API Security Testing: How to test your API security

What does SpaceX inc have in common with Alphabet CEO Sundar Pichai? Among 200 million others, both had their data captured and sold as part of a massive data leak from social media company Twitter. Now, Twitter is subject to an inquiry from Ireland’s privacy regulator as well as being the latest case study in API security. They’re not the only ones, US Senate and House members along with 170,000 others have also been affected by the recent hack of DC Health Link. 

Despite the size of these leaks, API security issues are not uncommon, and API security testing appears to be an industry-wide weakness. Salt Security research reveals some disturbing results:

• 94% of companies have experienced API security issues in production APIs.

• 47% of companies have found vulnerabilities in production APIs.

• Malicious API attack traffic grew 117% through last year (July 2021 to July 2022) from an average of 12.22 million malicious calls per month to an average of 26.46 million.

Worse still, almost one-fifth of companies have experienced a data breach resulting from poor API security testing and practices.

Companies need to rethink API security from the basics to the best practices. In this article, we’ll walk through the fundamentals of API security and explore some of the best ways to ensure effective API security testing. Snyk's application security solution can help you test your API's with vulnerability scanning and continuous monitoring to ensure peace of mind.

What is API security?

API security describes the collection of processes, practices and products that prevent malicious attacks on, or misuse of, APIs.

In the past decade, APIs have become essential not only to modern software development but to modern software companies. Many applications make APIs central to their functionalities – consider social login, which uses an authentication API offered by the social network in question. Entire companies, such as communications service company Twilio and payments processors Stripe, are essentially providers of APIs as a service. 

APIs are compelling and increasingly ubiquitous for the same reason API security is important: APIs enable seamless access to and usage of backend data and processes. A secure API can create immense business value, just as an insecure API can risk destroying that value. 

Various attacks target insecure APIs, such as man-in-the-middle attacks, injection attacks, and distributed denial of service (DDoS) attacks. Given the number of possible attacks, API security needs to weave together a variety of security measures, but API security testing is chief among them.

In the past, API security testing was often a series of tool supported, but mostly manual processes. Security teams would perform penetration testing or scan their APIs for vulnerability by hand. Eventually, security teams would then be able to pass on any vulnerabilities they found to engineering teams, who could then fix them. The process was slow and error-prone – neither of which are defects companies should allow in a security context.

Increasingly, especially given the rise of DevSecOps, companies are integrating API security tests into the development and operations pipelines. As with other security processes, companies are looking to shift left to test for vulnerabilities earlier in the software development lifecycle and catch potential security issues earlier. The earlier companies can catch issues, the sooner they can fix them – meaning breaches are less likely and fixes are cheaper. 

API security testing consists of various tests, which we outline in the following section, but the general goal is to examine your APIs and match them against known vulnerabilities – either known insecure coding practices or dependencies with known vulnerabilities. To learn all about application security, read the Complete Guide to Application Security.

Why is API security testing important?

API security testing is important because the more often you test, and the better you test, the more likely you are to prevent API-based attacks. These kinds of attacks are especially dangerous because APIs, by their nature, grant significant levels of access to often sensitive data – access that is beneficial for legitimate users and dangerous for malicious users. 

4 risks API security testing keeps you safe from

Though even a good API security testing regimen isn’t foolproof, effective testing can prevent or at least reduce the likelihood of numerous attacks, including:

• Unauthorized access: API security testing can ensure only permitted users have access to the API. Three ways to do this are role-based access control, resource-based access control, and field-level access control.

• Data leakage: API security testing can prevent the leakage of sensitive data by ensuring malicious actors either don’t have access to an API they shouldn’t have access to or can’t use an API in an unintended way. 

• Injection vulnerabilities: API security testing can prevent numerous kinds of injection vulnerabilities, including SQL injection, OS command injection, and XML injection. Broadly, injections are performed by what appear to be user data but are actually manipulative commands. 

• Parameter tampering: API security testing can prevent parameter tampering, an attack that uses API requests to exploit backend validation errors. 

This is not an exhaustive list, so it’s worth checking out additional resources such as OWASP’s API security project.

Types of API security testing

API security testing comes in different forms, each best suited for different contexts and different types of security risks.

• Dynamic API security tests: Also called dynamic application security testing or DAST, dynamic API security tests examine running APIs for security vulnerabilities and exploitable bugs. Dynamic API security tests take an “outside-in” approach by simulating attacks that a malicious attacker would make. It does not require access to the application's source code which makes it a black box testing method.

• Static API security tests: Static application security testing or SAST, static API security tests examine source code to help developers find insecure coding patterns. 

• API fuzzing: This type of security testing automatically creates and inputs random, invalid, and otherwise unexpected data into an API so developers can see how and if the API crashes or if bugs emerge. 

• Pen testing: By simulating attacks on an API from internal or external sources and trying to exploit any vulnerabilities, security teams can identify and mitigate potential vulnerabilities in the API.

• API performance testing: Performance testing involves measuring how the API works under different load and stress conditions to find out how it handles scalability, concurrency, and availability issues. This helps security teams ensure that the API will still be secure enough to cope with peak traffic and meet specified performance requirements.

• RASP: Runtime application self-protection (RASP) is not a testing tool, but can help to monitor the API when it’s running to detect attacks in real-time by analyzing the behavior of the API, and blocking suspicious requests.

• WAF: A web application firewall is another tool that can help API security by blocking malicious web traffic before it reaches the API server.

Many API security testing tools are available – many of them open source. A few of the best open source tools include Apache JMeter, which developers can use for load testing and performance testing, Astra, which developers can use to create API tests easily, and Karate, which developers can use to script calls to API endpoints. 

Six things to keep in mind when performing API security tests

As with other security methods, the difference between API security testing done superficially and done effectively can be significant. If you keep the following six things in mind, you can better ensure your API security tests will be as effective as possible:

1. Deployment: How are you deploying your tests? Are they running in your CI/CD pipelines?

2. Configuration: Are your tests relying on HTML spiders? Or are your tests crawling your application to identify API routes? 

3. Support: Are the APIs you run supported by the test suite you’ve adopted?

4. Accuracy: Are your tests finding actual vulnerabilities? Are your tests minimizing false positives?

5. Customization: Can your tests be customized to suit specific use cases and situations that emerge over time?

6. Developer experience: Are your tests easy to use? Do they fit well into already existing developer workflows?

With these guiding questions, you can ensure your API security testing process is both effective and intuitive. 

How Snyk can help with API security testing

One of the primary reasons API security flaws are on the rise, despite widespread recognition of the issue, is that many companies struggle to identify which teams are in charge of the company’s APIs. The very centrality of APIs means that they tend to sit at the intersection of numerous teams and endure rapid iteration as the ways these teams use the APIs evolve. 

The result is that APIs can remain insecure despite a company’s or a team’s best intentions. Forward-thinking companies are fighting against this tendency by empowering developers to take ownership of an application’s security. A developer-first approach – complemented by developer-first tooling and guidance – is essential to building more secure APIs. 

At Snyk, we believe in building tools that help companies empower developers and helping those developers use those tools to the greatest effect. With Snyk, developers can tune security automation functions to their specific workflows, ensuring consistency across:

• Source code via Snyk Code.

• Security configurations via Snyk IaC.

• Package security issues via the Snyk API.

To learn more about our API security product vision and the benefits of using the Snyk platform, read about extensibility and the Snyk API.