Application programming interfaces (APIs) are an essential part of most modern programs and applications. Cloud deployments and mobile apps rely on them so heavily that almost none of them works without an API handling some component somewhere along the line. Many large businesses, especially those with a strong online presence, have hundreds or even thousands of APIs built into their infrastructure, and that number will only keep growing.
The neat thing about APIs is that many of them are just tiny snippets of code, and all of them are designed to be small and light on network resources. Yet they are also flexible enough to keep performing their primary functions even when the program they interface with or control changes, such as when patches are applied.
As useful as APIs are, they also have their flaws. Because they can be designed to do almost anything, from simple functions repeated over and over to intelligent control of advanced features of various programs or platforms, almost no standard governs their creation. Most APIs are unique, and many organizations simply write new ones as needed. For security teams, that can be a nightmare.
Another reason APIs appeal to attackers is that many are over-authorized. Even APIs that perform only a few functions often run with privileges close to administrator, on the assumption that such a small API could not do much harm. Attackers who compromise an API then reuse its credentials for new purposes, such as data exfiltration or deeper penetration into the network. Almost 75% of modern identity attacks targeted vulnerable APIs, according to a security study conducted by Akamai.
The problem is getting worse. According to Gartner, by 2022 API vulnerabilities will be the most frequently attacked vector across all cybersecurity categories.
API testing tools to the rescue
Having a critical network and program component in the sights of attackers is bad enough, but with APIs it is even more precarious due to the lack of standards involved in their creation. Many organizations probably don’t know how many APIs they are using, what tasks they are performing, or what level of permissions they have. Then there is the question of whether these APIs contain vulnerabilities.
Industry and private groups have developed API testing tools and platforms to help answer these questions. Some testing tools perform a single function, such as mapping the reasons why specific Docker APIs are misconfigured. Others take a more holistic, network-wide approach: discovering APIs, then reporting what they are doing and why they might be vulnerable or over-authorized.
Several well-known commercial API testing platforms are available, as well as a wide range of free or low-cost open source tools. Commercial tools typically have more support options and can be deployed remotely through the cloud or even as a service. Some open source tools can be just as good and have the support of the user community that created them. Which one you choose depends on your needs, the security expertise of your IT teams, and your budget.
Below are some of the best commercial API testing tools on the market and their main features, followed by some open source tools.
Commercial API testing tools and platforms
The APIsec platform acts as a penetration-testing tool for APIs. While many tools can scan for vulnerabilities common to typical attacks such as script injection, APIsec tests every aspect of the targeted APIs to ensure that everything from the core network to the endpoints that access them is protected against vulnerabilities in the API code.
A great advantage of APIsec is that it can be deployed in the development phase, while the APIs are still being written. A full scan of the apps being built takes just minutes, with results comparable to old-school penetration tests that took days or weeks.
AppKnox offers a lot of support for those who buy and deploy its platform. Combined with its easy-to-use interface, this makes AppKnox a good choice for organizations that don't have large security teams dedicated to their APIs. AppKnox begins with a scan to locate APIs, whether in the production environment, on endpoints, or wherever else they are deployed. Once they are located, users select which APIs to submit for further testing.
AppKnox tests for all the common issues that can cause an API to break or be compromised, such as command injection via HTTP requests, cross-site tracing, and SQL injection. This includes a full scan of the web servers, databases, and other server components that interact with the API.
After the API analysis, users can submit their results for advanced analysis with a human security researcher, a process that the company says normally takes three to five days.
Data Theorem API Secure
The Data Theorem API Secure platform is designed to fit into any continuous integration and continuous delivery/deployment (CI/CD) environment and to provide continuous security for APIs at every stage of development and in production. Its analytics engine constantly searches the network for new APIs and can quickly identify unauthorized ones, including those that are part of an organization's shadow IT.
The scan engine keeps abreast of the most recently discovered API vulnerabilities and continually tests protected assets. It works in both on-premises and cloud environments, so that no API falls victim to the latest threats. To keep the CI/CD pipeline clear and flowing, Data Theorem API Secure offers to resolve discovered issues automatically, without human intervention. That protects APIs against the latest threats quickly, as long as the company is comfortable with a high level of automation.
While Postman certainly qualifies as a testing tool for APIs, its reputation is that of a comprehensive, collaborative platform for building secure APIs. It's used by millions of developers working in Windows, Linux, and macOS environments, and for good reason.
Postman provides developers with a comprehensive set of API tools to use when designing new APIs, and it also provides a secure repository for code that organizations can create over time. Using the secure repository can ensure that future APIs maintain strict security and organizational standards from the start.
The workspaces provided by Postman help developers organize their work. Postman can also raise security warnings when an API's code begins to deviate from the organization's established secure model or incorporates a potential vulnerability, so the problem can be fixed long before the API reaches production.
In addition to security testing, the SmartBear ReadyAPI platform is designed to optimize API use and performance in any environment. It can run an API security scan with one click, but it also supports other critical functions, such as seeing how well an API handles unexpected load or a sudden spike in usage.
You can configure ReadyAPI to generate the specific types of traffic the API is intended to handle. It can also record live API traffic so that future tests are more accurate and tuned to the unique environment in which the API will operate. Additionally, the platform can import almost any specification or schema to test APIs that use the most common protocols. ReadyAPI integrates natively with Git, Docker, Jenkins, Azure DevOps, TeamCity and more, and can run in any environment, from development to QA, long before APIs go live.
Synopsys API Scanner
One reason the Synopsys API Scanner is so powerful is that, in addition to security testing, it incorporates fuzzing in its analysis and testing suite. The fuzzing engine sends thousands of unexpected, invalid, or random inputs to APIs to see how they behave, and whether they break, when subjected to things like very large numbers or odd commands.
It also traces all the paths and logic of an entire API, including every endpoint, setting, authentication mechanism, and specification that applies to its use. This gives developers a clear picture of what they intended their APIs to do versus what they might actually be doing, and it indicates clearly why an API can be prone to unexpected behavior or security vulnerabilities.
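The check a fuzzing engine like the one described above performs can be reproduced on a small scale. The following is an added example, not code from Synopsys or from any product on this page. It fuzzes a constructed, hypothetical order endpoint (a plain Python function standing in for a POST handler) with boundary integers, type confusion, odd strings and malformed bodies, and records three kinds of findings: uncaught exceptions (which a live API would surface as 500s), explicit 5xx statuses, and violations of a business invariant (a 200 response that accepts a negative total). The endpoint's two weaknesses are deliberate and constructed for the demonstration; everything in it, including the unit price and the legacy record format, is an assumption.

```python
import json
import random
import struct
from dataclasses import dataclass

UNIT_PRICE_CENTS = 1999  # constructed value for the demo


def orders_endpoint(raw_body: bytes) -> tuple[int, dict]:
    """Constructed stand-in for a POST /orders handler (hypothetical, not a real API).

    It carries two deliberate weaknesses for the fuzzer to surface:
      * qty is packed into a signed 32-bit field without a range check, so
        struct.error escapes for qty outside [-2**31, 2**31 - 1]; a live server
        would turn that into a 500;
      * a negative qty is accepted, producing a negative total (a logic flaw).
    """
    try:
        data = json.loads(raw_body)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        return 400, {"error": "malformed json"}
    if not isinstance(data, dict):
        return 400, {"error": "object expected"}
    sku, qty = data.get("sku"), data.get("qty")
    if not isinstance(sku, str) or not isinstance(qty, int) or isinstance(qty, bool):
        return 400, {"error": "sku must be a string and qty an integer"}
    legacy_msg = struct.pack(">i", qty) + sku.encode("utf-8")  # fixed-width legacy record
    return 200, {"sku": sku, "qty": qty,
                 "total_cents": qty * UNIT_PRICE_CENTS, "legacy_len": len(legacy_msg)}


@dataclass
class Finding:
    kind: str      # "crash" | "server_error" | "invariant"
    payload: bytes
    detail: str


# Constructed corpus: boundary integers, type confusion, odd strings, malformed bodies.
BOUNDARY_INTS = [0, 1, -1, 2**31 - 1, 2**31, -2**31, -2**31 - 1, 2**63, 2**64, 10**30]
TYPE_CONFUSION = [None, True, 1.5, "1", "1e3", [], {}]
ODD_STRINGS = ["", "A" * 10_000, "\x00", "%s%n%x", "'; DROP TABLE orders;--",
               "../../etc/passwd", "{{7*7}}", "ü🔥"]
MALFORMED = [b"", b"null", b"[]", b"{", b'{"sku": "A", "qty": 1', b'{"sku": "A"}',
             b"\xff\xfe\xfd"]


def generate_cases(seed: int = 1, random_count: int = 200) -> list[bytes]:
    """Deterministic corpus: seeded so any failing payload can be replayed."""
    rng = random.Random(seed)
    cases = [json.dumps({"sku": "ABC-1", "qty": q}).encode()
             for q in BOUNDARY_INTS + TYPE_CONFUSION]
    cases += [json.dumps({"sku": s, "qty": 1}).encode()
              for s in ODD_STRINGS + TYPE_CONFUSION]
    cases += MALFORMED
    for _ in range(random_count):
        qty = rng.choice([rng.randint(-1000, 1000), rng.randint(-2**70, 2**70)])
        cases.append(json.dumps({"sku": rng.choice(ODD_STRINGS + ["SKU"]),
                                 "qty": qty}).encode())
    return cases


def fuzz(endpoint, cases: list[bytes]) -> list[Finding]:
    """Drive the endpoint with every case and classify what comes back."""
    findings: list[Finding] = []
    for body in cases:
        try:
            status, resp = endpoint(body)
        except Exception as exc:  # an uncaught exception is what a live API reports as a 500
            findings.append(Finding("crash", body, f"{type(exc).__name__}: {exc}"))
            continue
        if status >= 500:
            findings.append(Finding("server_error", body, f"status {status}"))
        elif status == 200 and resp.get("total_cents", 0) < 0:
            # property check: the contract never allows a negative order total
            findings.append(Finding("invariant", body, "accepted an order with a negative total"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = fuzz(orders_endpoint, generate_cases())
    print(summarize(results))
    for f in results[:5]:
        print(f.kind, f.payload[:60], f.detail)
```

Running the script prints a count per finding kind and the first few offending payloads. Against a real API, `endpoint` would be a function that sends the body over HTTP and returns the status and decoded JSON, and the invariant check would be replaced by whatever property the API's contract guarantees; the classification logic stays the same.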
Open source API testing tools
While open source tools typically don't come with the same support as commercial offerings, experienced developers can easily deploy them, often for free, to bolster or improve the security of their APIs. Here are some of the most popular offerings according to the open source community.
Astra's primary focus is on Representational State Transfer (REST) APIs, which can be especially hard to secure because they change so frequently. Because the REST architectural style emphasizes scalability in the interactions between components, keeping REST APIs secure over time is difficult. Astra helps by integrating into the CI/CD pipeline and verifying that the most common vulnerabilities do not creep into a supposedly safe REST API.
The crAPI tool has an unfortunate name (it stands for Completely Ridiculous API), but it is a useful one: it is an OWASP project that provides a deliberately vulnerable API application. Teams deploy it locally as a practice target, learning to find the classes of flaws in the OWASP API Security Top 10 before applying the same techniques and scanners to their own APIs.
Apache JMeter, which unsurprisingly is written in Java, started out as a load tester for web applications, but has recently expanded to be used with almost any application, program, or API. Its detailed suite can test performance on static or dynamic resources. It can generate a heavy simulated load of realistic traffic so developers can experience how their API will perform under pressure.
Taurus provides an easy way to turn stand-alone API testing tools into a continuous testing operation. On the surface, Taurus is simple: you install it, create a configuration file, and let your testing tools do their job. Dig a little under the hood and you find ways to generate interactive reports, build more complex scenarios to push through your APIs, and set failure criteria so that you can act immediately on any issue you discover.
Copyright © 2021 IDG Communications, Inc.