How AI is revolutionizing "shift left" testing in API security

Catching coding errors in API preproduction, before they are spun up and go live is critical in preventing exploitable vulnerabilities.
For developers who are not security experts, fixing code or knowing business logic abuse possibilities can be time-consuming, while security testers find it frustrating that code is not scrutinized enough.
It's for these reasons that automating testing is necessary, and adding generative artificial intelligence into the mix could also make it easier.
Automated API security testing predominantly uses tools from two application security methodologies: static application security testing and dynamic application security testing.
In contrast, DAST is a security testing method that sees a vulnerability scanner tool used to probe an actively running application in a production or non-production environment, but has no access to the source code.
SAST and DAST are well-established web application tools that can be used for API testing.
The complex workflows associated with APIs can result in an incomplete analysis by SAST. At the same time, DAST cannot provide an accurate assessment of the vulnerability of an API without more context on how the API is expected to function correctly, nor can it interpret what constitutes a successful business logic attack.
We've seen API-specific test tooling gain ground, enabling things like continuous validation of API specifications.
API security testing is increasingly being integrated into the API security offering, translating into much more efficient processes, such as automatically associating appropriate APIs with suitable test cases.
A major challenge with any application security test plan is generating test cases tailored explicitly for the apps being tested before release.
In an API context, this might involve checking to see if the API is returning the correct data when called, an issue that if it goes wrong, could easily see application data being compromised.
API security testing poses a more complex problem because APIs are based on various technologies, business functions, and other factors.
Many organizations create test plans manually, which can lead to errors and require developers to have knowledge of security test cases to associate with their APIs.
API security testing adoption can be expedited by automating the manual associate test cases for API endpoints.
This would enable application developers to identify the necessary security tests they need to perform before deploying the code from development to higher environments.
It can be used to automatically produce API security test plans and significantly reduce barriers to obtaining the results.
Such a test plan would then cue an automatic inspection of payment API endpoints and the payload characteristics and associate the appropriate test cases to test those endpoints for compliance with the PCI DSS. In the event of a test failure, the remediation workflow can then be exported to third-party systems for remediation, with details into the cause provided by GenAI, and the test results can also be integrated into the CI/CD pipeline.
It's still too early to determine the full impact that GenAI will have on API development and security testing.
Early evidence indicates that it has the power to reduce the time taken to generate test cases significantly and harmonize testing across development and security teams.
Crucially, it builds upon recent advances in integrating of API security testing within API security tools, meaning the sector no longer needs to rely purely on SAST/DAST tooling.


This Cyber News was published on www.helpnetsecurity.com. Publication date: Tue, 05 Dec 2023 06:13:05 +0000


Cyber News related to How AI is revolutionizing "shift left" testing in API security

