Explore StackHawk
Watch a Demo
Getting Started
StackHawk API
Integrations
Authentication
Maturity Model
Blog
API Security Testing: Types, Best Practices & Tools
As APIs have grown in use and abundance, so has the number of attacks and breaches that stem from said APIs. The OWASP API Security Project and the OWASP API Security Top 10 have helped highlight the types of vulnerabilities that developers should be aware of and defend against.
APIs are not only the backbone of modern application architecture, but they are also vital for maintaining security. Typically, a company’s most valuable and sensitive data all lives behind an API. Delivering secure applications relies on ensuring that the backing APIs do not have any security vulnerabilities.
Delivering secure APIs, however, is easier said than done. APIs sit at the intersection of teams and typically see rapid iteration as software is built and improved. Ensuring API security raises questions such as:
- Which team is responsible for maintaining API security?
- How can we ensure that updates to our APIs do not introduce new vulnerabilities?
- Does our team have API security testing?
Modern software development teams are solving this problem by automating developer-centric API security testing in CI/CD. The rest of this post provides more information on what API security testing is, how it works, and what to look for when selecting a vendor. Read on to learn more.
Introduction to API Security
API security refers to the practices and protocols designed to protect Application Programming Interfaces (APIs) from various security threats and vulnerabilities. With APIs becoming one of the most critical technologies within modern applications, they are a prime target for malicious actors seeking to exploit vulnerabilities and gain unauthorized access to sensitive data. This means that ensuring your approach to API security is comprehensive, including facets such as regular security testing, implementing strong authentication and authorization mechanisms, and continuously monitoring for potential security risks. By prioritizing API security, organizations can make sure that the APIs within their portfolio are reliable and secure.
Understanding API Security Risks
So, what risks exist out there? APIs are exposed to a wide range of security risks, including injection attacks, cross-site scripting (XSS), cross-site request forgery (CSRF), and unauthorized access to sensitive data. These risks can be exacerbated by poor authentication and authorization controls, inadequate input validation, and insufficient security testing. Vulnerabilities within insecure APIs can quickly escalate and cause significant disruptions, depending on how they are exploited by attackers. Gaining access to sensitive business flows and data is only one of the angles that attackers may exploit. Another angle is when APIs are vulnerable to denial-of-service (DoS) attacks, which can disrupt service and impact user experience.
Understanding these risks is essential for developing effective API security strategies and implementing holistic security measures to protect against these potential threats. By identifying and addressing these vulnerabilities, organizations can significantly reduce the likelihood of security breaches and ensure the safe operation of their APIs. But how do you comprehensively identify such issues? This is where API security testing comes in to help!
What is API Security Testing?
API security testing work involves checking for vulnerabilities in your APIs, ultimately surfacing any potential security gaps for the engineering team to fix. Historically, this was done through penetration testing or manual scanning of the APIs by an enterprise security team. Currently, however, teams are shifting to running API security tests as part of the DevOps pipeline, ensuring that security issues are caught early in the development lifecycle.
What makes API security testing important is that it is key to identifying vulnerabilities that attackers could exploit proactively. The types of API security testing that could be performed to identify said vulnerabilities are vast. Some are more manual, like API penetration testing, while others are more automated. When uncovering a potential API vulnerability, specific methods may be more applicable than others. For instance, if there are API security issues that only occur at runtime, you will need an API security testing tool that can assess the running application, such as a dynamic application security testing (DAST) tool. Other vulnerabilities may be identified statically by running a static vulnerability scanner within the code base, such as a static application security testing (SAST) tool. With this in mind, let’s look further at the types of API security testing tools out there.
How API Security Testing Works
As we will cover in the next section in more detail, various forms of API security testing exist. That being said, the basic premise of API security testing is to either actively attempt to exploit a vulnerability in the running application or to identify potential vulnerabilities by scanning source code for known vulnerability patterns.
When it comes to deploying the tests, some developers will run tests locally as they develop features. After running the tests, the subsequent reports can be acted upon, and defects can be fixed before the code is even submitted to source control. Additionally, some tools can also be run within CI/CD, so when a build is triggered or code is pushed into a pull request, it can be tested or scanned. This is part of the shift-left movement where testing (and other generally late-stage processes) are moved earlier into the development cycle.
