After working with a few customers over the last couple months, we realized there was a gap in other API testing solutions; especially when it comes to writing security tests. So we decided to completely gut and revamp our testing product - sharing that with you all today!
Most automated API scanners only find generic vulnerabilities like misconfigured HSTS/CORS headers and miss vulnerabilities specific to your API's business logic. Making custom tests in tools like Postman (which we love) requires you to manually write tests for every single endpoint. This is quite tedious and time consuming if you have hundreds or thousands of endpoints.
So we decided to make the API Security testing experience much faster and more seamless:
* With Metlo testing, you can write API tests in a YAML format (https://docs.metlo.com/docs/writing-a-test).
* To make writing tests fast, Metlo supports autogenerating these tests with JavaScript templates (https://docs.metlo.com/docs/example-templates). Templates for common vulnerabilities in the OWASP Top 10 like BOLA, Broken Authentication, Security Misconfigurations and more come built into Metlo. You can also make custom templates that are specific to your API.
* Once you have the right templates you can build rules to apply these templates to many endpoints at once (https://docs.metlo.com/docs/test-rules). This makes it possible to write hundreds of tests against your API in just a few clicks :)
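To make the template-plus-rule idea concrete, here is an added illustration (not Metlo's own code or test format): an assumed endpoint inventory, a BOLA template that turns one endpoint into a two-identity test, a rule that selects every authenticated endpoint with a path parameter, and a checker that evaluates a generated test against observed responses. The endpoint list, the `userA`/`userB` identities and the test object shape are all constructed assumptions.

```javascript
// Constructed endpoint inventory, as a scanner would collect from traffic or an OpenAPI spec.
const ENDPOINTS = [
  { method: "GET",    path: "/users/{userId}/orders", auth: true  },
  { method: "DELETE", path: "/users/{userId}",        auth: true  },
  { method: "GET",    path: "/health",                auth: false },
  { method: "POST",   path: "/login",                 auth: false },
];

// A template turns one endpoint into a test. This BOLA template assumes two test
// identities: userA owns the object, userB is another ordinary user.
function bolaTemplate(ep) {
  const param = ep.path.match(/\{([^}]+)\}/)[1];          // first path parameter
  const req = { method: ep.method, path: ep.path, params: { [param]: `{{userA.${param}}}` } };
  return {
    name: `BOLA ${ep.method} ${ep.path}`,
    steps: [
      { as: "userA", request: req, expect: { status: [200, 204] } }, // owner can reach it
      { as: "userB", request: req, expect: { status: [403, 404] } }, // other user must not
    ],
  };
}
const TEMPLATES = { bola: bolaTemplate };

// A rule picks which endpoints a template applies to: here, every authenticated
// endpoint that carries a path parameter, so one rule covers all object-level routes.
const bolaRule = { template: "bola", match: (ep) => ep.auth && /\{[^}]+\}/.test(ep.path) };

function generateTests(endpoints, rules) {
  const tests = [];
  for (const rule of rules) {
    const template = TEMPLATES[rule.template];
    for (const ep of endpoints) if (rule.match(ep)) tests.push(template(ep));
  }
  return tests;
}

// Evaluate a generated test against the observed status per step (constructed here in
// place of real HTTP calls). Returns the first failing step, or null when every step passes.
function evaluateTest(test, observedStatuses) {
  for (let i = 0; i < test.steps.length; i++) {
    const step = test.steps[i];
    if (!step.expect.status.includes(observedStatuses[i])) {
      return { test: test.name, step: i, as: step.as, got: observedStatuses[i], expected: step.expect.status };
    }
  }
  return null;
}
```

With the inventory above, one rule yields two BOLA tests, and a `userB` step that returns 200 is reported as a failure of that test.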
We have more info on our docs here: https://docs.metlo.com/docs/writing-a-test. And here's a demo video if you’d like a quick walk-through :) https://www.loom.com/share/f342f186e756489aa7a500be875a5539
We’d love to hear your thoughts!
[0] https://github.com/metlo-labs/metlo
[1] https://news.ycombinator.com/item?id=33534856