Imagine that the world around you is connected together by a network of data and software. Your location, your financial information, your family photos, your musingsare all floating out there up in the cloud. Now imagine that the pipes connecting all of your personal data are leaking and you have no way to patch them because it’s not your house and you’re not a plumber.
Unsafe is the state of the internet and web APIs right now. There is nothing inherently secure about any of the infrastructure built around the modern web, only what is purposefully and consciously designed. The old colors of browser security and plain text credentials are still dominating the modern internet and cloud-to-cloud infrastructure. Even modernization of these paradigms in updates like SSL 3 and OAuth fail to make us safer, introducing new untested exploits of their own into the mix.
Why is there such failure in security? The thinking that technology choices alone will protect data is proven wrong every time there is a major security breach. People are ultimately responsible for security and control the technology that implements our best and most thought through practices. Teams that are conscious of good security patterns will produce far safer systems that minimize risk and vulnerability. Human responsibility is the only solution to the turbulent forefront of digital safety.
Teams are not all the same, sometimes made up of all developers or all testers, and some a mix of developers, designers, testers, and operations people. Today however, a majority of these teams lack dedicated security personnel, and those that are fortunate to have such compliancy officers often don’t have enough time to do thorough security testing against their APIs. “Design, build, ship” is the modern agile motto; but where is the testing and security approval in this attitude?
Security testing is often complicated and time consuming without the right tools and context. The last thing you want to add to your three week sprints is an additional compliancy check if it takes longer than a day to run. And who is going to run it, for those who don’t have a security expert on hand?
Ready! API by SmartBear provides a platform of tools to test the security, performance, and function of your APIs from the early design phase all the way through to the final QC approval before release. Secure Pro is a powerful new API-specific security testing tool that empowers all members of your existing teams to quickly assess potential vulnerabilities in your APIs during the development, testing, and deployment phases of the delivery lifecycle.
Secure Pro includes security checks against REST and SOAP services like boundary, cross-site scripting, SQL and XPath injection, and fuzzing scans. With increasing adoption of RESTful patterns, Secure Pro also includes REST-specific scans like HTTP method fuzzing. The process of creating security tests and reviewing results has been designed with a non-security experts in mind, so that developers and testers can ensure the highest quality and safety in their APIs with the skills they already have.
Also included in Secure are important security considerations around API test data management. The new Weak Authentication scan check your data for credentials that do not meet minimum conformance guidelines, ensuring that your testing process matches expectations over production credentials.
Sensitive File Exposure is also a new way to check for the “dirty fingerprints” of poor security practices on the servers that host your APIs. You can scan for open directories, commonly used files that should not be visible to external clients, or provide your own custom patterns. This makes sure that the systems you deploy code to are truly worthy of your API.
Finally, if your requirements go beyond the out-of-box security tests, you can build your own with a small bit of Groovy script. This helps with custom authentication scenarios and with zero-day exploits, where you may need to do something no one has thought of before, but still all in line with your standard API security scans to make a comprehensive and unified strategy for testing your APIs security.
Deep and affordable API security testing is now available to everyone; developers, testers, security specialists, small and large organizations can now build security back in to their continuous delivery process to deliver accurate, fast, and safe APIs on time with Secure Pro, part of the Ready! API family of tools.