Top 10 vulnerabilities

4. If you love it and want to elevate API security posture in your company, use the Enterprise version (for free). It automates all the 3 steps above and allows collaboration.

For Developer

If you are a developer, you can use Akto to automate API security tests as part of your CI/CD pipeline.

1. Setup Akto in your Cloud. You can use the enterprise setup from here (for free)

2. Use Traffic mirroring to auto-populate data in Akto

3. Setup triggered or daily tests and send Slack alerts.

For Contributor

If you want to contribute to Akto, we (and the security community) would be forever grateful to you. You can contribute to

1. Sensitive data types - Your nation’s identification patterns, cookie patterns, PII patterns etc.

2. Adding more tests - Add or improve existing templates.

For Dreamer

If you want to pursue your dream to create your own API security tool - feel free to get a head start using Akto. It is under MIT licence. A few good ideas -

1. Reduce it to a command line tool - strip off UI and embed in any other security tool

2. Make a self-serve tool for devs for API security

3. Make a VSCode plugin that populates and tests APIs in VSCode itself - no dashboard

4. If you need any help or suggestions, feel free to contact us at ankush@akto.io, ankita@akto.io or avneesh@akto.io.

Troubleshoot:

Ask any question on the product, request a feature and collaborate with other members to write API security tests on slack here. Our devs are working very very hard to build an awesome software for you all and will be more than happy to help you.

Open Source community edition vs Enterprise edition

It is a single-instance tool for now. It is meant for individual security engineers or pentesters who want to test their APIs extensively for vulnerabilities. By the nature of individual usage, a couple of things might not work out the best -

1. Scale - It depends on power of the instance. If you plan to feed it your production data, we suggest you to move to an Enterprise version - which is again free! It can easily handle 20M API calls per minute (5X of Google searches worldwide!) with a very low cost of infra.

2. False positives - Runtime tries to understand and infer a lot of context around the APIs. It comes from the traffic data. The number of false positives reduce drastically with good amount of data. A single user’s traffic isn’t usually enough to make a difference. You might see some false positives. We will be actively working to reduce this rate further.

3. Machine learning - Talking about inferring context around the APIs - this requires statistical analysis and machine learning models. These are data-hungry pipelines. Any app with 10K sessions is good enough to get started. Can’t expect this from a single user!

Will it never have?

To be honest, we don’t know. Our motivation of making Akto open source is to understand the technical challenges in API security by establishing a community of security engineers. We want to work with diverse people who can provide feedback or even contribute to Akto. If community benefits from opensourcing the ML modules, we will make it happen!

Plan - next 3 months

We have been transparent with our project roadmap. Here is our plan for this quarter (2 more months pending). All of it to be contributed to this open source branch.

1. 300+ tests by end of this quarter

2. Less than 10% false positive rate

3. Setup time under 60 seconds

4. Delight quotient - absolute 💯 😃

Drop us a Hi hello@akto.io. Join our community. Follow us on Twitter, LinkedIn or GitHub.