
API Security Testing – Common Topics We’re Asked About

July 31, 2024 | 4 MIN READ

by Jeff Harrell


This article is the fourth in a series of five covering key API security topics and provides some answers to common questions we often get when talking to potential customers. The series will cover the following topics:

API security needs are specific to individual organizations and their particular market or industry, and the Cequence Unified API Protection platform was developed with that in mind – it’s highly flexible, customizable, and built to grow with your business.

This article focuses on API security testing performed in development, in production, or standalone, identifying vulnerabilities, coding errors, and other issues that could be exploited. API security testing is part of API Sentinel, a core product in the Cequence Unified API Protection platform.

The following are some common requirements that we’ve heard voiced by potential customers:

Flag API Endpoint Configurations Not Matching Industry Best Practices

Cequence identifies API endpoint configurations that deviate from industry best practices, both while APIs are in development and once they are in production. Where no specification exists, Cequence can generate one specific to the organization, and it assesses each endpoint against common industry frameworks such as the OWASP API Security Top 10, the OWASP Automated Threats to Web Applications, and PCI DSS 4.0.

Flag API Endpoint Configurations Not Matching Company Policies

Cequence identifies API endpoint configurations that deviate from an organization’s internal governance and best practices both while APIs are in development and in production. Cequence can automatically generate API specs specific to the organization in the event specifications don’t exist.

Zero-Config API Test Configuration

Cequence “Intelligent Mode” automates the generation of API security test plans from OpenAPI specs or Postman collections. The resulting plans can be exported for integration into the CI/CD pipeline, or Cequence can run them against the API directly. For APIs with no existing specification, Cequence can derive one from the runtime traffic observed for the production API. This avoids building test plans by hand, a process that is error-prone and requires developers to know which security test cases their APIs need.

API Input Testing by Generating Inputs from Known Bad Payloads

Cequence accepts both OpenAPI specifications and Postman collections as sources of API definitions. An OpenAPI specification usually contains no bad payloads, but Postman collections are used frequently by development and QA teams to test functionality, regression, and exception handling, and so often carry them. Cequence can therefore auto-create and configure test plans from known bad payloads. This is useful when testing for OWASP API Security Top 10 risks such as BOLA, BOPLA, and BFLA, where Cequence not only creates the test plan but also creates the appropriate authentication profiles (both authorized and unauthorized) so that the tests exercise the authorization check itself, giving adequate coverage while keeping the testing workflow simple.
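The kind of authorization test plan that the two sections above describe (generating cases from an OpenAPI spec, then running them under two authentication profiles), as an added example that is not Cequence code: it reads a constructed OpenAPI fragment, emits BOLA and BFLA cases for an owner profile and an unrelated-user profile (with a control request from the owner so that a broken endpoint returning 403 to everyone does not pass as secure), and runs them against a constructed in-memory back end with a deliberate BOLA bug, beside a fixed version. The x-owner-param and x-required-role vendor extensions, the tokens, and the back end are all assumptions made for this demo; a real run would send the generated requests over HTTP.

```python
"""Generate BOLA/BFLA test cases from an OpenAPI spec and run them with two
authentication profiles.  Added example, not Cequence code.  The spec fragment,
the vendor extensions x-owner-param / x-required-role, the tokens and the
in-memory back end are all constructed for this demo."""
import re

# Constructed OpenAPI fragment.  The x-owner-param / x-required-role hints are an
# assumption: they tell the generator which path parameter identifies the
# object's owner and which operations are role-restricted.
SPEC = {
    "paths": {
        "/users/{userId}/orders/{orderId}": {
            "get": {"operationId": "getOrder", "x-owner-param": "userId"},
        },
        "/admin/users": {
            "get": {"operationId": "listUsers", "x-required-role": "admin"},
        },
        "/health": {"get": {"operationId": "health"}},
    }
}

# Two constructed authentication profiles: the object owner and an unrelated user.
PROFILES = {
    "alice": {"token": "tok-alice", "user_id": "u1", "role": "user"},
    "bob": {"token": "tok-bob", "user_id": "u2", "role": "user"},
}
SESSIONS = {p["token"]: p for p in PROFILES.values()}


def generate_tests(spec):
    """Derive authorization test cases from the spec.

    BOLA: a resource owned by alice is requested with bob's token (expect 403),
    plus a control request by alice herself (expect 200) so that a blanket 403
    from a broken endpoint does not pass as "secure".
    BFLA: a role-restricted operation is requested by a plain user (expect 403).
    """
    tests = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            owner = op.get("x-owner-param")
            if owner:
                url = path.replace("{" + owner + "}", PROFILES["alice"]["user_id"])
                url = re.sub(r"\{[^}]+\}", "1", url)  # fill remaining params
                tests.append({"check": "BOLA", "method": method.upper(),
                              "path": url, "as": "bob", "expect": 403})
                tests.append({"check": "BOLA-control", "method": method.upper(),
                              "path": url, "as": "alice", "expect": 200})
            if op.get("x-required-role"):
                tests.append({"check": "BFLA", "method": method.upper(),
                              "path": path, "as": "bob", "expect": 403})
    return tests


ORDER_RE = re.compile(r"/users/([^/]+)/orders/([^/]+)")


def handle_request(method, path, token):
    """Constructed back end: authenticates but never checks object ownership."""
    session = SESSIONS.get(token)
    if session is None:
        return 401
    if ORDER_RE.fullmatch(path):
        return 200  # BUG: userId in the URL is not compared with the session
    if path == "/admin/users":
        return 200 if session["role"] == "admin" else 403
    if path == "/health":
        return 200
    return 404


def handle_request_fixed(method, path, token):
    """Hardened back end: object-level check added, everything else unchanged."""
    session = SESSIONS.get(token)
    if session is None:
        return 401
    m = ORDER_RE.fullmatch(path)
    if m:
        return 200 if m.group(1) == session["user_id"] else 403
    return handle_request(method, path, token)


def run_tests(tests, backend=handle_request):
    """Run each case against `backend`; return the cases whose status was unexpected."""
    findings = []
    for t in tests:
        status = backend(t["method"], t["path"], PROFILES[t["as"]]["token"])
        if status != t["expect"]:
            findings.append({**t, "got": status})
    return findings


if __name__ == "__main__":
    cases = generate_tests(SPEC)
    for f in run_tests(cases):
        print("FAIL %s %s %s as %s: expected %d, got %d" % (
            f["check"], f["method"], f["path"], f["as"], f["expect"], f["got"]))
    print("after fix:", run_tests(cases, backend=handle_request_fixed))
```

Against the vulnerable back end the only finding is the BOLA case (bob receives 200 for alice's order); the control and BFLA cases pass, and all three pass against the fixed back end. The control request is the part most hand-written plans omit: without it, an endpoint that rejects every caller looks identical to one that authorizes correctly.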

White Box Security Testing

Cequence prides itself on not being a “black box” and on providing the most open and transparent solution on the market. Cequence’s security testing capability can be used either in the CI/CD pipeline or against a deployed API.

Autonomous Test Creation

Cequence offers autonomous test creation, which generates test plans with minimal human involvement: users answer a series of interactive questions, and the Cequence product determines the right set of security requirements and builds a test plan tailored to each API application. This avoids the manual, error-prone process of developing a proper security test plan, which can often take weeks or more to complete.

Some of the other areas of API security testing where Cequence excels:

Test APIs for susceptibility to the OWASP API Security Top 10
Configure API tests without OAS documentation
Integrate with external defect tracking
Provide API security tests that run in CI/CD pipelines
Provide remediation guidance for developers and operations

There are certainly other facets of API security testing, but these are the topics we hear about most frequently. Check out the other articles in this series, or our eBook, “Ten Things Your API Security Solution Must Do.”

Author

Jeff Harrell

Director of product marketing

Jeff Harrell is the director of product marketing at Cequence and has over 20 years of experience in the cybersecurity field. He previously held roles at McAfee, PGP, Qualys, and nCircle, and co-founded the company that created the first commercial ad blocker.