Microservices Resilient Testing Framework - As organizations increasingly embrace the microservices approach, the need for a resilient testing framework becomes important for the reliability, scalability, and security of these distributed systems. From preemptive problem-solving to the ...
9 months ago Feeds.dzone.com
How Does Automated API Testing Differ from Manual API Testing: Unveiling the Advantages - Delve into automated versus manual API testing for efficient software delivery. See how automation speeds validation while manual testing provides human insight, ensuring comprehensive coverage for robust development. In the domain of software ...
8 months ago Hackread.com
How AI is revolutionizing "shift left" testing in API security - Catching coding errors in API preproduction, before they are spun up and go live is critical in preventing exploitable vulnerabilities. For developers who are not security experts, fixing code or knowing business logic abuse possibilities can be ...
10 months ago Helpnetsecurity.com
How to do Penetration Testing effectively - In today's digital era, penetration testing has become crucial to an organisation's cybersecurity strategy. From network penetration testing to web application and mobile app penetration testing, a comprehensive pen test covers a wide range of attack ...
4 months ago Securityboulevard.com
Defining Good: A Strategic Approach to API Risk Reduction - A good API security strategy starts with a well thought out API security posture governance program that spans from design to deployment. That standard, if communicated and enforced effectively, will not only positively affect how a developer designs ...
8 months ago Securityboulevard.com
What is App Security? SAST, DAST, IAST, and RASP. - Effective application security relies on well-defined processes and a diverse array of specialized tools to provide protection against unauthorized access and attacks. Security testing is a critical part of an application security strategy and should ...
9 months ago Feeds.dzone.com
Part 2: Smart Shift Left - In my previous blog post, we discussed the state of the union for shift left and and how many organizations are not implementing correctly. Recognizing the consequences of a poor shift left model. Many of the high friction points with a poor shift ...
6 months ago Feedpress.me
Application Security Testing Explained - That's precisely why application security is a top priority for security teams and a crucial consideration for DevOps. Application security testing is like giving your software a thorough health check to ensure it's robust and resilient against cyber ...
9 months ago Securityboulevard.com
Imperva Named an Overall Leader in the KuppingerCole Leadership Compass: API Security and Management Report - We're thrilled to share that Imperva has achieved the prestigious status of Overall Leader in the KuppingerCole Leadership Compass: API Security and Management report. A notable achievement is being recognized as one of the few non-gateway-first ...
10 months ago Imperva.com
Salt Security Delivers API Posture Governance Engine - PRESS RELEASE. PALO ALTO, Calif., Jan. 17, 2024 /PRNewswire/ - Salt Security, the leading API security company, today announced multiple advancements in discovery, posture management and AI-based threat protection to the industry leading Salt ...
8 months ago Darkreading.com
How to Use Pen Testing to Find Vulnerabilities - One effective method for conducting an information security audit is through penetration testing. The contractor would conduct thorough testing and provide detailed penetration reports, complete with recommendations for safeguarding corporate data. ...
8 months ago Feeds.dzone.com
The 9 Most Essential API Security Tools to Protect Against Cyber Threats - Understanding the importance of API security is crucial as technological advancements across various industries continue to make our lives easier. Through APIs connecting different systems and services together, automation is becoming increasingly ...
1 year ago Csoonline.com
Unified API Protection - A massive segment of organizations' digital footprint today is built around internal and external APIs. As more IT leaders realize and acknowledge the size of APIs' influence, it's become clear that new methods are needed to secure those APIs. While ...
1 year ago Cequence.ai
What do CISOs need to know about API security in 2024? - According to Postman's 2023 State of the API Report, roughly 66% of participants indicated that their APIs contribute to generating revenue. A recent ESG survey on API security showed that 92% of organisations using APIs have experienced a breach in ...
9 months ago Cybersecurity-insiders.com
API Security: The Big Picture - Given this, it is no surprise that API security is a top priority for many security teams in the coming year. Here are 10 strategic things to look for in an API security offering. Multiple Environment Capability API security isn't very helpful if it ...
9 months ago Darkreading.com
Product showcase: ImmuniWeb AI Platform - ImmuniWeb is a global application security company that currently serves over 1,000 customers from more than 50 countries. ImmuniWeb AI Platform has received numerous prestigious awards and industry recognitions for intelligent automation and ...
9 months ago Helpnetsecurity.com
Akto Launches Proactive GenAI Security Testing Solution - With the increasing reliance on GenAI models and Language Learning Models like ChatGPT, the need for robust security measures have become paramount. Akto, a leading API Security company, is proud to announce the launch of its revolutionary GenAI ...
7 months ago Darkreading.com
That time I broke into an API and became a billionaire - This included an internal API with a dependency on a third-party banking API. We'll get to the banking API later in this story. That's all thanks to developers embracing agile development, microservices, and API gateway redirection that exposed ...
9 months ago Securityboulevard.com
3 security best practices for all DevSecOps teams - It's been over 10 years since Shannon Lietz introduced the term DevSecOps, aiming to get security a seat at the table with IT developers and operators. More organizations are looking to shift-left security to ensure that security is prominent in ...
10 months ago Infoworld.com
Most API security strategies are underdeveloped. Let's unpack that. - Adaptation to Change: Strategies are not static; they evolve over time. Applying these concepts to information security and cyber security in general, we can easily see that having a strategy is a) nothing novel and b) applicable to all. Filter down ...
9 months ago Itsecurityguru.org
API Gateways and API Protection: What’s the Difference? - Security Boulevard - At the security level, API security tools and gateways provide different controls to protect APIs from various threats. API protection – or API security – refers to a comprehensive set of security capabilities designed to protect APIs from a wide ...
1 week ago Securityboulevard.com
API security in 2024: Predictions and trends - As technology continues to advance at an unprecedented pace, so does the complexity of API security. With the proliferation of APIs in modern applications and services, organizations will need to develop a better understanding of their API ...
9 months ago Helpnetsecurity.com
Optimizing API Lifecycles - In this article, we will delve into the intricacies of optimizing API lifecycles-an essential aspect for product managers navigating the dynamic landscape of digital integration. From conceptualization to retirement, understanding and implementing ...
10 months ago Feeds.dzone.com
7 Essential Practices for Secure API Development - The necessity for API security cannot be overstated. Authentication and Authorization Authentication and authorization form the cornerstone of secure API interactions. In the world of API security, managing identities accurately ensures that only ...
7 months ago Feeds.dzone.com
API Security in 2024: Navigating New Threats and Trends - As we step into 2024, the landscape of API security is at a critical juncture. The previous year witnessed a significant escalation in API-related breaches, impacting diverse organizations and bringing to light the critical vulnerabilities in API ...
7 months ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)