Automating API security testing with a DevSecOps approach

There has been a lot of recent focus of shifting testing left, but a part of that which doesn’t get much attention is API testing.

Akshay Aggarwal, CEO of PeachTech and founder and COO of Deja Vu Security, believes that companies can better manage API testing by approaching it in a DevSecOps way. It needs to be integrated around teams’ current workflow in order to be effective, according to him.

Aggarwal believes there are seven fundamentals to API testing in a DevSecOps setting. The first is that testing needs to be specific to APIs. He says that teams need to test against vulnerability lists, such as the OWASP Top 10.

The second point is that test cases need to be automatically generated. “Unless you can automate, you’re at least two orders of magnitude behind in terms of the amount of time and effort spent looking for issues,” Aggarwal said.

Aggarwal recommends that teams configure their testing in a way that allows them to convert their current unit tests into security tests.

Third, security tests should be built into the existing developer workflows using normal tools. This allows vulnerable code to be sent back to development and prevented from entering into production. Using tools that developers are already familiar with prevents them from having to learn new tools, which saves time and money. Similarly, data should populate into the normal databases so that they don’t have to use a specific tool to view results, Aggarwal explained.

The fourth fundamental is a term known as fuzzing, which is when teams mutate valid messages to find additional vulnerabilities that were not discovered during automated OWASP testing. Fuzzing reduces the number of zero-day vulnerabilities present in code.

Creating testing profiles that accommodate business needs is also important. For example, creating a profile that bypasses certain tests for projects with tight deadlines.

Sixth, the test results should include information that developers will need in order to fix issues quickly. Finally, configuring how faults are managed is important because it ensures that false positives don’t slow down development.

“Essentially what happens is that the tests transform as time goes on, but the fundamentals of that sound security remain constant,” said Aggarwal.

According to Aggarwal, organizations are not always clear on whose responsibility API testing is. When asked as part of a survey who is responsible for API testing, 49 percent said it was the development team and 51 percent said it was the security team, said Aggarwal.

“If you dug down deeper into who was answering, it depended on the role that they had,” said Aggarwal. “Developers overwhelmingly said it was the security team’s responsibility and security teams overwhelmingly said it was the developer’s responsibility.”

This mismatch is one of three challenges to scaling API security. Because API security depends on the consumer to provide security, not knowing who is providing that security can have negative effects.

Another challenge he lists is that APIs have increasingly complex actions. This makes it difficult to use tradition tooling, such as security vulnerability scanners, because those tools cannot “detect bugs that they can’t see.”

The third challenge to scaling API security is that manual API testing is too expensive. But when companies don’t find bugs until code is in production, it is too late to prevent losses from those bugs.

By overcoming these challenges and following the fundamentals needed to approach testing in a DevSecOps way, companies can realize the full benefits of API testing.