By John Breeden II
Application programming interfaces (APIs) are a critical part of most modern programs and applications. In fact, both cloud deployments and mobile applications have come to rely so heavily on APIs that you can’t have either without an API managing components somewhere along the line. Many larger companies, especially those with a big online presence, have hundreds or even thousands of APIs embedded in their infrastructure. The growth of APIs will only continue to increase.
The ingenious thing about APIs is that many of them are just tiny snippets of code, and all are designed to be small and unobtrusive in terms of their network resource requirements. Yet they are also flexible and able to keep working and performing their main functions even if the program they are interfacing with or controlling changes, such as when patches are applied.
As amazing as APIs are, they also have their faults. Because they can be designed to do almost anything, from single functions repeated over and over to smartly controlling the advanced aspects of various programs or platforms, almost no standards govern their creation. Most APIs are unique, and many organizations simply create new APIs as needed. That can be a nightmare for security teams.
Another reason APIs are attractive to attackers is that many are over-permissioned. Even APIs that perform only a few functions often have near-administrator privileges. The thinking is that such a tiny API could not possibly do any harm. Attackers who compromise an API can then use its credentials for new purposes, such as data exfiltration or deeper penetration into a network. According to security research conducted by Akamai, nearly 75% of modern credential attacks targeted vulnerable APIs.
The problem is getting worse. According to Gartner, by 2022, vulnerabilities involving APIs will become the most frequently attacked vector across all cybersecurity categories.
Having a critical networking and program component in the crosshairs of attackers is bad enough, but with APIs the situation is even more precarious because of the lack of standards involved in their creation. Many organizations likely don’t know how many APIs they are using, what tasks they are performing, or how high a permission level they hold. Then there is the question of whether those APIs contain any vulnerabilities.
Industry and private groups have come up with API testing tools and platforms to help answer those questions. Some testing tools are designed to perform a single function, like identifying how specific Docker APIs are misconfigured. Others take a more holistic approach to an entire network, searching for APIs and then providing information about what they do and why they might be vulnerable or over-permissioned.
Several well-known commercial API testing platforms are available, as well as a large pool of free or low-cost open-source tools. The commercial tools generally have more support options and may be deployable remotely through the cloud or even as a service. Some open-source tools may be just as good and have the backing of the community of users who created them. Which one you select depends on your needs, the security expertise of your IT teams, and your budget.
Below are some of the top commercial API testing tools on the market and their main features, followed by some open-source tools.
APIsec
The APIsec platform acts like a penetration testing tool aimed at APIs. Whereas many tools only scan for common vulnerabilities such as script injection, APIsec stress tests every aspect of targeted APIs to ensure that everything from the core network to the endpoints accessing it is protected from flaws in the API’s code.
One big advantage of APIsec is that it can be deployed in the development phase while APIs are being programmed. A full scan of apps that are in the process of being built takes only a couple of minutes, with results comparable to old-school penetration testing operations that used to take days or weeks to complete.
AppKnox
AppKnox offers a lot of assistance to those who purchase and deploy its platform. Combined with its easy-to-use interface, this makes AppKnox a good choice for organizations that don’t have large security teams dedicated to their APIs. AppKnox starts with a scan to locate APIs in the production environment, on endpoints or wherever else they may be deployed. Once they are located, users can select which APIs they want to submit for further testing.
AppKnox tests for all the common problems that can cause an API to break or become compromised, such as command injection vulnerabilities in HTTP requests, cross-site tracing, and SQL injection vulnerabilities. This includes a complete analysis of web servers, databases and all components on the server that interact with the API.
After the API scan, users can submit their results for advanced analysis with a human security researcher, a process the company says normally takes between three and five days.
Data Theorem API Secure
The Data Theorem API Secure platform is designed to fit into any continuous integration and continuous delivery/deployment (CI/CD) environment to provide ongoing security to APIs in every stage of development and into the production environment. Its analyzer engine continually searches the network for new APIs and can quickly identify unauthorized ones or those that belong to an organization’s shadow IT.
The analyzer engine keeps itself up to date about the most recent vulnerabilities discovered for APIs and continually tests protected assets. It works with both on-premises and cloud environments to make sure that no APIs can fall victim to the latest threats. To keep the CI/CD pipeline clear and flowing, Data Theorem API Secure offers to automatically fix discovered problems without requiring human intervention. That way organizations can keep their APIs secure against even the latest threats, so long as they are comfortable with a high level of automation.
Postman
While Postman certainly qualifies as a testing tool for APIs, its claim to fame is as a complete and collaborative platform for building secure APIs. It’s used by millions of developers working in Windows, Linux and iOS environments, and for good reason.
Postman provides developers with a complete set of API tools to use when designing new APIs, and it also provides a secure repository for code that organizations can build up over time. Using the secure repository can ensure that future APIs maintain tight security and organizational standards from the start.
The workspaces provided by Postman are designed to help developers organize their work. It also can provide security warnings when an app’s code starts to drift away from the organization’s established secure template or incorporates a potential vulnerability. That way the problem can be fixed long before the API makes it to the production environment.
SmartBear ReadyAPI
In addition to security testing, the SmartBear ReadyAPI platform is designed to optimize the use and performance of APIs within any environment. It can execute an API security analysis with a single click, but it also supports other critical functions like seeing how well, or badly, an API can handle an unexpected load or sudden spike in usage.
You can configure ReadyAPI to generate the specific kinds of traffic that the API is expected to handle. It can also record live API traffic so that future tests will be more accurate and configured to the unique environment where it will be operating. In addition, the platform can import almost any specification or schema to test APIs using the most popular protocols. Natively, ReadyAPI supports Git, Docker, Jenkins, Azure DevOps, TeamCity and more, and can be run in any environment from development to quality assurance long before APIs go live.
Synopsys API Scanner
One reason the Synopsys API Scanner is so powerful is that, in addition to security testing, it also incorporates fuzzing as part of its suite of deep scans and tests. The fuzzing engine sends thousands of unexpected, invalid or random inputs to APIs to see how they behave or whether they will break when subjected to things like very large numbers or odd commands.
It also maps out all the paths and the logic of an entire API, including all the endpoints, parameters, authentications, and specifications that apply to its use. This gives developers a clear picture of what functions they intend their APIs to perform, compared with what they actually might sometimes do. It makes it clear why an API might be subject to unexpected behavior or security vulnerabilities.
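As an added illustration of the schema-driven fuzzing the two paragraphs above describe (example code written for this article, not the Synopsys tool or its output): the fuzzer derives boundary, oversized, non-ASCII and wrong-type inputs from each parameter's schema, sends them one at a time, and classifies the endpoint's reaction. The schema in PARAMS and the sample_handler endpoint are constructed so the example runs offline.

```python
from typing import Any, Callable, Dict, List, Tuple

# Constructed parameter schema, as a scanner would read it from an API spec.
PARAMS: Dict[str, Dict[str, Any]] = {
    "page": {"type": "integer", "minimum": 1, "maximum": 1000},
    "query": {"type": "string", "maxLength": 64},
}

def sample_handler(req: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Constructed stand-in for a real endpoint: validates 'page' but not 'query'."""
    page = req.get("page")
    if not isinstance(page, int) or not 1 <= page <= 1000:
        return 400, {"error": "page must be an integer in 1..1000"}
    query = req.get("query", "")
    # Deliberate weak spot: assumes query is ASCII text of a sane length.
    cache_key = query.encode("ascii").hex()[:16]
    return 200, {"page": page, "cache_key": cache_key, "results": []}

def odd_values(schema: Dict[str, Any]) -> List[Any]:
    """Boundary, huge, non-ASCII and wrong-type inputs derived from the schema."""
    if schema["type"] == "integer":
        lo, hi = schema.get("minimum", 0), schema.get("maximum", 2**31 - 1)
        return [lo - 1, hi + 1, -(2**63), 2**64, 10**30, 1.5, "1", None, True]
    cap = schema.get("maxLength", 256)
    return ["A" * (cap + 1), "A" * 100_000, "\u00fc" * 8, "\x00", None, 123, ["x"]]

def fuzz(handler: Callable[..., Tuple[int, Any]], params: Dict[str, Any],
         base: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Mutate one parameter at a time and classify the endpoint's reaction."""
    findings = []
    for name, schema in params.items():
        for value in odd_values(schema):
            req = {**base, name: value}
            try:
                status, _ = handler(req)
                verdict = "rejected" if 400 <= status < 500 else f"accepted:{status}"
            except Exception as exc:  # would surface as a 500 on a real server
                verdict = f"crash:{type(exc).__name__}"
            findings.append((name, repr(value)[:24], verdict))
    return findings

def crashes(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Unhandled errors are definite bugs; 'accepted' rows deserve a manual look."""
    return [f for f in findings if f[2].startswith("crash:")]

if __name__ == "__main__":
    for name, value, verdict in fuzz(sample_handler, PARAMS, {"page": 1, "query": "ok"}):
        print(f"{name:6} {value:26} {verdict}")
```

Running it shows the two classes of finding a developer wants from a fuzzer: inputs the endpoint crashes on (here, non-ASCII and non-string query values) and inputs it silently accepts although they fall outside the declared schema (an over-length query, or a boolean where an integer page was expected).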
Open-source API testing tools
While the open-source tools generally don’t have the same support as commercial offerings, experienced developers can easily deploy them, often for free, to shore up or improve the security of their APIs. The following are some of the more popular offerings according to the open-source community.
Astra
Astra mostly concentrates on representational state transfer (REST) APIs, which can be extremely difficult to secure because they are often changing constantly. Given that the REST architectural style emphasizes scalability in its interactions between components, it can be challenging to keep REST APIs secure over time. Astra helps by offering to integrate into the CI/CD pipeline, checking to make sure that the most common vulnerabilities don’t creep back into a supposedly safe REST API.
crAPI
The crAPI tool has a terrible name, but it performs its function as an API wrapper efficiently. It’s one of the few wrappers that can connect to a target system and provide a base path with the root client’s default set of handlers. It can do it without having to create any new connections. Advanced API developers can save a lot of time with it.
Apache JMeter
Apache JMeter, which not surprisingly is written in Java, began life as a load tester for web applications but has recently expanded for use with almost any application, program or API. Its detailed suite can test performance on either static or dynamic resources. It can generate a heavy simulated load of realistic traffic so that developers can discover how their API will perform under pressure.
Taurus
Taurus provides an easy way to turn standalone API testing programs into a continuous testing operation. On the surface, Taurus is simple to use. You install it, create a configuration file and let your testing tools do their work. If you poke under the hood a bit, you can discover ways to generate interactive reports, create more complex scenarios to put your APIs through, and set up failure criteria so you can immediately go in and fix discovered problems.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes.
Copyright © 2021 IDG Communications, Inc.