FAQ - API Discovery

Does NightVision require access to our source code? Does NightVision upload any code?

When using our API discovery product, we upload metadata about the code, such as whether there is an endpoint for a REST API. The static analysis that produces this metadata runs within the Golang binary in your environment, and your code never leaves your environment. The metadata records where an endpoint is declared, such as a PostMapping or GetMapping annotation in Java Spring, along with the declaration's file path and line number. We don't upload any business logic or actual code.

How is NightVision’s Source code-based API discovery different from traffic-based API discovery?

Some other API security vendors (e.g., Traceable or Salt) use collected HTTP traffic for API discovery. Compared to this approach, NightVision's source-code-scanning-based API discovery has the following key advantages:

  1. It's faster. NightVision can generate the OpenAPI spec within a minute. The traffic-based approach takes hours or longer to generate an OpenAPI spec, since it must first collect enough representative traffic.
  2. Its coverage is more complete. NightVision's approach follows the standard formal-methods techniques used in computer science for program analysis, so every declared endpoint is found. The traffic-based approach lacks this completeness: it misses shallow or zombie API endpoints that receive no live traffic, until a catastrophic security breach occurs when someone hits these vulnerable endpoints.
  3. It's cheaper. NightVision's approach works much like a compiler and is very cost-effective. The traffic-based approach needs to ingest and process a large amount of data, which can become very expensive, especially in a cloud environment.
  4. It doesn't raise security concerns. NightVision's CLI-based API Discovery tool executes in the customer's local environment, so the code is never sent elsewhere, eliminating security and privacy concerns. In the traffic-based approach, the vendor has full access to the customer's HTTP traffic, which may include PII, PCI or HIPAA-regulated data.
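The following Go program is an added illustration, not NightVision's code, of the two ideas above: extracting endpoint metadata (HTTP method, route, file path, line number) from Java Spring source without touching handler bodies, and comparing the declared endpoints against access-log traffic to surface routes that a traffic-only discovery would never see. The Java controller and the log lines are constructed sample inputs; the regular expressions cover only the common `@GetMapping`/`@PostMapping`-style annotations plus a class-level `@RequestMapping` prefix, which is an assumption made for the example rather than a description of the product's parser.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Endpoint is the only information the scan reports: where a route is
// declared, never the handler body.
type Endpoint struct {
	Method string // HTTP method, e.g. GET
	Path   string // route template, e.g. /api/users/{id}
	File   string // source file containing the annotation
	Line   int    // 1-based line number of the annotation
}

// mappingRe matches method-level Spring annotations such as
// @GetMapping("/users") or @PostMapping(value = "/users").
var mappingRe = regexp.MustCompile(`@(Get|Post|Put|Delete|Patch)Mapping\s*\(\s*(?:value\s*=\s*|path\s*=\s*)?"([^"]*)"`)

// classRe matches a class-level @RequestMapping("/prefix"). For simplicity this
// example assumes @RequestMapping is only used at class level.
var classRe = regexp.MustCompile(`@RequestMapping\s*\(\s*(?:value\s*=\s*|path\s*=\s*)?"([^"]*)"`)

// ScanJavaSource walks one Java Spring source file line by line and records
// each endpoint declaration it finds, combined with the class-level prefix.
func ScanJavaSource(file, src string) []Endpoint {
	var out []Endpoint
	prefix := ""
	for i, line := range strings.Split(src, "\n") {
		if m := classRe.FindStringSubmatch(line); m != nil {
			prefix = strings.TrimSuffix(m[1], "/")
			continue
		}
		if m := mappingRe.FindStringSubmatch(line); m != nil {
			out = append(out, Endpoint{Method: strings.ToUpper(m[1]), Path: prefix + m[2], File: file, Line: i + 1})
		}
	}
	return out
}

// OpenAPIPaths builds the "paths" object of a minimal OpenAPI 3 document; the
// x-source extension carries the file:line origin that the FAQ describes.
func OpenAPIPaths(eps []Endpoint) map[string]map[string]map[string]string {
	paths := map[string]map[string]map[string]string{}
	for _, ep := range eps {
		if paths[ep.Path] == nil {
			paths[ep.Path] = map[string]map[string]string{}
		}
		paths[ep.Path][strings.ToLower(ep.Method)] = map[string]string{"x-source": fmt.Sprintf("%s:%d", ep.File, ep.Line)}
	}
	return paths
}

// logRe pulls method and request path out of a constructed access-log line.
var logRe = regexp.MustCompile(`^(GET|POST|PUT|DELETE|PATCH) (\S+)`)

// templateToRegexp turns a Spring route template into an anchored regexp,
// so /api/users/{id} matches /api/users/42.
func templateToRegexp(path string) *regexp.Regexp {
	parts := strings.Split(path, "/")
	for i, p := range parts {
		if strings.HasPrefix(p, "{") && strings.HasSuffix(p, "}") {
			parts[i] = "[^/]+"
		} else {
			parts[i] = regexp.QuoteMeta(p)
		}
	}
	return regexp.MustCompile("^" + strings.Join(parts, "/") + "$")
}

// UntrafficedEndpoints returns declared endpoints that never appear in the
// log lines: the zombie routes a traffic-only discovery would miss.
func UntrafficedEndpoints(eps []Endpoint, logLines []string) []Endpoint {
	var silent []Endpoint
	for _, ep := range eps {
		re, seen := templateToRegexp(ep.Path), false
		for _, l := range logLines {
			m := logRe.FindStringSubmatch(l)
			if m != nil && m[1] == ep.Method && re.MatchString(strings.SplitN(m[2], "?", 2)[0]) {
				seen = true
				break
			}
		}
		if !seen {
			silent = append(silent, ep)
		}
	}
	return silent
}

// Constructed sample controller; not taken from any real project.
const sampleJava = `package demo;

@RestController
@RequestMapping("/api/users")
public class UserController {

    @GetMapping("/{id}")
    public User get(@PathVariable long id) { return repo.find(id); }

    @PostMapping(value = "")
    public User create(@RequestBody User u) { return repo.save(u); }

    // Legacy route nobody calls any more
    @DeleteMapping("/legacy/purge")
    public void purge() { repo.deleteAll(); }
}
`

// Constructed access-log lines: the DELETE route is never exercised.
var sampleLog = []string{"GET /api/users/42 200", "POST /api/users 201", "GET /api/users/7?verbose=1 200"}

func main() {
	eps := ScanJavaSource("UserController.java", sampleJava)
	spec := map[string]interface{}{"openapi": "3.0.3", "paths": OpenAPIPaths(eps)}
	b, _ := json.MarshalIndent(spec, "", "  ")
	fmt.Println(string(b))
	for _, ep := range UntrafficedEndpoints(eps, sampleLog) {
		fmt.Printf("no traffic observed: %s %s (%s:%d)\n", ep.Method, ep.Path, ep.File, ep.Line)
	}
}
```

Running it prints a paths object for the three declared routes and flags `DELETE /api/users/legacy/purge` as a route that the sample traffic never hit; note that the emitted data contains only method, path and `file:line`, with the handler bodies (`repo.find`, `repo.deleteAll`) never leaving the scanner.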