[HN Gopher] Show HN: Metlo (YC S21) - An Open Source API Securit...
       ___________________________________________________________________
        
       Show HN: Metlo (YC S21) - An Open Source API Security Tool
        
        Metlo - An Open Source API Security Tool
         
        Hey folks! Excited to share what we've been working on for the last
        couple months. Metlo is a self-hosted, open-source-first API security
        platform that inventories, tests and protects your API endpoints:
         
        - We inventory your endpoints by scanning API traffic and detecting
          all your endpoints along with the sensitive data they contain.
        - We generate information your security team may find useful like
          Open API Specs and risk scores for each endpoint.
        - After this we discover vulnerabilities like unauthenticated
          endpoints returning sensitive data or missing HSTS headers.
        - Finally Metlo detects any anomalous behavior on sensitive endpoints
          in real time so you can detect 0-day attacks as they're happening.
         
        We have a demo environment to play around with here
        http://demo.metlo.com/. Also, here's a demo video if you would like a
        quick walkthrough of the product :)
        https://www.loom.com/share/349c9e5f267741e9a0fcd2dfd1f9956f
        
       Author : ashekhawat
       Score  : 25 points
       Date   : 2022-10-13 16:59 UTC (6 hours ago)
        
        
       | freeqaz wrote:
        | How do you generate an API Spec if there isn't one? (I've spent
        | time working on this problem before, so I'm curious.)
        | 
        | Also, how do you prevent this tool from spamming everybody with
        | alerts? I've used various DAST tools like OWASP ZAP before and
        | ultimately they end up getting turned off because of alert
        | fatigue. (At Uber we trained an entire ML model to hide noisy
        | alerts based on us upvoting/downvoting them.)
        
         | ashekhawat wrote:
         | Hey @freeqaz! We analyze trace data that we capture from
         | production traffic to generate what the Open API Spec could be.
         | 
          | Here is an example of an auto-generated spec:
          | https://demo.metlo.com/endpoint/2be9f63e-a436-4ffc-b85a-e421....
          | This is the code in our repo:
          | https://github.com/metlo-labs/metlo/blob/master/backend/src/...
         | 
          | To avoid noisy alerts we've tried very hard to focus on areas
          | where we won't have high false positives. Also, unlike ZAP,
          | since we analyze real-time production traffic we have more data
          | to work with so we can make a more informed model. For example
          | we would catch anomalies like high usage on endpoints that
          | return sensitive data, endpoints that normally have
          | authentication where unauthenticated requests are succeeding,
          | strange ordering of API requests by a single user, etc.
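As an added illustration (not Metlo's code, and not part of the thread), here is how the two ideas in the reply above can be sketched over constructed sample traces: grouping raw requests into endpoints, as a spec generator would, and then flagging a normally-authenticated endpoint that returned 2xx to an unauthenticated request. The `{id}` normalization rule, the 0.8 baseline threshold and the trace tuples are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample traces (not real Metlo data):
# (method, path, Authorization header present, HTTP status)
TRACES = [
    ("GET", "/api/users/101", True, 200),
    ("GET", "/api/users/102", True, 200),
    ("GET", "/api/users/103", True, 200),
    ("GET", "/api/users/104", True, 200),
    ("GET", "/api/users/105", True, 200),
    ("GET", "/api/users/106", True, 200),
    ("GET", "/api/users/107", False, 401),  # rejected as expected
    ("GET", "/api/users/108", False, 200),  # anomalous: succeeded without auth
    ("GET", "/api/health", False, 200),     # legitimately public
    ("POST", "/api/login", False, 200),     # legitimately public
]

UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

def normalize_path(path):
    """Assumed rule: collapse numeric/UUID segments into {id} so /api/users/101
    and /api/users/102 count as one endpoint."""
    return "/".join("{id}" if re.fullmatch(r"\d+|" + UUID_RE, seg) else seg
                    for seg in path.split("/"))

def inventory(traces):
    """Group traces by (method, normalized path): the endpoint list a spec is built from."""
    endpoints = defaultdict(list)
    for method, path, auth, status in traces:
        endpoints[(method, normalize_path(path))].append((auth, status))
    return endpoints

def requires_auth(observations, threshold=0.8):
    """Baseline: 'normally authenticated' if >= threshold of 2xx responses carried credentials."""
    ok = [auth for auth, status in observations if 200 <= status < 300]
    return bool(ok) and sum(ok) / len(ok) >= threshold

def find_unauth_successes(traces, threshold=0.8):
    """Flag endpoints with an authenticated baseline that still returned 2xx without credentials."""
    findings = []
    for (method, path), obs in inventory(traces).items():
        if requires_auth(obs, threshold):
            n = sum(1 for auth, status in obs if not auth and 200 <= status < 300)
            if n:
                findings.append((method, path, n))
    return sorted(findings)
```

Public endpoints such as /api/health never build an authenticated baseline, so they are not flagged; only the one stray 200 on /api/users/{id} surfaces.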
        
       | NinadSinha wrote:
       | Hi HN! I'm Ninad, an engineer at Metlo.
       | 
       | Here to answer questions about Metlo, API security, or anything
       | else even tangentially related!
        
       | shrisukhani wrote:
       | Hi HN! I'm a co-founder of Metlo. So excited to finally share
       | this here.
       | 
       | @ashekhawat and I will be hanging out here for the next few hours
       | to answer any questions you have! :)
        
       ___________________________________________________________________
       (page generated 2022-10-13 23:02 UTC)