Sift Analyzers
Analyzers are an integral part of Sift. An analyzer performs checks on the operations of an API to find functional defects and security vulnerabilities in the application under test. Each analyzer performs its own set of checks, described on that analyzer's page. If an operation fails a check performed by an analyzer, Sift reports a finding.
Each finding carries a fault identifier that classifies the kind of fault the analyzer detected. Fault identifiers begin with a three-letter prefix that denotes a class of faults.
| Fault Prefix | Description |
|---|---|
| CWE | Common Weakness Enumeration. The MITRE Common Weakness Enumeration (CWE) is an industry-standard catalogue of software and hardware weakness types. A security vulnerability reported by Sift is classified under one of the CWE weaknesses. |
| SCF | Conformance Fault. When an API operation does not conform to the API definition, the defect is classified as an SCF fault. |
| SFF | Functional Fault. Functional defects are classified as SFF faults. |
| SIF | Injection Fault. A finding reported for a user-specified injection attack vector is classified as an SIF fault. |
| SPF | Property Fault. When an API operation violates a user-specified property, the defect is classified as an SPF fault. |
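The prefix scheme above lends itself to automated triage: a pipeline can sort Sift findings by fault class and decide whether to block on them. The following is an added example, not Sift's own code, and it assumes a findings format (a list of records with `operation` and `fault_id` keys) that this page does not document; the sample identifiers such as `SCF-001` and the blocking policy (fail on CWE, SIF and SPF findings, warn on SCF and SFF) are constructed for illustration.

```python
"""Triage Sift findings by fault-identifier prefix.

Added example, not part of Sift. Assumes each finding is a dict with
"operation" and "fault_id" keys; the real Sift output format is not
documented on this page and may differ.
"""
from collections import defaultdict

# The five fault classes from the table above.
FAULT_CLASSES = {
    "CWE": "Common Weakness Enumeration",
    "SCF": "Conformance Fault",
    "SFF": "Functional Fault",
    "SIF": "Injection Fault",
    "SPF": "Property Fault",
}

# Assumed gating policy: security-relevant classes block a pipeline,
# conformance and functional faults only warn.
BLOCKING_CLASSES = {"CWE", "SIF", "SPF"}


def fault_class(fault_id: str) -> str:
    """Return the three-letter class prefix of a fault identifier.

    Raises ValueError for identifiers that do not start with a known
    prefix, so a malformed or unknown identifier is never silently
    counted as harmless.
    """
    prefix = fault_id[:3].upper()
    if prefix not in FAULT_CLASSES:
        raise ValueError(f"unknown fault class in identifier {fault_id!r}")
    return prefix


def triage(findings):
    """Group findings by fault class and return (by_class, blocking).

    by_class maps each prefix to the findings carrying it; blocking is
    True if at least one finding belongs to a blocking class.
    """
    by_class = defaultdict(list)
    for finding in findings:
        by_class[fault_class(finding["fault_id"])].append(finding)
    blocking = any(cls in BLOCKING_CLASSES for cls in by_class)
    return dict(by_class), blocking


# Constructed sample findings; operation names and identifiers are made up.
SAMPLE_FINDINGS = [
    {"operation": "GET /users/{id}", "fault_id": "CWE-639"},
    {"operation": "POST /login", "fault_id": "SCF-001"},
    {"operation": "GET /search", "fault_id": "SIF-002"},
    {"operation": "PUT /orders/{id}", "fault_id": "SFF-003"},
]

if __name__ == "__main__":
    grouped, should_block = triage(SAMPLE_FINDINGS)
    for cls, items in sorted(grouped.items()):
        print(f"{cls} ({FAULT_CLASSES[cls]}): {len(items)} finding(s)")
        for item in items:
            print(f"  {item['fault_id']:10} {item['operation']}")
    print("result:", "BLOCK" if should_block else "PASS")
```

Rejecting unknown prefixes rather than skipping them is deliberate: a new fault class introduced by a later Sift release should surface as a triage error, not disappear from the report.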
List of Analyzers:
- Application-specific Property Analyzer (`PolicyEvaluator`)
- Broken Object Level Authorization (`BrokenObjectLevelAuth`)
- Broken User Authentication (`BUA`, `BUAWeakPasswords`, `BUASessionIdExposure`)
- HTTP Security Headers (`SecurityHeaders`)
- Injection
- OpenAPI Conformance (`OpenAPIConformance`)
- Rate Limit Analyzer (`RateLimit`)
- Sensitive Data Exposure
- Server Error (`ServerError`)
- Server-Side Request Forgery (`SSRF`)
- TLS Version Analyzer (`TLSVersion`)