
Special thanks to Corey Ball, Cybersecurity Consulting Manager and author of the upcoming book “Hacking APIs” (No Starch Press), for his contribution to this article

Application programming interfaces (APIs) remain an increasingly attractive target for attackers. Enterprises today are using more and more APIs, which grows the attack surface and adds the complexity of managing a large number of APIs. Security professionals recognize these challenges as they work to find tooling and security testing techniques that fit both their development processes and their business objectives.

Concerns over API security aren’t new, of course. A 2017 Gartner report predicted API abuse would become a top concern for security teams by 2022.

But APIs aren’t applications, and they require a different approach. API security testing is very hard to do using standard application testing methods and tools, which frequently results in false negatives. These false negatives create undue confidence in an API’s security. And unsecured APIs remain vulnerable to abuse and attack once deployed in production.

As API attacks become more frequent and sophisticated, protecting against business logic attacks before APIs are deployed is as important as building secure applications.

Why rethink current security testing methods?

Business logic vulnerabilities can lead to unexpected and devastating results if they’re not addressed. Unlike other types of security vulnerabilities, business logic vulnerabilities let an attacker chain legitimate process flows into harmful outcomes, such as data theft or fraud. What’s worse, such vulnerabilities aren’t flagged by security scanning tools, because each individual step is a legitimate operation; only the combined outcome harms the business.

Unfortunately, this makes it easy for attackers to find and exploit these vulnerabilities without any specialized tools or knowledge, since they utilize expected processes within the system as designed. But finding and fixing these business logic vulnerabilities tends to be more difficult for development teams, as the flaws are essentially hidden unless you’re specifically looking for them. 

Business logic vulnerabilities are introduced when developers make assumptions about user interactions with an application. A deep understanding of the entire application and user experience can help developers build with these vulnerabilities in mind. However, this alone isn’t enough to secure both applications and APIs.
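As an added illustration of the assumption-driven flaws described above (example code written for this point, not the article's own or any vendor's code), a checkout endpoint is modelled as a plain function over a parsed JSON body. The catalog, SKUs and prices are constructed sample data. Every request shown is syntactically valid JSON with no malformed input, which is exactly why a scanner that only probes for injection or parsing bugs reports nothing.

```python
# Added example: a business logic flaw born of a developer assumption,
# shown beside its hardened form. Catalog and SKUs are constructed data.

CATALOG = {"sku-1": 25.00, "sku-2": 40.00}   # constructed server-side prices
MAX_QTY_PER_LINE = 100


def checkout_vulnerable(body: dict) -> dict:
    """Assumes the client echoes the catalog price and orders a positive
    quantity. Both assumptions are invisible to a scanner: the request is
    well-formed, it simply is not the flow the developer had in mind."""
    total = sum(item["price"] * item["qty"] for item in body["items"])
    # A negative total is silently treated as a refund to the account.
    return {"user": body["user"], "charged": round(total, 2)}


class LogicError(ValueError):
    """Raised when a request steps outside the intended business flow."""


def checkout_hardened(body: dict) -> dict:
    """Re-derives every money-relevant value on the server and rejects
    anything outside the intended flow instead of trusting the client."""
    items = body.get("items") or []
    if not items:
        raise LogicError("empty cart")
    total = 0.0
    for item in items:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            raise LogicError(f"unknown sku {sku!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if (not isinstance(qty, int) or isinstance(qty, bool)
                or qty < 1 or qty > MAX_QTY_PER_LINE):
            raise LogicError(f"quantity out of range for {sku}: {qty!r}")
        total += CATALOG[sku] * qty   # price comes from the catalog, never the body
    return {"user": body["user"], "charged": round(total, 2)}
```

Testing the hardened version means asserting on business rules (quantity bounds, server-side pricing, non-empty cart), which is the kind of check a layered program must add on top of automated scans.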

Security testing helps surface vulnerabilities, including business logic vulnerabilities, before they’re deployed in production. However, not all security testing programs are created equal. Understanding your current security testing processes is an important step in determining how best to improve application and API security. Reviewing your current security testing program will help reveal gaps in your tools and testing methods.

False negatives, false confidence

In 2018, the United States Postal Service learned a valuable lesson in API security testing when the Office of Inspector General performed a vulnerability assessment of the USPS Informed Visibility system. Informed Visibility is a mass mail tracking system the USPS uses to ensure mail and packages traverse the postal system while providing real-time tracking data to consumers. The initial security tests revealed some areas for improvement, but the system overall passed the tests designed to verify compliance with USPS security standards.


The report was published October 12, 2018. On November 21, 2021, Krebs on Security published a story detailing the data exposure of 60 million USPS users along with the USPS remediation of the flaw. At the heart of the now-fixed data exposure flaw was the platform’s API. Testing tools and methods used by the Office of Inspector General hadn’t adequately assessed API security for the Informed Delivery system.

Security testing for APIs differs from other software testing methods. Automated scanning tools can test for a variety of application security vulnerabilities but aren’t purpose-built to find vulnerabilities within APIs. A satisfactory report from an automated security scan can mean the application meets the intended standards even though the API itself was never exercised in the process. Vulnerabilities within the API therefore go undetected by automated scan tools.

When security testing tools report that the application meets standards without having tested the API, the result is a false negative that gives the development team a false sense of security. Automated security scanning tools aren’t designed to expose vulnerabilities embedded in APIs, and they may also be misconfigured. Undetected vulnerabilities remain a threat to the organization, even when you’re unaware they exist.


Comprehensive API security testing can become a costly budgetary item for application development. One of the first steps in moving toward a more robust API security testing solution involves examining your current methods and how they’re performing. Consider comparing costs and benefits of deploying more comprehensive test coverage methods versus the tools and methods you currently use.

A new approach to business logic API security testing

Since standard application security testing methods aren’t designed for APIs, you must approach API security in a different way. 

Begin by evaluating your current approach to vulnerability management. Know what you’re working with before you make changes to your current security testing process. Inventory the tools you’re using and their results. Do these tools detect vulnerabilities in your APIs? If the answer is no, test your tools against one of several intentionally vulnerable APIs. 

These APIs are designed to contain vulnerabilities a good security testing tool could surface:

  • OWASP crAPI is a completely ridiculous API designed to help developers learn and understand the top 10 most critical security vulnerabilities affecting APIs.
  • VAmPI was designed to help developers and security teams evaluate security testing tools and includes the OWASP Top 10 critical security vulnerabilities. 
  • OWASP Juice Shop is a sophisticated insecure web application designed for security training and security tool testing alike. Juice Shop includes the OWASP Top 10 critical security vulnerabilities as well as other flaws typically found in the wild.
  • Pixi is no longer supported, but the API remains just as vulnerable as its final release version.

API security testing should include more than just tools. Use a layered approach for the best coverage. Include human-powered testing methods to surface vulnerabilities tools alone might miss. Use penetration testing and bug bounty programs to extend your security testing process.

  • Penetration testing: A point in time—as opposed to continuous—adversarial test for your web applications and APIs. Penetration testing can reveal valuable proof-of-concept attack methods that can be used against your applications and APIs. Penetration testing can also be used to simulate specific attack types.
  • Bug bounty programs: Can be used as a continuous test of your web applications and APIs. Bug bounty communities include hackers at every skill level. They give you the opportunity to invite API hackers to target your APIs for monetary reward.

Proactive security

The development lifecycle should include security from the beginning, APIs included, rather than leaving it until the end while launch dates loom. Baking security in from the project outset means each new phase will include appropriate security measures. The prevalence of APIs requires specific attention to security through a comprehensive API security program, with an effective testing strategy that goes beyond typical automated scans and other oft-used tools and methods.

Gain visibility and insights into the business logic behind your APIs. Automate your API security testing and accelerate remediation with Imvision.
