API Penetration Testing

Know Your APIs are Secure

APIs are now an important part of almost every application development project, including web applications and mobile apps. But due to the increased usage of APIs, especially from third-party sources (Google Maps API, Facebook Graph API, LinkedIn REST API, etc.), it’s often challenging for developers to prove their APIs and overall web applications are secure.

It can also be difficult and time-consuming to update APIs over time to patch known vulnerabilities. Further, you may not know if the APIs you’ve deployed were properly tested for security by the original developers.

As a result, APIs constitute one of the largest attack surfaces in most web applications—and also one of the harder classes of vulnerabilities to remediate.

Developers who leverage Pivot Point Security’s API Penetration Testing service can efficiently and effectively demonstrate that their APIs are secure from known/common vulnerabilities, such as Cross-Site Scripting (XSS) vulnerabilities, injection flaws, authentication weaknesses, etc. This level of testing also provides valuable guidance on how to close any security gaps.

Why Do API Penetration Testing?

The benefits of using APIs to build and operate applications are too good to pass up:

  • Cost savings
  • Reduction in development time
  • Consistent, dependable performance
  • Simplified maintenance

The goal of API penetration testing is to maximize the benefits APIs bring while identifying and remediating the significant risks they impose.

API Penetration Testing FAQs

Q: What does API penetration testing look for?

A: API penetration tests validate that the APIs that are exposed are properly secured. Dependent upon their risk and business objective they will include some combination of: automated testing manual testing, code review, code scanning, and security auditing. We believe that the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) is the best way to demonstrate to key stakeholders that a web application/API is secure. The ASVS defines three distinct levels of testing based on risk and provides guidance on 286 application security practices that an application should include.

Q: What can an API penetration test prevent?

A: When a web app is compromised, the results can include data breaches, data exfiltration, fraud, customer account takeovers, compromised control systems, embarrassing performance problems, and exposed application code or business logic. Depending on what data and/or systems are compromised, the financial and reputational damage could be massive, especially in relation to the cost of the testing.

Q: At what point in the development cycle should we test our APIs?

A: You can test APIs at any time, and the sooner the better. Unlike a “final” application penetration test intended to verify the overall security of a web application prior to launch, the sooner you know about defects in your APIs the sooner you can rectify them. It’s also important to update and retest your APIs on a regular basis (e.g., once per quarter) so that you don’t end up with a growing “snowball” of expensive-to-fix vulnerabilities as your APIs are updated over time.

Q: Is an API penetration test a type of simulated attack?

A: No, an API pen test is looking to test the quality of the application by examining whether the APIs it uses are secure. It is about identifying vulnerabilities in the APIs, not validating whether the overall application can withstand an attack.

Q: How can I know that a tester/vendor is qualified to test my APIs?

A: API penetration testing and web application penetration testing in general are “part art, part engineering,” which can make it hard to know what to expect and whether you got what you paid for. Some questions to ask testers/vendors include: how long have you been performing API pen tests and how many have you done? Have you done any with clients in my industry and/or with similar applications? What testing standards do you use as a foundation (e.g., OWASP Top 10, OWASP ASVS)? What classes of vulnerabilities will you test for? What is the experience level of the tester(s) you will use? What is your step-by-step methodology? You can also

What’s Next?

Are you concerned that your APIs are putting your application’s security at risk? If so, reach out! Pivot Point Security has helped many organizations prove their applications are secure and bring peace of mind to developers that they are building secure applications.