This article is the fourth in a series of five covering key API security topics and provides some answers to common questions we often get when talking to potential customers. The series will cover the following topics:
- API Discovery
- API Posture Management
- Attack Protection
- API Security Testing
- Attack Detection and Threat Hunting
API security needs are specific to individual organizations and their particular market or industry, and the Cequence Unified API Protection platform was developed with that in mind – it’s highly flexible, customizable, and built to grow with your business.
This article focuses on API security testing performed in development, in production, or standalone, identifying vulnerabilities, coding errors, and other issues that could be exploited. API security testing is part of API Sentinel, a core product in the Cequence Unified API Protection platform.
The following are some common requirements that we’ve heard voiced by potential customers:
Flag API Endpoint Configurations Not Matching Industry Best Practices
Cequence identifies API endpoint configurations that deviate from industry best practices both while APIs are in development and once in production. Cequence can automatically generate API specs specific to the organization and assess compliance with common industry frameworks such as the OWASP API Security Top 10, the OWASP Automated Threats Top 10, PCI DSS 4.0, etc.
Flag API Endpoint Configurations Not Matching Company Policies
Cequence identifies API endpoint configurations that deviate from an organization’s internal governance and best practices both while APIs are in development and in production. Cequence can automatically generate API specs specific to the organization in the event specifications don’t exist.
Zero-Config API Test Configuration
Cequence “Intelligent Mode” automates the generation of API security test plans from OpenAPI specs or Postman collections. The resulting plans can be exported for integration into the CI/CD pipeline, or Cequence can use them to test the API directly. For APIs that do not have any existing specifications, Cequence can dynamically generate specifications from the runtime traffic observed for the production API. This is vastly superior to manual approaches to generating test plans, which are error-prone and require developers to be security-savvy about the security test cases they need to associate with their APIs.
API Input Testing by Generating Inputs from Known Bad Payloads
Cequence supports both OpenAPI specifications and Postman collections as sources of API collections. While an OpenAPI specification usually does not contain bad payloads, Postman is used frequently by development and QA teams to test for functionality, regression, and exception handling. Accordingly, Cequence offers the ability to auto-create and configure test plans from known bad payloads. This comes in handy when testing for OWASP Top 10 risks like BOLA, BOPLA, BFLA, etc., where Cequence can not only create the test plan but also automatically create the appropriate authentication profiles (both good and bad) to ensure adequate coverage and effectiveness while simplifying the usability of API security testing.
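To make the authentication-profile idea concrete, here is an added example (not Cequence code; the spec, tokens and mock endpoints are all constructed) that derives BOLA test cases from a minimal OpenAPI document using two profiles, an "owner" and an "other" authenticated user, and runs them against a vulnerable and a fixed mock API. Each path parameter yields a control case (owner expects 200) and a cross-user probe (other expects 403/404), so a probe cannot "pass" merely because the endpoint is broken.

```python
# Constructed minimal OpenAPI document describing a hypothetical API.
SPEC = {"paths": {
    "/users/{userId}/orders": {"get": {"parameters": [{"name": "userId", "in": "path"}]}},
    "/health": {"get": {}},  # no path parameter: no BOLA case generated
}}

# Two authentication profiles (constructed): the resource owner and a second valid user.
PROFILES = {"owner": {"token": "tok-alice", "userId": "alice"},
            "other": {"token": "tok-bob", "userId": "bob"}}
TOKENS = {p["token"]: p["userId"] for p in PROFILES.values()}  # mock token store


def generate_bola_tests(spec):
    """For each operation with a path parameter, emit two cases: a control
    (owner reads its own resource, expect 200) and a cross-user probe (the
    other user reads the owner's resource, expect 403 or 404)."""
    tests = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            for prm in op.get("parameters", []):
                if prm.get("in") != "path":
                    continue
                url = path.replace("{%s}" % prm["name"], PROFILES["owner"]["userId"])
                tests.append({"method": method.upper(), "url": url, "as": "owner", "expect": {200}})
                tests.append({"method": method.upper(), "url": url, "as": "other", "expect": {403, 404}})
    return tests


def vulnerable_api(method, url, token):
    """Constructed mock: authenticates the token but never checks object ownership."""
    return 401 if token not in TOKENS else 200


def fixed_api(method, url, token):
    """Constructed mock: same endpoint with an object-level authorization check."""
    caller = TOKENS.get(token)
    if caller is None:
        return 401
    owner = url.split("/")[2]  # "/users/<userId>/orders" -> userId
    return 200 if owner == caller else 403


def run_tests(tests, api):
    """Return (url, profile, status, passed) per case; a case passes only when
    the status is in its expected set."""
    out = []
    for t in tests:
        status = api(t["method"], t["url"], PROFILES[t["as"]]["token"])
        out.append((t["url"], t["as"], status, status in t["expect"]))
    return out
```

Against the vulnerable mock the control passes and the cross-user probe fails (it returns 200), which is the BOLA finding; against the fixed mock both cases pass.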
White Box Security Testing
Cequence prides itself on not being a “black box” and providing the most open and transparent solution on the market. Cequence’s security testing capability can be utilized either in the CI/CD pipeline or in deployment.
Autonomous Test Creation
Cequence offers autonomous test creation, which generates API specs without human involvement. Users answer a series of interactive questions, and the Cequence product determines the right set of security requirements and develops tailor-made test plans for each API application. This approach avoids the manual, error-prone process of developing a proper security test plan, which often takes weeks or more to complete.
Some of the other areas of API security testing where Cequence excels:
- Test APIs for susceptibility to the OWASP API Security Top 10
- Configure API tests without having OAS documentation
- Integration with external defect tracking
- Provide API security tests for running in CI/CD pipelines
- Provide remediation guidance for developers and operations
There are certainly other facets of API security testing, but these are some of the topics we hear about most frequently. Check out the other articles in this series, or our eBook, “Ten Things Your API Security Solution Must Do.”