In general, API security testing involves the process of detecting potential vulnerabilities, triaging them by severity, fixing the issues, and retesting to ensure resolution. Next, let’s examine the various types of testing that can be incorporated into these cycles.
Types of API Security Tests
There are several types of API security tests, each designed to identify different kinds of vulnerabilities. Static analysis security testing (SAST) involves analyzing the source code to detect potential security issues before the code is executed. Dynamic Application Security Testing (DAST) simulates real-world attacks by sending requests to the API and analyzing the responses to identify vulnerabilities. Software composition analysis (SCA) examines the dependencies and components used in API development to identify known security risks. Additionally, penetration testing involves simulating attacks to find weaknesses, while fuzz testing sends random data to the API to identify unexpected behavior. Parameter tampering tests the API’s ability to handle manipulated input data. By employing a combination of these tests, organizations can comprehensively assess and enhance their API security.
Dynamic API Security Tests
While some static analysis security testing (SAST) and software composition analysis (SCA) tools have coverage for APIs, the best form of API security testing is running active (dynamic) tests against your API endpoints. This active testing is technically a form of dynamic application security testing (DAST), but be cautious of legacy DAST tools that are not explicitly designed for APIs.
Dynamic API security testing is crucial for protecting active API assets, as it simulates real-world attacks to identify vulnerabilities. When you run a dynamic API security test, you simulate an actual API-based attack and surface vulnerabilities introduced by both open-source dependencies and the code your team has written. Of course, if you’re looking to build the most robust form of API security testing, combining dynamic testing with SAST and SCA would be ideal. However, if you’re looking for the best first step to secure your APIs, dynamic testing is the way to go.
Static API Security Tests
Static analysis security testing tools look at the source code of the application to identify potential API vulnerabilities. This form of testing identifies potential security concerns by examining patterns in the code. These tools are language-dependent, meaning you must use a static tool that matches the language in which your API is written. Another aspect to be aware of is that just because a pattern is matched, it doesn’t mean it can be exploited in the running code, which can lead to a higher number of false positives. This is why it’s best to combine it with DAST testing as well to show that the vulnerability can be exploited and its location/cause within the code.
Software Composition Analysis
Software Composition Analysis (SCA) tools look at the dependency tree of your application and match this against a database of known vulnerabilities in software components in your project. Using these tools, you would be alerted if your application or API uses a library or framework with a known vulnerability. With the ever-increasing use of open source in API development, these tools are essential to include in security testing. The limitations of SCA tools are that (1) they generally do not surface if the vulnerability is exploitable within your API, and (2) they only capture open-source vulnerabilities, not security bugs your team may have introduced.
What to Look for in API Security Testing Vendors
When evaluating tools to run security tests against your APIs, numerous options are available. It can be challenging to understand what tools are most effective for your particular team and use case. When evaluating API security testing vendors, it is crucial to ensure that they offer the necessary security controls to protect your APIs. Below are some criteria that you can use to evaluate API security testing vendors:
Deployment Method: Does it run in a CI/CD pipeline?
One of the most essential aspects of API security testing is where the automated tests will be run. This determines how closely the testing aligns with the development process. There are several ways to deploy API security tests. Still, typically, the preferred method is a tool that can automate testing in CI/CD and run locally for testing and debugging. This allows a developer to be alerted quickly (on commit or PR) if they have introduced a new vulnerability, and to remediate it promptly while still within the context of the code they are working on.
Other deployment methods include external scans of production environments or agents that run in staging environments. While these may be satisfactory for some organizations, most companies today see the value of testing in CI/CD.
Configuration: Explicit API Routes vs. Crawling for Discovery
Next, it is essential to understand how the tool finds the API routes for testing. Legacy tooling on the market relies on an HTML spider of the application to surface API routes. While this approach may sometimes work, it often results in missed API routes and is not ideal for use with single-page applications.
Other legacy tools attempt to find API routes by proxying production traffic or relying on functional tests written in QA. For example, WhiteHat’s new API testing tool, Intelligence Directed DAST, only runs security tests on the API routes that have custom tests built in Postman.
Modern tooling is configured directly for API scanning, leveraging technologies such as OpenAPI Specification or a GraphQL introspection endpoint to ensure adherence to published API specifications. This gives the security tool the information it needs to test the API for security vulnerabilities thoroughly.
