DEV Community

Intesar Mohammed

How to Automate REST API Security Testing

Developers and early-stage startups build REST APIs to enable mobile, web, and API applications. Most APIs are public-facing and seldom go through a proper security testing cycle.

According to Gartner, APIs have now become the most common attack vector, ahead of networks, phishing attacks, etc. Bots scan for and detect public-facing APIs, and once they discover vulnerabilities, they exploit them continuously.

Most applications fall into compliance categories like SOC 2 for technology, PCI DSS for payments, HIPAA for medical privacy, and GDPR/CCPA for consumer privacy.

If your API falls under any of these compliance areas, these standards require you to security/penetration test your APIs continuously, report breaches, and pay punitive damages for non-compliance. You can no longer hide or ignore security issues. You must report within a specific time frame, and failing to comply can cost you dearly.

These standards share the same primary purpose: to protect user data and privacy and to ensure your applications and organizations treat security with the utmost importance.

Historically, the following impediments caused developers to skip or delay security testing:
Manual testing - DAST scanners automate the basics, but deeper testing requires skillful penetration testers
Expensive - Penetration testing incurs high costs
Low quality - Most penetration test reports contain many issues that developers rate as low priority, with no clear remediation instructions.

I'm going to suggest free and automated solutions to get you started:

EthicalCheck (Recommended)
It is a free, instant online API penetration testing tool. The tests are non-intrusive and require no sign-up. The downside is that the tests are limited. Point it at your public-facing API and get an instant report in under 1 minute. Additionally, the generated PDF report is compatible with SOC 2 and other compliance frameworks.

Stackhawk
Offers free and paid versions. It is built on top of ZAP. Sign-up and a basic understanding of security are required.

APIsec
Offers free and paid versions. A low-code platform. Sign-up is required. It covers API-centric issues like logic flaws, access control, OWASP, etc.

Top comments (6)

Syed Zainul Abedeen

Any enhancement on existing features breaks business logic. Ethical Check is mandatory before going to production.

Manual testing cannot check the break every time. We need a system to perform checks.

Andrew Baisden

Good informational article.

atef-aa

This is informative. Thanks for your recommendations.

Intesar Mohammed

Thanks everyone for liking the post!

Fyodor

There's also the 42Crunch platform (42crunch.com/), which provides a Community version that allows you to run Conformance scans (on premise) based on an OpenAPI specification (aka Swagger). A very useful tool in the right hands, as it implements the positive security model, which means that there will basically be no false positives (as opposed to the commonly practiced negative security model).
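
The positive-versus-negative security model distinction in the comment above can be illustrated in code. The following is an added example written for this page; it is not code from the post, from 42Crunch, or from any other tool named here. It checks incoming requests two ways: a positive model that allows only what a small, constructed OpenAPI-style fragment declares (paths, methods, parameters, and value shapes), and a negative model that allows everything except requests matching a short, constructed blocklist of known attack tokens. The spec fragment, the `/users/{id}` endpoint, the signature list, and all sample requests are assumptions made for the example, not anything the page describes.

```python
"""
Added example: positive (allowlist from an OpenAPI-style spec) vs. negative
(blocklist of attack signatures) request validation, side by side.
All spec content, endpoints and sample values are constructed for illustration.
"""
import re

# Constructed OpenAPI-like fragment for a hypothetical API.
SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path",
                     "schema": {"type": "integer", "minimum": 1}},
                    {"name": "fields", "in": "query",
                     "schema": {"type": "string", "pattern": r"^[a-z,]{1,40}$"}},
                ]
            }
        }
    }
}


def _match_path(template, path):
    """Return a dict of path parameters if `path` matches the OpenAPI `template`, else None."""
    regex = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
    m = re.match(regex, path)
    return m.groupdict() if m else None


def _check_value(schema, raw):
    """Validate one raw string against a small subset of JSON Schema keywords."""
    kind = schema.get("type")
    if kind == "integer":
        if not re.fullmatch(r"-?\d+", raw):
            return False
        value = int(raw)
        return value >= schema.get("minimum", value)
    if kind == "string":
        pattern = schema.get("pattern")
        return pattern is None or re.fullmatch(pattern, raw) is not None
    return False  # unsupported type: fail closed


def positive_model_allows(method, path, query):
    """Allow only what the spec declares; unknown paths, methods or parameters are rejected."""
    for template, operations in SPEC["paths"].items():
        path_params = _match_path(template, path)
        if path_params is None:
            continue
        operation = operations.get(method.lower())
        if operation is None:
            return False  # method not declared for this path
        declared = {(p["name"], p["in"]): p["schema"] for p in operation["parameters"]}
        # Every path parameter must be declared and conform to its schema.
        for name, raw in path_params.items():
            schema = declared.get((name, "path"))
            if schema is None or not _check_value(schema, raw):
                return False
        # Every query parameter must be declared and conform to its schema.
        for name, raw in query.items():
            schema = declared.get((name, "query"))
            if schema is None or not _check_value(schema, raw):
                return False
        return True
    return False  # path not declared at all


# Constructed blocklist for the negative model: a few textbook injection tokens.
SIGNATURES = [re.compile(s, re.I) for s in (r"union\s+select", r"<script", r"\.\./")]


def negative_model_allows(method, path, query):
    """Allow everything except requests that contain a known signature."""
    blob = " ".join([method, path] + [f"{k}={v}" for k, v in query.items()])
    return not any(sig.search(blob) for sig in SIGNATURES)


def compare(requests):
    """Return (positive_decision, negative_decision) for each (method, path, query) tuple."""
    return [(positive_model_allows(*r), negative_model_allows(*r)) for r in requests]


if __name__ == "__main__":
    samples = [
        ("GET", "/users/42", {"fields": "name,email"}),       # conforms to spec
        ("GET", "/users/42", {"fields": "name' OR 1=1--"}),   # no signature, but not in the allowlist
        ("DELETE", "/users/42", {}),                           # undeclared method
        ("GET", "/users/0", {}),                               # violates minimum
    ]
    for request, decision in zip(samples, compare(samples)):
        print(request, "positive:", decision[0], "negative:", decision[1])
```

The second sample is the point of the comment: the negative model passes it because no blocklist entry matches, while the positive model rejects it simply because the value does not fit the declared shape. The trade-off is that the positive model is only as good as the specification, so an undocumented but legitimate parameter is rejected until the spec is updated.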

Ștefan Vîlce

Excellent information. Thank you!