Defining the Stakes
The stakes are quite high when it comes to APIs. Performing functional tests isn’t enough to find vulnerabilities—you must perform tests that actually simulate the kinds of attacks that an outsider might try. This means thinking like a hacker.
Most people don’t have the time or expertise to think of all the ways that an attacker might try to breach their application boundaries. In fact, it’s really tough to think like a hacker unless you really are one. Fortunately, there are resources to guide your thinking that don’t involve much more than reading the trade press. Take the recent API vulnerabilities discovered at Cisco Systems, Shopify, Facebook, and Google Cloud as evidence. Determining how other organizations have been hacked and then devising tests that mimic those scenarios is a good starting point and can help your organization reinforce the value of security testing.
Reading the news to determine which kinds of security problems to target and test for is one source of information. Another source of information is the OWASP Top Ten Project. The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. The OWASP Top 10 is a standard awareness document for developers that represents a broad consensus about the most critical security risks to web applications. Companies should adopt this document to start the process of ensuring that their web applications minimize these risks.
Fortunately, ReadyAPI security scans are built on the OWASP Top 10, providing an easy starting point to shift your security testing left and add security testing to your new or existing testing process.
It’s essential to remember that creating secure software, testing it fully, and even performing mock attacks against it will only keep the average bad guy away. If someone is truly determined to break your security, they will. So, part of what you need to take away from this article is that the need for testing is constant, as is the need for vigilance. Protecting your APIs by running scans designed to mimic hacking techniques is part of the process. But truly integrating API security with automation to ensure your APIs stay secure after every code change will let you repair problems before they become front page news.
Understanding How API Security Testing Works
The essential premise of API testing is simple, but its implementation can be hard. Validating the workflow of an API is a critical component of ensuring security as well.
Here are the rules for API testing (simplified):
- For a given input, the API must provide the expected output
- Inputs must appear within a specific range for the most part, so values outside the range must be rejected
- Inputs of an incorrect type must be rejected
- Any input that is null (empty), when a null is unacceptable, must be rejected
- Inputs of an incorrect size must be rejected
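To make the five rules concrete, here is an added example (not code from the article or from ReadyAPI): a minimal input-validation layer for a hypothetical "create order" endpoint, plus a table-driven set of negative tests that exercises each rule. The schema, field names and test payloads are constructed for illustration.

```python
from typing import Any, Dict, Tuple

# Hypothetical contract for the endpoint: field -> type, range and size limits.
SCHEMA = {
    "sku":      {"type": str, "max_len": 16, "required": True},
    "quantity": {"type": int, "min": 1, "max": 100, "required": True},
    "note":     {"type": str, "max_len": 64, "required": False},
}

def validate_order(payload: Dict[str, Any]) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects null, wrong-type, out-of-range and oversized inputs."""
    for field, rule in SCHEMA.items():
        value = payload.get(field)
        if value is None:
            if rule["required"]:
                return False, f"{field}: null not allowed"
            continue  # optional field may be omitted or null
        # bool is a subclass of int in Python, so reject it explicitly for int fields
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            return False, f"{field}: wrong type"
        if ("min" in rule and value < rule["min"]) or ("max" in rule and value > rule["max"]):
            return False, f"{field}: out of range"
        if "max_len" in rule and len(value) > rule["max_len"]:
            return False, f"{field}: wrong size"
    # Reject fields the contract does not define (mass-assignment style inputs).
    unknown = set(payload) - set(SCHEMA)
    if unknown:
        return False, f"unexpected fields: {sorted(unknown)}"
    return True, "ok"

# Constructed test cases, one per rule in the list above: (name, payload, should_accept).
CASES = [
    ("expected output", {"sku": "ABC-123", "quantity": 2}, True),
    ("out of range",    {"sku": "ABC-123", "quantity": 0}, False),
    ("wrong type",      {"sku": "ABC-123", "quantity": "2"}, False),
    ("null",            {"sku": None, "quantity": 2}, False),
    ("wrong size",      {"sku": "X" * 17, "quantity": 2}, False),
]

def run_cases() -> Dict[str, bool]:
    """Map each case name to whether the endpoint behaved as its rule requires."""
    return {name: validate_order(payload)[0] == expect for name, payload, expect in CASES}
```

Each entry in `run_cases()` that comes back `False` is a rule the endpoint violates and a candidate for a security finding.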
Unfortunately, many APIs aren’t tested against these criteria, which makes any API you use a risky proposition. In short, to ensure your application behaves precisely as expected, with the least risk to your data, you must test the workflows of any API you use to confirm that the API is safe. APIs are designed as black boxes, so you don’t need to know how the API works internally; you only need to verify that it behaves in the expected manner.
How Can a Lack of Security Testing Hurt?
It’s important to put API security testing into perspective. There is an incredible amount of hype that goes with some of the security breaches you read about. Keeping your goals in focus, implementing the best test procedures possible, and following best practices in monitoring your application will generally do everything needed.
The most important thing to consider is the actual data loss or data damage that can cause all sorts of problems for your organization. Recovering data is an expensive and error-prone process that will cost more than time and money. It could cost you clientele or make it impossible for you to conduct business properly until all of the data errors are fixed. Always make sure you test every possible kind of input to your applications, but also make sure you have a backup plan in place for those times when things go wrong. Public-facing organizations can ill afford the negative side effects of API security issues. Make sure your organization is proactive in telling others what steps you take to secure their data.
Privacy is another concern. Theoretically, you could end up in jail for breaking privacy laws coupled with security breaches. The loss of customer confidence after a breach won’t do you any good either. Address any potential privacy issues immediately and perform remedial steps as needed. Of course, it’s always better to avoid the security breach in the first place.
In short, API security testing is an essential part of the application development process today. Given the number and type of recent security breaches, you can expect the public to take a dim view of anything less than your best.