Integrating with Azure API Management

This feature is available with Invicti API Security Standalone or Bundle

Integrating Azure API Management with Acunetix 360 allows you to fetch Swagger2 and OpenAPI3 specification files from Azure API Management and provide them as inputs to our DAST scanners. The imported specification files are used to build an inventory of API endpoints that can be scanned for vulnerabilities.

PREREQUISITES: To integrate Azure API Management with Acunetix 360, you need a Microsoft Azure account with the right to set up credentials/permissions.

How to integrate Acunetix 360 with Azure API Management

Before setting up the Azure API Management integration in Acunetix 360, you need to register Acunetix 360 as an app in Microsoft Azure and add permissions and secrets. Follow the steps below in each section to prepare your Azure app for integration with Acunetix 360.

NOTE: Only Swagger2 and OpenAPI3 specification files will be imported.

Step 1: Register your Acunetix 360 app in Azure API Management

  1. In Microsoft Azure, select App registrations.

  2. Select New registration.

  3. Enter a Name for the application. In the Supported account types section, select your preferred option for who can see this application or access this API.

  4. Click Register to complete the registration.

You have now registered your application. The next step is to add it as a member and assign a role.

Step 2: Add your application as a member and assign a role

  1. After app registration is completed, go to the home page and select API Management services.

  2. Select one item from the list of API Management services.

  3. In the new window, select Access control (IAM).

  4. Select the Role assignments tab.

  5. Use the Add button to add a new role assignment.

  6. In the Members tab, click Select members.

  7. Search for the application you created earlier, click on it to select it, then click Select at the bottom of the page.

  8. On the Role tab, use the search field to search for API Management Service Reader Role (described as "Read-only access to service and APIs").

  9. Select the Job function role API Management Service Reader Role (Read-only access to service and APIs), and click Review + assign.

  10. You are taken to the Review + assign tab; click the Review + assign button.

The application has been added to your API Management Service. Continue with the steps in the next section to set permissions.

Step 3: Add permissions

  1. Return to the home page and select App registrations. Click the All applications tab, then select the app you created earlier.

  2. Select Manage > API permissions from the left-side menu.

  3. Click Add a permission and select Azure Service Management.

  4. Under Permissions, select the user_impersonation checkbox, then click Add permissions.

After adding the permissions, you need to create a secret for the app to prove its identity. Continue with the steps listed in the following section.

Step 4: Add a client secret

  1. Staying within the same application you created earlier (App registrations > All applications > click on your app), select Manage > Certificates & secrets from the left-side menu.

  2. Select New client secret.

  3. Enter a description and expiry date, then click Add.

  4. Use the copy buttons to copy both the Value and the Secret ID of the client secret. Paste them somewhere you can access later, as you will need them in step 5 when configuring the import source in Acunetix 360. Copying this information now is important, as the Value can only be viewed at this step.

TIP: The Application (client) ID and Directory (tenant) ID can later be found under App registrations > All applications tab > select your app > Overview.

You now have the necessary information to set up the API integration in Acunetix 360. Continue with the instructions in the next section.
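The same Azure-side preparation (Steps 1 to 4) as an Azure CLI script. This is an added example, not Acunetix 360 or Microsoft code; it assumes you have already run `az login`, that the app name, resource group and API Management service name are placeholders you replace, and that your Azure CLI exposes the `oauth2PermissionScopes` property on service principals. The role assignment is scoped to the single API Management instance rather than the whole subscription, and the client secret is given a bounded lifetime.

```shell
#!/usr/bin/env bash
# Added example (not Acunetix/Invicti or Microsoft code): registers the app,
# assigns the read-only API Management role, adds the Azure Service Management
# user_impersonation permission, and creates a one-year client secret.
set -euo pipefail

# Build the ARM resource ID of one API Management instance. Using it as the
# role-assignment scope limits the app to reading that service only.
apim_scope() {
  # $1 subscription id, $2 resource group, $3 API Management service name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ApiManagement/service/%s' "$1" "$2" "$3"
}

provision() {
  local app_name="$1" rg="$2" apim="$3"
  local sub app_id sp_id scope asm_app scope_id
  sub=$(az account show --query id -o tsv)
  scope=$(apim_scope "$sub" "$rg" "$apim")

  # Step 1: register the application (single-tenant by default).
  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  # The service principal is the identity that receives the role assignment.
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  # Step 2: read-only role, scoped to this one API Management instance.
  az role assignment create --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal \
    --role "API Management Service Reader Role" --scope "$scope" >/dev/null

  # Step 3: delegated user_impersonation permission on Azure Service Management.
  # 797f4846-... is the well-known app id of the Azure Service Management API;
  # the permission's scope id is looked up rather than hard-coded.
  asm_app=797f4846-ba00-4fd7-ba43-dac1f8f63013
  scope_id=$(az ad sp show --id "$asm_app" \
    --query "oauth2PermissionScopes[?value=='user_impersonation'].id" -o tsv)
  az ad app permission add --id "$app_id" --api "$asm_app" \
    --api-permissions "${scope_id}=Scope"

  # Step 4: client secret with a bounded lifetime. The Value is shown only
  # once, so this output is what gets pasted into Acunetix 360 in Step 5.
  az ad app credential reset --id "$app_id" --years 1 \
    --query "{clientId:appId, tenantId:tenant, clientSecret:password}" -o json
}

# Runs only when invoked explicitly:
#   ./provision.sh run <app-name> <resource-group> <apim-service-name>
if [ "${1:-}" = "run" ]; then
  provision "$2" "$3" "$4"
fi
```

The JSON printed at the end contains the Client Id, Tenant Id and Client Secret needed for Step 5; treat it as a credential and do not leave it in shell history or logs.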

Step 5: Configure the API import source in Acunetix 360

  1. Log in to Acunetix 360.

  2. Select APIs > Sources from the left-side menu.

  3. Click Add new source.

  4. Enter a Name for the API integration and select Azure as the source type.

  5. Enter the Client Id, Client Secret, and Tenant Id. The Application (client) ID and Directory (tenant) ID are shown in Azure under App registrations > All applications > your app > Overview; the Client Secret is the Value you copied in step 4.

  6. Click Authenticate and Save.

Your Azure API Management integration is now displayed on the APIs > Sources page.

Step 6: Synchronize the API import

  1. On the APIs > Sources page in Acunetix 360, click the sync icon to start importing your API specification files from Azure API Management into your Acunetix 360 API Inventory.

  2. When the sync is complete, your API specification files will be displayed on the API Inventory page in Acunetix 360. From this page, you can link your API specification files to targets so they can be scanned for vulnerabilities. For more information, refer to Linking and unlinking discovered APIs to targets.

Azure is now integrated with Acunetix 360. After the initial synchronization, the integration will automatically sync your API specifications once every 24 hours.

NOTE: To synchronize API specifications on demand, click the sync icon on the APIs > Sources page. To disable automatic synchronization, click the toggle in the Sync Automatically column on the APIs > Sources page.
