What is API Security Testing?
Application Programming Interfaces, or APIs, represent a major attack surface. Not only are they capable of providing access to sensitive information and critical application functions, they also often come with specific instructions on how to gain such access. They’re the only digital asset that offers malicious actors a precise, step-by-step guidebook for mounting an attack. For these reasons, and others, it is essential that SDLC programs, product teams, AppSec and/or product security, and quality assurance (QA) processes include API security tests.
API security testing is the process of inspecting an API to ensure that it is secure. Distinct from application security testing, API security testing looks for potential vulnerabilities and ensures that the data sent and received via the API is protected. It may also include verifying that unauthorized external entities cannot access the API, and that the API does not contain malicious code. API security testing is a very important part of software development today because software is constantly under attack and malicious actors are looking for ways to exploit software weaknesses in order to gain access to private information. There is no shortage of API security issues.
Why is API security testing important?
Internal teams are wise to conduct API security testing because API calls have become a frequent element in modern software applications. Indeed, it would be hard to imagine an application being developed today that didn’t have at least one call out to an API, perhaps one controlled by another corporate entity. They’re vulnerable and common, so they should be tested to make sure they are not exposing the application or its sensitive data to risk.
The pace of application development and release has also accelerated significantly over time. With DevOps and continuous integration/continuous deployment (CI/CD), new code now goes into production at a tempo that would have been hard to imagine just a few years ago. It is now far easier for a security vulnerability to make its way into a production application than ever before. API security testing that is integrated with CI/CD mitigates this risk, at least as it applies to APIs.
API security testing should ideally be paired with API functionality testing. An API has to work as intended, and this requires testing. In some cases, the two forms of testing overlap. For example, determining whether an API returns the correct data is relevant to functionality, but also to security.
The risks with APIs are far from theoretical. In the last year, there have been several high-profile cyber attacks that exploited API vulnerabilities. Parler, the social media platform, had data exposed after attackers figured out that its API lacked authentication. LinkedIn suffered a major API-driven breach, with 92% of its users’ data exposed due to an API that lacked authentication. The attacker was able to scrape data from the site.
Types of API security testing
Both SAST and DAST can be used in API security testing to identify and fix security issues. SAST is useful for detecting and remediating programming problems and possible API vulnerabilities in the code, and it helps developers improve code quality and security for APIs. DAST tests your active API assets by simulating real-life attacks against the running API to detect potential vulnerabilities, including whether the correct authentication and authorization procedures are in place to secure the APIs.
Static Analysis Security Testing (SAST)
SAST, or Static Analysis Security Testing, is a software testing technique that uses static analysis to find security vulnerabilities in the source code of the software.
Static analysis is a type of computer-aided software engineering (CASE) tool that analyzes source code without executing it. It can be used to detect programming errors, design flaws, and security vulnerabilities in the source code of a program or system.
Dynamic Application Security Testing (DAST)
DAST, or dynamic application security testing, differs from SAST in that the API is tested while it is running, in production. Testers identify problems that occur during use and then trace them back to their origins in the software design, rather than detecting issues tied to a specific code module.
Software Composition Analysis (SCA)
SCA, or software composition analysis, is a software engineering technique that identifies the components an application is built from and the relationships between them. It can be used to analyze the design of an application, identify code smells, or find out how much code is needed for a given task.
Authentication and authorization
Authentication is the process of verifying the identity of a user or device before it is granted access to a system, service, or network. It is an important part of any application and can be done in many ways, such as username and password authentication, two-factor authentication, and API authentication.
API authentication typically uses an API key to verify the identity of the caller. This type of authentication can be used for both public and private APIs.
API authorization is the process of checking the identity of the authenticated user and determining what they are permitted to access in the application. It is common practice in web applications and is done by sending an HTTP request with the appropriate header and token in it. The API then returns a response indicating whether or not the request was successful.
When is the best time to perform API security testing?
So when should you conduct API security testing? The best answer is “as early as possible.” This means testing pre-production. Like other security testing done in software development, API security testing should “shift left,” meaning it should move to the earliest possible stage in the development cycle. That’s the time when developers are most likely to be familiar with the recent code they wrote rather than the code they wrote a month or 6 months ago. This way, testers can catch and remediate security issues before they go into production.
Once an application is in production, it becomes more expensive and disruptive to fix a security problem. With CI/CD, a new vulnerability can go into production every hour, so it’s really helpful to be on top of API security testing before code reaches the end of the CI/CD pipeline. A further best practice is to follow up with post-production API security testing. Security testing at this juncture catches security flaws that arise in production, but which may be difficult to detect in pre-production, such as production configuration issues.
What API security testing helps prevent
API security testing can cover a wide range of API related risks. The Open Web Application Security Project (OWASP) has compiled a list of the 10 most serious API vulnerabilities, which provides a useful guide to what API security testing should target with the highest priority:
- API1:2019 Broken Object Level Authorization—making sure that only authorized users can access API endpoints for which they have access privileges.
- API2:2019 Broken User Authentication—preventing attackers from compromising authentication tokens or exploiting implementation flaws so they can assume other users’ identities.
- API3:2019 Excessive Data Exposure—filtering data returned by the API before it is shared with the user—with the goal of avoiding sharing data for which the user is not entitled.
- API4:2019 Lack of Resources & Rate Limiting—mitigating the risk of Denial of Service (DoS) and brute force attacks by throttling the volume and frequency of API calls.
- API5:2019 Broken Function Level Authorization—keeping administrative and regular user authorizations separate to keep attackers from gaining access to other users’ resources and/or administrative functions.
- API6:2019 Mass Assignment—not automatically binding client-provided data (e.g., JSON) to data models, with the goal of stopping privilege escalation and data tampering.
- API7:2019 Security Misconfiguration—checking API security configurations to block improper API access and abuse.
- API8:2019 Injection—stopping the API from executing unintended commands or accessing data without proper authorization.
- API9:2019 Improper Assets Management—checking API hosts and versions to avoid exposing deprecated API versions and debug endpoints to users.
- API10:2019 Insufficient Logging & Monitoring—checking logging and monitoring controls to bolster API security and enable detection of threats and attacks.
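The following is an added example, not code from the article or from Noname Security, showing how the header-and-token authorization described earlier and several items on the OWASP list translate into concrete pre-production checks. It models a tiny in-memory users API with constructed users and bearer tokens, enforces object ownership (API1) with a separate admin role (API5), projects responses to public fields only (API3), and allowlists writable fields (API6); `run_security_checks` is the test a CI/CD stage would run.

```python
# Added example, not code from the article or from Noname Security: a minimal in-memory
# API with the controls the OWASP list targets, and the pre-production tests for them.
USERS = {  # constructed sample users; password_hash must never appear in a response (API3)
    1: {"id": 1, "email": "alice@example.test", "role": "user", "password_hash": "h-a"},
    2: {"id": 2, "email": "bob@example.test", "role": "user", "password_hash": "h-b"},
    3: {"id": 3, "email": "root@example.test", "role": "admin", "password_hash": "h-c"},
}
TOKENS = {"tok-alice": 1, "tok-bob": 2, "tok-admin": 3}  # constructed bearer tokens
PUBLIC_FIELDS = ("id", "email", "role")   # response projection (API3)
WRITABLE_FIELDS = {"email"}               # the only client-settable field (API6)

def authenticate(headers):
    """Map the Authorization header to a user id, or None if it is invalid (API2)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return TOKENS.get(token) if scheme == "Bearer" else None

def get_user(headers, user_id):
    """GET /users/{id}: caller must own the object or hold the admin role (API1/API5)."""
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    if caller != user_id and USERS[caller]["role"] != "admin":
        return 403, {"error": "forbidden"}
    target = USERS.get(user_id)
    if target is None:
        return 404, {"error": "not found"}
    return 200, {k: target[k] for k in PUBLIC_FIELDS}

def patch_user(headers, user_id, body):
    """PATCH /users/{id}: ownership check plus a field allowlist (API6)."""
    caller = authenticate(headers)
    if caller is None or caller != user_id:
        return 403, {"error": "forbidden"}
    rejected = sorted(set(body) - WRITABLE_FIELDS)
    if rejected:
        return 400, {"error": "unwritable fields", "fields": rejected}
    USERS[user_id].update(body)
    return 200, {k: USERS[user_id][k] for k in PUBLIC_FIELDS}

def run_security_checks():
    """The checks a CI/CD stage would run before release; returns {check: passed}."""
    alice = {"Authorization": "Bearer tok-alice"}
    return {
        "missing_token_rejected": get_user({}, 1)[0] == 401,
        "bola_blocked": get_user(alice, 2)[0] == 403,                               # API1
        "admin_may_read_others": get_user({"Authorization": "Bearer tok-admin"}, 2)[0] == 200,
        "no_secret_in_response": "password_hash" not in get_user(alice, 1)[1],      # API3
        "mass_assignment_blocked": patch_user(alice, 1, {"role": "admin"})[0] == 400,  # API6
        "own_update_allowed": patch_user(alice, 1, {"email": "a2@example.test"})[0] == 200,
    }
```

A failing entry in the returned dictionary is the signal to block the release; the same checks can be re-run against a deployed environment for the post-production pass the article recommends.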
How to perform API security testing
Developers, security teams, and others can now avail themselves of a new generation of API security testing tools. Tools such as Noname Security Active Testing can run numerous dynamic API security tests on an application. Active Testing offers a purpose-built API security testing solution that takes into account the user’s unique business logic. It provides comprehensive coverage of API-specific vulnerabilities, including the OWASP API Top Ten security issues. The suite can help align API security tests with business objectives and team structures. These latter two factors are important in making the “shift left” approach viable, because making API security testing part of the development cycle takes people and processes.
API security testing is critical for protecting modern web applications in this era of CI/CD. It should occur as “far to the left” as possible in the development process. API testing should entail scanning for known API vulnerabilities, such as those referenced in the OWASP list, as well as other security problems. With the right testing tools, it is possible to conduct thorough API security testing early in development—detecting and remediating problems before they go into production.
P.S. – Remember that API security testing is just one piece of the API security pie. You need a holistic platform that includes API discovery, posture management, and API runtime protection capabilities before you can take your foot off the gas. However, security testing is a great step in the right direction.