AttackForge Enterprise

Authentication

Overview

Easily automate workflows using our Self-Service API (SSAPI). It is perfect for customisations and integrations into your enterprise ecosystem.

You can use the Self-Service API to:

  • Retrieve data from AttackForge regarding vulnerabilities, projects, assets, groups, and more - to create your own custom dashboards & analytics; or integrate data into risk management tools such as RSA Archer, MetricStream GRC, Logic Manager, Riskonnect, SAP GRC, and others;

  • Create new projects or project requests in the system through third-party platforms, scripts or tools;

  • Migrate your own custom Vulnerability Library & Test Suites into AttackForge from other systems;

  • Extract audit logs on users, projects or the system;

  • Manage user permissions; and

  • Administer data in AttackForge through automated workflows.

Access to the Self-Service API is controlled using an Authorization token / API key. If you do not already have an existing Self-Service API key, you can generate one within the application.

In order to access the Self-Service API, you must meet the following conditions:

  • You must have a valid Self-Service API key;

  • You must be provided with access to API methods by the Administrators; and

  • You must supply your API key in the X-SSAPI-KEY header with each request to the API endpoint.

Your key is static and does not expire. You can request a new key at any time within the application.

All requests to the API must be made over HTTPS. Calls made over plain HTTP will fail. You must authenticate all requests.
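The header and HTTPS requirements above, as an added Python example (not AttackForge's own code). It also refuses redirects and masks the key in log output, because the key is static and urllib would otherwise copy the header to a redirect target. The host `tenant.example`, the endpoint path, the environment variable `ATTACKFORGE_SSAPI_KEY` and all function names are assumptions.

```python
import os
import urllib.request
from urllib.parse import urlsplit

KEY_HEADER = "X-SSAPI-KEY"              # header name given on this page
KEY_ENV_VAR = "ATTACKFORGE_SSAPI_KEY"   # assumed variable name, not from the page


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: urllib copies request headers (the key) to the new URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # the 3xx response then surfaces as an HTTPError


def build_request(url, api_key=None):
    """Return a GET request carrying the key, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("SSAPI calls must use https://")
    key = api_key or os.environ.get(KEY_ENV_VAR, "")
    if not key or any(ch.isspace() for ch in key):
        raise ValueError("missing or malformed API key")
    req = urllib.request.Request(url, method="GET")
    req.add_header(KEY_HEADER, key)
    return req


def redact(req):
    """Header dict that is safe to log: the static key is masked."""
    return {name: "***" if name.lower() == KEY_HEADER.lower() else value
            for name, value in req.header_items()}


def send(req, timeout=10):
    """Send the request without following redirects; return (status, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(req, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed placeholder URL and key; replace with your tenant's values.
    demo = build_request("https://tenant.example/placeholder-endpoint",
                         api_key="constructed-example-key")
    print(demo.full_url, redact(demo))
```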

Access to the SSAPI, including scope of data available, is restricted to the users' data within the application. This means that Administrators' API key cannot access all data in the system,

By default, no user in the system has access to any of the API methods/endpoints. Access must be provided explicitly by an Administrator, and is controlled on an individual method/endpoint basis.

A user can see their access to the SSAPI by viewing the My API section within the SSAPI module in the application.

An Administrator can provide access to the SSAPI for a user by accessing the Users module.