In the wake of recent security breaches and outages involving major players like CrowdStrike and Disney, it's clear that our digital ecosystem is quite fragile.
Technologies like microservices, APIs, and multi-cloud infrastructures, several data centers that keep applications running smoothly and cost-effectively, also contribute to this vulnerability.
APIs play a significant role in this dynamic, linking applications while simultaneously creating potential attack vectors that can disrupt business operations. This risk is exacerbated by insufficient pre-production testing.
In 2024, the importance of pre-production API testing is widely acknowledged, with over 80% of surveyed enterprises recognizing that identifying vulnerabilities earlier in the SDLC is both cost-effective and simpler to address.
However, over 67% of these enterprises still fail to test their APIs before releasing applications. A major reason for this is the lack of specialized API security skills. As enterprises invest in security resources to bridge this gap, they must navigate the complexities of automated API security testing.
Despite what marketing narratives may imply, API security testing is a complex undertaking due to APIs' interactions with various entities, including users, applications, and backend systems.
Complexities that are often oversimplified by vendor marketing and lead to widespread misconceptions.
In this blog, we will dismantle these misconceptions so you can invest in the best possible API security tool that meets the needs of your team and APIs.
First, let’s zoom out and examine API testing to understand where security testing fits in.
After developing APIs, the initial tests conducted are typically functional tests, akin to unit tests. These involve validating API calls by providing specific inputs and verifying if the outputs match the expected results. The goal is to ensure that the API behaves correctly under standard conditions.
Next comes performance testing, where the API is subjected to high loads to assess its resilience and reliability under stress. Performance testing evaluates the API’s capacity to remain functional and maintain acceptable response times during intensive usage.
These preliminary steps are predominantly positive tests, often referred to as "happy path" tests. They involve predefined inputs and expected outcomes to confirm the API's correct functionality. However, real-world scenarios are rarely so predictable.
This is where security testing becomes essential. Unlike positive tests, security testing involves negative tests, which focus on invalid or malicious requests. The aim is to identify how well the API handles unexpected and potentially harmful inputs. These tests are crucial for assessing the API's error handling and robustness against malicious attempts.
For example, you might test the API's response to SQL injection attempts or other types of malicious payloads. The goal is to determine whether the API can effectively reject these inputs without exposing sensitive data or compromising functionality.
By conducting security testing, you simulate potential attack scenarios to identify weaknesses before malicious actors can exploit them. This proactive approach is vital in an era where reconnaissance-based attacks are increasingly common. Security testing should be a top priority during API testing to mitigate the risk of breaches.
However, only 4% of test cases currently focus on security. This percentage needs to increase significantly if enterprises want to protect themselves against the growing threat of API-induced breaches.
It's crucial to differentiate API security testing from vulnerability scanning, as they serve distinct purposes and apply to different types of applications.
Vulnerability scanning is typically used for web applications with HTML pages, where crawling or spidering is possible. These scans identify known vulnerabilities by traversing web pages and their links, providing a broad overview of security issues.
However, this approach is not feasible for APIs. Unlike web applications, APIs require specific types of inputs, and you cannot discover one API endpoint from another through crawling or spidering.
APIs demand more pointed attacks and precise security assessments tailored to the unique nature of APIs. This involves understanding the API’s endpoints, parameters, data flows, methods, and business context. Thus it relies on detailed documentation, specifications, and complete visibility into the API landscape.
API Security Testing is essential for uncovering hidden vulnerabilities and ensuring comprehensive protection against potential threats. This includes business logic testing, where the API’s operations are scrutinized for exploitable interactions that could allow attackers to manipulate sequences of API calls to bypass authentication or manipulate data
Think of a vulnerability scan as patrolling a fortress's walls for obvious breaches. In contrast, API security testing is like sending experts to find hidden tunnels, structural weak points, and ways to bypass defenses.
Vulnerability scans also rely on databases of known issues, and potentially missing novel or unique vulnerabilities. In contrast, API security testing, especially when manual or using advanced tools, can uncover these unknown threats by mimicking potential attackers.
In essence, vulnerability scans are a crucial starting point, but API security testing goes further, so do not skip testing.
We’ve seen many security vendors in the space basing the superiority of their testing tools on the fact that security testing is their only offering, unlike API security platforms that provide discovery and documentation in addition to security testing.
But instead of adding competence, a lack of discovery and discovery modules does the exact opposite. Because if you don't know what you're testing, how can you test it effectively?
Instead of instrumenting the APIs themselves, they often rely on customers to provide them with documentation and inventory. This is a difficult ask since over 75% of surveyed enterprises did not have a complete inventory and 65% of them did not have complete high-quality documentation.
Such a big gap sets up Security Testing to fail since test case generation needs API's specification or documentation, including detailed information about the available:
1. Endpoints
a. associated applications
b. authentication statuses
c. data flows
2. Parameters
3. Dataflows
4. Methods
5. A list of common use cases to capture in your test logic
6. Business and application context of each API
We have also noticed that some vendors claim to offer documentation and discovery but do not provide complete visibility. These vendors capture traffic at the application level through Gateways, which means they can only detect external APIs being accessed by users.
To effectively identify all types of APIs - internal, external, partner, third party, and open source - instrumenting only the API Gateways or load balancers isn’t enough. You need to instrument north-south and east-west traffic.
Endpoints neglected first during discovery and subsequently during testing leave numerous potential vulnerabilities undiscovered and even make these endpoints critical points of failure. As each untested endpoint represents an undetected risk, potentially leading to security breaches that could compromise the entire application ecosystem.
For instance, consider an attacker exploiting a third-party API integrated into a financial application. If this third-party API is not properly discovered and documented, it may have vulnerabilities such as improper input validation. An attacker could exploit this by sending specially crafted requests to the API, injecting SQL commands that manipulate the backend database. This can lead to unauthorized data access, data corruption, or even full system compromise with lateral movements.
The few test cases for discovered endpoints too are developed without taking into account any signals such as the location and functionality of the API, data flow, and authentication scheme. As a result, these inadequately tested endpoints can be and will be exploited by attackers to gain unauthorized access, manipulate data, or escalate privileges within the system.
Thus this lack of visibility leads to not just incomplete but also poor quality testing, while also complicating incident response and remediation efforts, as security teams struggle to trace and mitigate the exploit path within interconnected APIs.
Attacks on internal APIs are rampant and rising, yet the focus often leans heavily towards external APIs due to the misconception that internal APIs are safer since they are not accessible through the internet.
However, internal APIs are equally critical and require rigorous testing since they handle sensitive data and critical business logic. Moreover, one security misconfiguration is all it takes for internal apps to become external in today’s cloud world. An internal breach can be just as devastating as an external one, as seen in the Optus breach last year.
Testing internal APIs presents unique challenges. Unlike external APIs, internal APIs often operate behind layers of security, such as firewalls and internal networks, making them less visible. This obscurity can lead to a false sense of security, causing organizations to overlook potential vulnerabilities.
Comprehensive testing must include internal APIs to uncover hidden risks and ensure the overall security of the infrastructure.
Ideally, vendors should leverage both cloud-based and on-premises testing solutions, so they can provide a thorough evaluation of internal APIs.