Catching coding errors in APIs while they are still in pre-production, before they are deployed and go live, is critical to preventing exploitable vulnerabilities.
For developers who are not security experts, fixing insecure code or anticipating how business logic can be abused is time-consuming, while security testers find it frustrating that code is not scrutinized closely enough.
For these reasons, automated testing is necessary, and adding generative AI (GenAI) into the mix could make it easier still.
Automated API security testing predominantly uses tools from two application security methodologies: static application security testing (SAST) and dynamic application security testing (DAST).
SAST analyzes an application's source code (or compiled artifacts) without executing it. DAST, in contrast, uses a vulnerability scanner to probe an actively running application in a production or non-production environment, and has no access to the source code.
SAST and DAST are well-established web application security tools that can also be used for API testing.
The complex workflows associated with APIs can leave SAST with an incomplete analysis. DAST, meanwhile, cannot accurately assess an API's vulnerability without more context on how the API is expected to function, nor can it recognize what constitutes a successful business logic attack.
We've seen API-specific test tooling gain ground, enabling things like continuous validation of API specifications.
API security testing is increasingly being integrated into broader API security platforms, which makes processes such as automatically associating APIs with suitable test cases much more efficient.
A major challenge with any application security test plan is generating test cases tailored explicitly for the apps being tested before release.
In an API context, this might involve checking whether the API returns exactly the data it should when called, and no more; if that goes wrong, application data can easily be exposed.
API security testing is more complex still because APIs are built on a variety of technologies, serve different business functions, and differ in other ways that a generic test plan cannot anticipate.
Many organizations create test plans manually, which is error-prone and requires developers to know which security test cases to associate with their APIs.
API security testing adoption can be expedited by automating the manual association of test cases with API endpoints.
This would let application developers identify the security tests they need to run before promoting code from development to higher environments.
GenAI can be used to automatically produce API security test plans, significantly lowering the barrier to obtaining results.
For a payment API, for example, such a test plan would cue an automatic inspection of the endpoints and their payload characteristics, and associate the appropriate test cases for checking those endpoints against PCI DSS requirements. If a test fails, the remediation workflow can be exported to third-party systems, with GenAI supplying details of the cause, and the test results can also be fed into the CI/CD pipeline.
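The association step described above can be made concrete without any GenAI at all. The Python below is an added example, not code from the article or from any product it describes: it walks a small, constructed OpenAPI 3 document, tags endpoints whose request or response schemas carry cardholder-data field names, emits a test plan keyed by endpoint, and implements one of the plan's test cases (PAN masking) as a runtime check over a captured JSON response. The sample spec, the field-name patterns and the test-case identifiers such as PCI-MASK-01 are hypothetical; they are not PCI DSS control numbers.

```python
"""Rule-based association of security test cases with API endpoints, derived from an
OpenAPI 3 document. Everything below (spec, field-name patterns, test-case IDs) is
constructed for this example; it is not a PCI DSS control list."""
import re

# Constructed OpenAPI 3 fragment: two payment endpoints and one unrelated endpoint.
SAMPLE_SPEC = {"paths": {
    "/payments": {"post": {
        "requestBody": {"content": {"application/json": {"schema": {"properties": {
            "card_number": {"type": "string"}, "expiry": {"type": "string"},
            "cvv": {"type": "string"}, "amount": {"type": "number"}}}}}},
        "responses": {"201": {"content": {"application/json": {"schema": {"properties": {
            "id": {"type": "string"}, "card_number": {"type": "string"}}}}}}},
    }},
    "/payments/{id}": {"get": {
        "responses": {"200": {"content": {"application/json": {"schema": {"properties": {
            "id": {"type": "string"}, "card_number": {"type": "string"}, "amount": {"type": "number"}}}}}}},
    }},
    "/health": {"get": {"responses": {"200": {"description": "ok"}}}},
}}

# Field-name patterns that indicate cardholder data (hypothetical).
CARD_FIELD_RE = re.compile(r"card_?number|\bpan\b|cvv|cvc|expir", re.I)
PAN_FIELD_RE = re.compile(r"card_?number|\bpan\b", re.I)
CVV_FIELD_RE = re.compile(r"cvv|cvc", re.I)
# 13-19 digits, optionally separated by spaces or dashes: the shape of an unmasked PAN.
UNMASKED_PAN_RE = re.compile(r"\d(?:[ -]?\d){12,18}")

# Hypothetical test-case identifiers that the generated plan refers to.
TEST_CASES = {
    "PCI-TLS-01": "endpoint handling cardholder data must reject plaintext HTTP",
    "PCI-MASK-01": "response must not return an unmasked PAN",
    "PCI-CVV-01": "CVV must never be returned or stored after authorization",
    "AUTHZ-01": "object-level authorization enforced on path parameters",
}

def schema_fields(schema):
    """Yield property names of an OpenAPI schema, descending into nested objects and arrays."""
    if not isinstance(schema, dict):
        return
    for name, sub in schema.get("properties", {}).items():
        yield name
        yield from schema_fields(sub)
    if "items" in schema:
        yield from schema_fields(schema["items"])

def content_fields(content):
    """Collect property names across every media type of a requestBody/response 'content' map."""
    fields = set()
    for media in (content or {}).values():
        fields.update(schema_fields(media.get("schema")))
    return fields

def classify_endpoint(path, operation):
    """Return the ordered list of test-case IDs that apply to one path + method operation."""
    req = content_fields(operation.get("requestBody", {}).get("content"))
    resp = set()
    for response in operation.get("responses", {}).values():
        resp |= content_fields(response.get("content"))
    tests = []
    if any(CARD_FIELD_RE.search(f) for f in req | resp):
        tests.append("PCI-TLS-01")   # cardholder data anywhere -> transport check
    if any(PAN_FIELD_RE.search(f) for f in resp):
        tests.append("PCI-MASK-01")  # PAN field in a response -> masking check
    if any(CVV_FIELD_RE.search(f) for f in req | resp):
        tests.append("PCI-CVV-01")   # CVV accepted or returned -> echo/storage check
    if "{" in path:
        tests.append("AUTHZ-01")     # path parameter -> object-level authorization check
    return tests

def build_test_plan(spec):
    """Map 'METHOD /path' to its test-case IDs; endpoints needing no tests are omitted."""
    plan = {}
    for path, operations in spec["paths"].items():
        for method, operation in operations.items():
            tests = classify_endpoint(path, operation)
            if tests:
                plan[f"{method.upper()} {path}"] = tests
    return plan

def check_pan_masked(response_json):
    """Runtime form of PCI-MASK-01: True if no PAN-named field anywhere in the (possibly
    nested) response carries an unmasked card number; '************1111' passes."""
    if isinstance(response_json, dict):
        for key, value in response_json.items():
            if isinstance(value, str) and PAN_FIELD_RE.search(key) and UNMASKED_PAN_RE.search(value):
                return False
            if not check_pan_masked(value):
                return False
        return True
    if isinstance(response_json, list):
        return all(check_pan_masked(item) for item in response_json)
    return True

if __name__ == "__main__":
    for endpoint, tests in build_test_plan(SAMPLE_SPEC).items():
        print(endpoint, "->", ", ".join(f"{t} ({TEST_CASES[t]})" for t in tests))
```

Running the module prints the plan; in a pipeline the same dict is the artifact that decides which tests run against which endpoints before promotion. Two deliberate limits are worth knowing: the PAN check only inspects fields whose names look like a card number, so a PAN leaked into a free-text field would be missed (a broader digit scan with Luhn validation trades that for false positives on order IDs), and the classifier only sees declared schemas, so an undocumented endpoint receives no tests at all, which is exactly the gap that continuous validation of the API specification is meant to close.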
It's still too early to determine the full impact that GenAI will have on API development and security testing.
Early evidence indicates that it can significantly reduce the time taken to generate test cases and harmonize testing across development and security teams.
Crucially, it builds upon recent advances in integrating API security testing within API security tools, meaning the sector no longer needs to rely purely on SAST/DAST tooling.
This article was published on www.helpnetsecurity.com on Tue, 05 Dec 2023 06:13:05 +0000.