Automating API Security Testing: Look for these to ensure rigorous testing

August 13, 2024

Automating API Security Testing: Look for these to ensure rigorous testing

API sprawl complicates attack deflection in global enterprises due to numerous false negatives from black box tools. Even detected attacks in production incur costly, ineffective remediation.

To address this, enterprises aim to shift left with pre-production API security testing, yet 55% find it their biggest challenge. 

The vast number of APIs, with 52% of enterprises using 500 to 2500+, makes comprehensive testing difficult.

Automation can be employed to for the high number of endpoints, but it should not come at the cost of testing quality.  As high-quality testing needs a lot more to be automated than just payloads. 

Adding to our series on API  Security Testing, this blog will cover 4 core factors that underpin testing quality so you achieve the highest possible ROI on your API Security investment. 

API Visibility: Comprehensive Discovery & Documentation

We cannot emphasize enough on how important API visibility is for the success of your API Security Testing efforts. 

Without a complete and accurate API Inventory, your testing efforts are like navigating in the dark. As you can only test APIs that you are aware of. Not undertaking a complete discovery will leave you vulnerable through undiscovered and as a result untested APIs. 

A comprehensive discovery ensures that all APIs are tested, but more is needed to ensure they are tested thoroughly. Here’s where API Documentation comes in handy. 

Think of API documentation as the blueprint for understanding and interacting with your APIs. Complete and accurate documentation allows security teams to conduct thorough testing by simulating real-world scenarios. 

If an API’s documentation is incomplete, any attempt at automation or comprehensive testing is inherently flawed, as the necessary parameters needed to send API payloads like query and path parameters are unknown.

Many vendors offer standalone testing tools but place the onus on the customer to provide the API inventory and documentation. This is problematic, given that over 65% of enterprises lack comprehensive, up-to-date inventories or documentation for all their endpoints. 

This deficiency severely hampers the effectiveness of security initiatives, as untested APIs often become entry points for attackers.

When evaluating security vendors for this criteria, it's crucial to ask them these questions: 

  1. Does the tool automatically generate and maintain up-to-date documentation for all APIs, including internal, partner, third-party, and open-source?
  2. How is it instrumenting the APIs? If it is through Gateways and Load Balancers then the instrumentation process is bound to miss most non-external APIs. 
  3. How do they ensure that newer APIs (present in integrations) are continuously discovered and documented? 

Authentication Automation

Authentication serves as the gatekeeper for API access, ensuring that only verified entities interact with your services. However, APIs with different authentication schemes introduce significant complexities for testing automation.

Within a single application, there can be various authentication schemes, including:

  1. Basic authentication
  2. API keys
  3. OAuth 2.0/OpenID Connect
  4. JSON Web Tokens (JWT)
  5. mTLS
  6. HMAC

Automating API authentication involves configuring your testing tools to handle various authentication methods seamlessly:

  1. Credential Management: Securely storing and retrieving credentials like API keys, passwords, and certificates during tests.
  2. Token Handling: Automatically managing OAuth tokens, JWTs, or session tokens, including generation, renewal, and injection into requests.
  3. Session Management: Maintaining state across API calls, especially for protocols like OAuth that involve token expiration and renewal.
  4. Header and Parameter Configuration: Dynamically setting HTTP headers or URL parameters to match the authentication scheme, such as embedding API keys or Bearer tokens.
  5. Protocol Compliance: Ensuring adherence to specific security protocols like SSL/TLS for mTLS, correct signing algorithms for JWTs, and proper scope management in OAuth.

Crucially, before you can even begin to automate authentication, you need to identify which authentication scheme each endpoint employs. This information is often buried within the API documentation and inventory—if it exists and is accurate.

Without knowing the endpoint's authentication scheme, you’re essentially flying blind and unable to configure the authentication flows correctly for your automated tests.

This hampers your ability to validate security postures effectively and increases the risk of overlooking critical vulnerabilities. For example, OAuth 2.0’s token expiration handling differs significantly from API keys, where the latter remains static and the former requires dynamic management.

Failure to automate these authentication workflows precisely can lead to misleading test results. An API request might fail not due to a security vulnerability but simply because the authentication process wasn’t correctly automated. Such false negatives can obscure genuine security gaps and degrade the overall quality of your testing efforts.

When assessing security vendors, it's crucial to probe their ability to automate these varied authentication methods.

Key questions include:

  1. Can they dynamically handle token generation, renewal, and expiration across different authentication schemes?
  2. How do they identify the authentication mechanisms and ensure testing continuity as these protocols evolve?

User Context:

In API security testing, leveraging user context is critical if you want to test for real-world consumption patterns and not assumptions. 

However, without access to accurate user data, vendors can avoid soliciting specific data from each customer or relying on arbitrary values for test payloads. Both of which inevitably lead to a compromise in testing quality.

For example, when an API requires an account number to fetch a bank balance, having user-specific data ensures that the API calls are accurately emulated. This contextual understanding eliminates the need for vendors to manually collect user data or use generic placeholders, which can lead to incomplete or skewed test results.

The absence of accurate, context-specific payloads means that tests may not effectively simulate real user interactions, potentially overlooking vulnerabilities like unauthorized data access or privilege escalation. 

When assessing a security vendor, it is essential to determine whether their solution includes robust mechanisms for retrieving and utilizing user context in testing. 

  1. Can the tool automatically map API calls to specific user profiles and generate relevant payloads?
  2. Does it avoid relying on arbitrary values or requiring customers to provide user data manually?

Security Coverage: 

Established frameworks like the OWASP API Top 10, and MITRE and SANS provide foundational coverage, so ensure they are covered. 

But they should also be supplemented with new test cases to account for emerging threats. Cyber attackers are constantly finding new ways to exploit APIs, and security vendors can’t afford to just play catch-up. 

Instead, vendors should be leading the charge by innovating and continuously researching to stay ahead of emerging attack vectors. 

It’s not enough to rely on established frameworks; testing solutions need to evolve rapidly to address new threats as they arise.

This ensures that the solution can identify and address newly discovered vulnerabilities, maintaining robust protection against the latest threats. 

When assessing a security vendor, prioritize those who actively innovate and update their frameworks to stay aligned with the dynamic nature of cyber threats

Automate API Security Testing with Levo.ai:

  1. we at Levo have incorporated robust discovery and documentation capabilities into our platform. Capabilities that allow us to discover endpoints across all API types, frameworks, and languages without changing code or configuration!
  1. These endpoints can then be automatically documented through runtime traffic, logs, and code and made accessible via a centralized API portal that’s automatically kept up-to-date for you.
  1. Irrespective of what kind of authentication your APIs are using and however short the validity of your tokens is, we have automation to manage them all. 
  1. At Levo, we automatically derive accurate user context by mapping every API interaction to individual users. Thus we create precise payloads that reflect real-world scenarios without needing your team to manually configure them. 
  1. We conduct rigorous tests to minimize the risk of enumeration attacks like injection flaws, SQL injections, NoSQL injections, and other exploitable misconfigurations. 
  1. In addition to industry standards like OWASP API Top 10, and MITRE  we place a special emphasis on testing AuthN & AuthZ misconfigurations like horizontal authorization bypass, vertical authorization bypass, and even object-level permissions. 
elliptical light

Flexibility for the Modern Enterprise

  • Runtime Agnostic
  • Cloud Agnostic
  • Programming Language Agnostic

Subscribe for experts insights on application security.

Oops! Something went wrong while submitting the form.