The Secure Code Warrior Direct Linking API is a RESTful JSON service that allows our partners to retrieve application security training material. The material available includes links to explainer videos and training exercises in over 50 languages and frameworks, all designed to provide developers with contextually relevant microlearning opportunities from within partner products.
The API is designed to be consumed by a partner product, and provides access to application security training material that can then be linked to, or embedded within the product. It supports a range of industry standard vulnerability references such as CWE and OWASP, and also allows the partner product to specify the language and framework of exercise content.
The Direct Linking API is to be used in accordance with our [Terms of Service].
In order to invoke the API you will need a Partner ID, which will be provided to you by a member of our partnerships team. Please contact us if you have not received one.
You will also need to map your vulnerability categories to ours. The simplest approach to mapping categories is to use an industry standard such as CWE or OWASP references - if you already map your vulnerability categories to these there is no need to create a custom mapping. Valid mappings can be retrieved from the API itself [here]. However, if you prefer a customised and more precise mapping please contact our partnerships team and they can help you get started.
Lastly, you will need to map your development languages and frameworks to ours. Valid language and framework keys for the Direct Linking API can be retrieved from the API itself [here]. Once you map your languages and frameworks to the corresponding LanguageKeys you will have completed the required configuration.
The Direct Linking API endpoint is located at:
It can be called via HTTP GET with the following parameters:
- Id - Your Partner ID
- MappingList - The custom mapping or vulnerability reference scheme to use
- MappingKey - The mapping or reference key to retrieve training material for
- LanguageKey - The language and framework to retrieve training exercises in
For example, the following API call will return JSON containing training material on SQL injection (MappingList CWE and MappingKey 89) in Java using the Spring framework (LanguageKey java:spring):
The API will respond with JSON containing the following properties that can be embedded into the partner product or can be added as a link:
- url - A link to training exercises on the Secure Code Warrior platform in the specified language and framework where available
- name - The display name of the vulnerability
- description - A high level description of the vulnerability
- videos - An array of links to relevant explainer videos on the vulnerability topic
If the MappingKey does not have a valid mapping to training material, a 404 not found error will be returned, allowing the partner product to handle this case and suppress the display of any training material.
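The request and response handling described above, as an added example in JavaScript (this is not Secure Code Warrior's browser client library). The endpoint URL and Partner ID are placeholders because neither appears on this page; the sample reply is constructed, not real API output.

```javascript
// Added example, not Secure Code Warrior's own client library: builds a Direct
// Linking API request, validates the JSON reply and suppresses the training
// section on 404. ENDPOINT and PARTNER_ID are placeholders (not on this page).
const ENDPOINT = "https://DIRECT-LINKING-ENDPOINT-PLACEHOLDER/";
const PARTNER_ID = "YOUR-PARTNER-ID"; // issued by the partnerships team

// Build the GET URL with the four documented query parameters, URL-encoded so a
// key such as "java:spring" cannot break the query string.
function buildRequestUrl({ mappingList, mappingKey, languageKey },
                         partnerId = PARTNER_ID, endpoint = ENDPOINT) {
  const url = new URL(endpoint);
  url.searchParams.set("Id", partnerId);
  url.searchParams.set("MappingList", mappingList);
  url.searchParams.set("MappingKey", String(mappingKey));
  url.searchParams.set("LanguageKey", languageKey);
  return url.toString();
}

// Interpret an HTTP status plus parsed JSON body. Returns null on 404 so the
// caller suppresses the training section; throws on other errors; otherwise
// returns only the four documented properties (url, name, description, videos).
function parseTrainingResponse(status, body) {
  if (status === 404) return null;
  if (status !== 200) throw new Error(`Direct Linking API returned HTTP ${status}`);
  if (!body || typeof body.url !== "string" || typeof body.name !== "string") {
    throw new Error("Direct Linking API response is missing url or name");
  }
  return {
    url: body.url,
    name: body.name,
    description: typeof body.description === "string" ? body.description : "",
    videos: Array.isArray(body.videos) ? body.videos.filter(v => typeof v === "string") : [],
  };
}

// Thin network wrapper; a fetch implementation can be injected for testing.
async function fetchTrainingMaterial(params, fetchImpl = fetch) {
  const res = await fetchImpl(buildRequestUrl(params));
  const body = res.status === 200 ? await res.json() : null;
  return parseTrainingResponse(res.status, body);
}

// Constructed sample reply (not real API output) for the SQL injection example.
const SAMPLE_SQLI_REPLY = {
  url: "https://training.example/sqli?lang=java:spring",
  name: "SQL Injection",
  description: "Constructed description of SQL injection.",
  videos: ["https://videos.example/sqli-explainer"],
};
```

A partner product would call `fetchTrainingMaterial({ mappingList: "CWE", mappingKey: 89, languageKey: "java:spring" })` and render the returned fields only when the result is not null.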
To access the Direct Linking API Center to view full reference documentation and access the interactive API explorer, please click [here].
Browser Client Library
A simple browser client library is available for use with any web frontend, and as an example implementation of how to call the Direct Linking API:
The following screenshot shows an example report from a fictional static analysis security scanner. The sections highlighted in blue have been dynamically populated from the Direct Linking API based on the CWE reference in order to embed the explainer video, text description and contextual training button directly into the report generated by the scanner. View the live example report [here].