Introducing the API Security Workshop Learn More  

What is API Security Testing?

Property 1=What is API Security Testing

Application Programming Interfaces (APIs) represent a major attack surface. Not only are they capable of providing access to sensitive information and critical application functions, they also often come with specific instructions on how to gain such access. They’re the only digital asset that offers malicious actors a precise, step-by-step guidebook for mounting an attack. For these reasons, and others, it is essential that SDLC programs, product teams, AppSec and/or product security, and quality assurance (QA) processes include API security testing. 

API security testing is a process that involves inspecting an API to ensure its security. This can include looking for potential vulnerabilities and ensuring that the data sent and received via the API is secure. It may also include ensuring that external entities do not have access to the API,  and that the API does not have malicious code built into it. API security testing is a very important part of software development today because software is constantly being hacked and malicious actors are looking for ways to exploit software weaknesses in order to gain access to private information.

Why API security testing is a necessity

Internal teams are wise to conduct API security testing because API calls have become a frequent element in modern software applications. Indeed, it would be hard to imagine an application being developed today that didn’t have at least one call out to an API, perhaps one controlled by another corporate entity. They’re vulnerable and common, so they should be tested to make sure they are not exposing the application to risk.

And, the pace of application development and releasing has accelerated significantly over time. With DevOps and Continuous Integration/Continuous Deployment (CI/CD), new code now goes into production at a tempo that would have been hard to imagine just a few years ago. It is now far easier for a security vulnerability to make its way into a production application than ever before. API security testing that’s integrated with CI/CD mitigates this risk, at least as it applies to APIs. 

API security testing should ideally be matched with API functionality testing. An API has to work as intended, and this requires testing. In some cases, the two forms of testing overlap. For example, determining if an API is returning the correct data is relevant functionality, but also to security. 

The risks with APIs are far from theoretical. In the last year, there have been several high-profile cyber attacks that exploited API vulnerabilities. Parler, the social media platform, had data exposed after attackers figured out that its API lacked authentication. LinkedIn suffered a major API-driven breach, with 92% of its users’ data exposed due to an API that lacked authentication. The attacker was able to scrape data from the site.



When is the best time to perform API security testing?

So when should you conduct API security testing? The best answer is “as early as possible.” This means testing pre-production. Like other security testing done in software development, API security testing should “shift left,” meaning it should move to the earliest possible stage in the development cycle. That’s the time when developers are most likely to be familiar with the recent code they wrote rather than the code they wrote a month or 6 months ago. This way, testers can catch and remediate security issues before they go into production. 

Once an application is in production, it becomes more expensive and disruptive to fix a security problem. With CI/CD, a new vulnerability can go into production every hour, so it’s really helpful to be on top of API security testing before code reaches the end of the CI/CD pipeline. A further best practice is to follow up with post-production API security testing. This process catches security flaws that arise in production, but which may be difficult to detect in pre-production, such as production configuration issues.

What API security helps prevent

API security testing can cover a wide range of API related risks. The Open Web Application Security Project (OWASP) has compiled a list of the 10 most serious API vulnerabilities, which provides a useful guide to what API security testing should target with the highest priority:

  • API1:2019 Broken Object Level Authorization—making sure that only authorized users can access API endpoints for which they have access privileges. 
  • API2:2019 Broken User Authentication—preventing hackers from compromising authentication tokens or exploiting implementation flaws so they can assume other user’s identities.
  • API3:2019 Excessive Data Exposure—filtering data returned by the API before it is shared with the user—with the goal of avoiding sharing data for which the user is not entitled.
  • API4:2019 Lack of Resources & Rate Limiting—mitigating the risk of Denial of Service (DoS) and brute force attacks by throttling the volume and frequency of API calls. 
  • API5:2019 Broken Function Level Authorization—keeping administrative and regular user authorizations separate to keep attackers from gaining access to other users’ resources and/or administrative functions. 
  • API6:2019 Mass Assignment—not automatically binding client-provided data (e.g., JSON) to data models, with the goal of stopping privilege escalation and data tampering. 
  • API7:2019 Security Misconfiguration—checking API security configurations to block improper API access and abuse.
  • API8:2019 Injection—stopping the API from executing unintended commands or accessing data without proper authorization. 
  • API9:2019 Improper Assets Management—checking API hosts and versions to avoid exposing deprecated API versions and exposed debug endpoints to users. 
  • API10:2019 Insufficient Logging & Monitoring—checking logging and monitoring controls to bolster API security and enable detection of threats and attacks.

How to perform API security testing

Developers, security teams and more, can now avail themselves of a new generation of API security testing tools. As exemplified by Noname Security Active Testing, they can run numerous dynamic API security tests on an application. Active Testing offers a purpose-built API security testing solution that takes into account the user’s unique business logic. It provides comprehensive coverage of API-specific vulnerabilities, including the OWASP API Top Ten security issues. The suite can help align API security tests with business objectives and team structures. These latter two factors are important in making the “shift left” approach viable because making API security testing part of the dev cycle takes people and processes. 

API security testing is critical for protecting modern applications in this era of CI/CD. It should occur as “far to the left” as possible in the development process. The testing process needs to test for known API vulnerabilities, such as those referenced in the OWASP list, as well as other security problems. With the right testing tools, it is possible to conduct thorough API security testing early in development—detecting and remediating problems before they go into production.