Snyk API & Web Managed Scans Service Description
Overview
Snyk API & Web Managed Scans is an optional add-on service for organizations that want to get the most out of dynamic application security testing (DAST) without building extensive in-house expertise. The service lets you offload the configuration and day-to-day management of Snyk API & Web scanning to Snyk security professionals, who handle target setup, scan tuning, vulnerability validation and remediation guidance so that your team can focus on core development and business operations.
1. Key benefits
Expert API & Web Management: Leverage Snyk's deep expertise to optimize your security testing strategy.
Reduced Operational Overhead: Free up your internal resources by outsourcing management of API & Web scanning.
Enhanced Security Posture: Proactive vulnerability identification and remediation minimize your risk exposure.
Tailored Testing Approach: Customized scan profiles and vulnerability curation ensure accurate and relevant results.
Accelerated Remediation: Clear and actionable remediation guidance enables swift vulnerability resolution.
Continuous Security Monitoring: Maintain ongoing security vigilance with proactive scan management and coverage optimization.
2. Managed API & Web Activities
Snyk API & Web Managed Scans encompass a comprehensive suite of activities designed to ensure thorough and effective security testing:
Target Setup and Configuration
Precise addition and configuration of target applications, based on detailed customer specifications.
Configuration of authentication settings, including complex login flows and session management.
Definition of target scope and exclusions to optimize scan efficiency and accuracy.
Configuration of API testing within the API & Web scans.
Dynamic Application Scanning
Initiation and scheduling of API & Web scans, tailored to your application's architecture and complexity.
Continuous monitoring of scan progress and performance, with real-time adjustments as needed.
Automated and manual verification of scan results to ensure accuracy and completeness.
Implementation of advanced crawling techniques to find hidden endpoints.
Comprehensive Scan Coverage Optimization
Detailed analysis of scan coverage to identify and address gaps in testing.
Dynamic adjustment of scan settings, including crawling patterns and authentication parameters, to maximize coverage.
Validation of application state and behavior during scanning to ensure accurate results.
Testing of Single Page Applications (SPAs) and other complex web applications.
Customized Scan Profile Development
Creation of tailored scan profiles to meet specific testing requirements, including maximum scan duration, user flow recording, and crawling patterns.
Configuration of targeted vulnerability checks, focusing on critical areas of concern.
Throttling of scanning speed and resource utilization to minimize impact on application performance.
API scan profile creation.
Vulnerability Triage and Curation
Rigorous validation of identified vulnerabilities to eliminate false positives.
Contextual analysis of vulnerabilities to determine accurate severity levels.
Risk acceptance and vulnerability marking based on business impact and remediation feasibility.
Providing detailed proof of concept information for discovered vulnerabilities.
Detailed Scan Result Analysis and Remediation Guidance
Clear and concise explanation of scan results, including vulnerability descriptions and impact assessments.
Actionable remediation recommendations, prioritized based on severity and risk.
Guidance on best practices for secure coding and application hardening.
API Scripting and Automation
Development of Python scripts to automate routine API & Web tasks and bulk changes.
Expert Security Advisory
Ongoing consultation on API & Web best practices and security testing strategies.
Assistance with integration setup and configuration.
Proactive recommendations for improving application security posture.
If high-severity findings are discovered, Snyk will manually validate them and communicate the findings, along with any recommended mitigation actions, to the customer's designated point of contact within 24 hours of validation.
Monthly report and readout call covering vulnerabilities and scheduled scans.
3. Service Requests
Snyk API & Web Managed Scans are delivered through:
Proactive Services
Automated and continuous monitoring of scan coverage and vulnerability curation.
Proactive adjustments to scan profiles and settings to optimize testing effectiveness.
Customer-Initiated Requests
On-demand support for all activities outlined in Section 2, submitted via a private Slack channel or email. Other methods of secure communication are available.
Required information for each request includes: Account Name, Target Name, Target URL, and the specific service requested.
4. Plan Hours
Each Managed API & Web plan includes a defined number of service hours per month.
Service time is deducted from the monthly allowance, with a minimum charge of 30 minutes per request, rounded to the nearest 30-minute increment.
We prioritize efficient service delivery and group requests whenever possible to maximize your available hours.
A detailed quarterly time report is provided, outlining all services performed.
Response time for customer-requested services is 1 business day.
5. Deliverables
Access to a private Slack channel for proactive communication with Snyk
Access to secure file sharing for deliverables and other files
High-severity finding alerts within 24 business hours of manual vulnerability validation
Monthly report of:
Scans performed (completed / failed)
Vulnerabilities discovered by severity
Observations including target configuration, scan coverage, scope management and any related issues or challenges.
Summary of remediation recommendations
Monthly scheduled readout call to review the report, scheduled scans, and to provide remediation guidance
Quarterly report of hours, customer requests, and all activities performed.
Snyk API & Web Managed Scans are designed to adapt to a customer's evolving needs, offering support when and if it is needed over the term of the subscription. The maximum number of service hours per month is determined by the plan you purchase. These hours are a monthly ceiling on Snyk services performed throughout the term of the subscription; unused hours do not roll over or accumulate from month to month.
Key Assumptions
This section outlines the key assumptions underlying Snyk API & Web Managed Scans. These assumptions are critical for ensuring effective service delivery and client satisfaction.
Failure to meet these assumptions may necessitate additional troubleshooting, reconfiguration, or remediation work, which is charged against your monthly service hour allocation. In addition, while Snyk commits to a one-business-day response time, resolution timeframes may be extended if these assumptions are not met.
Accurate Target Information:
It is assumed that the customer will provide accurate and complete information about the target web applications and APIs, including URLs, authentication credentials, and relevant application architecture details.
Changes to the target environment must be promptly communicated to Snyk to ensure continued scan accuracy.
Accessible Target Environments:
Snyk requires consistent and reliable access to the target web applications and APIs during scheduled scans.
Any downtime or accessibility issues must be communicated in a timely manner.
Defined Scope and Exclusions:
Customers must clearly define the scope of testing, including specific URLs and API endpoints to be scanned, as well as any exclusions.
Ambiguity in scope definition may lead to incomplete or inaccurate scan results.
Client Collaboration and Responsiveness:
Effective communication and collaboration between Snyk and the customer are essential.
Customers are expected to respond to inquiries and provide necessary information in a timely manner.
Appropriate Authentication and Authorization:
Customers are responsible for providing appropriate authentication and authorization credentials for accessing protected areas of their web applications and APIs.
Snyk assumes that these credentials will be managed securely by the customer.
Stable Application Behavior:
The application behavior is assumed to be reasonably stable during the scanning process.
Significant application changes during a scan can cause inaccurate results.
Clear Communication of Service Requests:
Customer service requests are expected to contain all of the required information as described in the service request section of the service document.
Lack of required information will delay service request completion.
Understanding of Service Limitations:
Customers understand that the managed service hours are limited per the purchased plan.
Customers understand that service requests will be completed within the stated SLA.