API Types Supported: REST, GraphQL, gRPC, and SOAP
Across an organization, tools can expect to encounter different API calls backing applications that run on various technologies, new and old. It is not uncommon to have a company where its API landscape combines REST APIs, GraphQL, gRPC, and SOAP APIs.
When selecting a tool, it is crucial to ensure that it supports the types of APIs you currently use internally, as well as those you may use in the future.
Performance: Data-Driven Nodes
When running API security tests, especially in CI/CD environments, performance is critical, making efficient API security testing crucial. Security testing of APIs should add seconds or minutes to the build pipeline, not hours like many traditional tools.
One key functionality for performance is testing the underlying API route vs. every iteration of this route. This functionality is known as Data Driven Nodes. For example, if an online clothing retailer has an API path such as /pants/{pantsBrand}/list. Many traditional tools will iterate through testing of every variation of {pantsBrand}, which adds significant inefficient time to scans. Modern tools should understand Data Driven Nodes and only test the underlying route.
Scan Quality: Technology-Specific Scanning
Many tools in the API and application security space run the same security scans, regardless of the API being tested. This approach is not always the most effective. Be sure to select a vendor or tool that has technology-specific scanning, including the ability to customize scans. For example, REST and GraphQL APIs should only receive JSON-based requests, and SOAP APIs should receive XML-based requests.
Technology-specific scanning yields several benefits for teams conducting API security tests. When a testing tool is sending the right kind of API requests to an API, scans are both fast and accurate.
Accuracy: Minimize False Positives
When it comes to security tests, accuracy is essential. False positives create unnecessary work for engineering and security teams, ultimately eroding trust in security testing. Many companies have started down a path of security testing, only to abandon the tool due to a poor signal-to-noise ratio resulting from numerous false positives.
When selecting a vendor, it is essential to ensure that your security testing vendor is built for modern application architecture and API security testing. This often appears as automatic recognition of whether the tool is testing an API or an HTML application, and applying the correct tests for each path. Without this differentiation, being too generic means that false positives are likely to be more abundant, leading the team to spend more time triaging and cutting through the noise.
Custom Testing: Find Business Logic Vulnerabilities
Some vulnerabilities cannot be detected or tested using automated tools. Custom business logic or certain application-specific features will require custom security testing. Custom business logic or certain application-specific features will require manual testing to identify vulnerabilities. The ideal API security testing vendor will enable this sort of testing and tie the results in with the out-of-the-box testing.
Developer Experience: Developer-First API Security
With automated API security testing in CI/CD, developers are inherently brought into the security process to perform security testing. Application security has shifted left, meaning that scheduled scans of production environments are no longer sufficient. Today’s engineering teams run security tests in CI/CD, alerting the developer who is working on the code if they have introduced a new vulnerability.
When selecting a vendor, ensure you choose a developer-first security tool that is easy for developers to use and integrate with their existing flow. For API security testing, this includes features such as cURL command generation to recreate findings, simple CI/CD automation, config as code, the ability to run tests locally, and integrations with the existing engineering workflow.
API-First Application Security
Since virtually every application is built on top of APIs, ensuring that APIs are secure is the only way to deliver secure applications confidently. While application security is critically important for any business today, many application security tools on the market were built for a previous era of software development. By combining the latest application security testing tools with other cutting-edge API technologies, such as an API gateway or API management tool (which can make easy work of adding authorization and authentication mechanisms), you can guarantee a much higher level of security within your APIs.
Another critical point is that API-first development requires API-first application security testing. Since the API-first approach involves building APIs first and then integrating them with other parts of the application, it requires tools that can test APIs as they are being developed. Two effective methods for achieving this, as mentioned earlier in the article, are to utilize DAST and SAST to scan and test the APIs, ensuring they are ready for integration.
In this guide, we examined several evaluation criteria for selecting API security tools. Here at StackHawk, we’ve built the best-in-class tool for API security testing, offering a best-in-class experience for implementing a DAST solution and covering the OWASP API Security Top 10. To get started with StackHawk, you can test it for free by signing up for an account or scheduling a time to chat with our team of API security experts if you’d like to learn more.