API SECURITY TESTING WITH POSTMAN, GUIDED BY OWASP TOP 10
Executive Summary
The digital transformation era has ushered in a plethora of web applications, with APIs forming their bedrock. However, with increasing digital capabilities comes a heightened risk landscape. Recognizing this, the industry has widely adopted the OWASP Top 10 as a gold standard for identifying and mitigating the most critical web application vulnerabilities. This blog ventures into the nexus of API security testing, employing the comprehensive capabilities of Postman while being anchored to the benchmarks set by the OWASP Top 10.
Introduction
API Security Testing focuses on assessing the robustness, reliability, and security of Application Programming Interfaces (APIs). As APIs act as gateways, enabling applications to communicate and exchange data, they have become attractive targets for cybercriminals. Inadequately protected APIs can lead to data breaches, unauthorized access, and other malicious activities. API Security Testing delves into identifying potential vulnerabilities within these interfaces, ensuring that they process requests securely, handle data responsibly, and reject unauthorized or malicious interactions. Embracing such testing is paramount in today’s interconnected digital landscape, where the stakes of a security lapse can be colossal in terms of data integrity, trust, and financial implications.
Postman, a powerful tool designed for API development, provides capabilities for testing APIs to ensure they meet performance, reliability, and security benchmarks. The Open Web Application Security Project (OWASP) Top 10 provides a definitive ranking of the most critical web application vulnerabilities. By integrating OWASP guidelines into our API testing strategy, we can ensure that our APIs are protected against the most common and devastating attacks.
API Security Vulnerabilities
Common sources of API vulnerabilities include:
- Known vulnerabilities tracked as Common Vulnerabilities and Exposures (CVEs)
- DDoS (Distributed Denial of Service) attacks
- Injection attacks
- Security misconfigurations
- Lack of encryption, which enables data disclosure through “sniffing” attacks
- Broken Function Level Authorization (BFLA), i.e. inadequate function-level authorization checks
- Unrestricted access to third-party APIs
- Undocumented “backdoor” APIs, also known as shadow APIs
- Old, obsolete APIs (sometimes known as “zombie APIs”)
RECENT API DATA BREACHES
Without further ado, here are some significant data breaches in 2022 that were caused by API security flaws, organized by the number of accounts impacted. APIs are here to stay and are progressively becoming a popular target for data breaches.
SHIFT LEFT SECURITY: A STRATEGY TO PREVENT API VULNERABILITIES
Traditionally, security testing was carried out after application testing, at the end of the development cycle. Security testing involves more than just breaking into an application to see how secure it is; it also involves finding application flaws that an attacker could take advantage of. In the evolving landscape of software development, rapid deployment cycles have been matched by a surge in security vulnerabilities, especially in APIs. “Shift Left Security” is a proactive approach that integrates security early in the software development life cycle (SDLC), moving it from a reactionary end-phase activity to an inherent part of every stage of development. “Shifting left” denotes the transition of security practices from the right (end) of the SDLC timeline to the left (beginning). The principle emphasizes embedding security considerations and tests from the inception of a project, rather than bolting them on at the end.
HOW DOES SHIFT LEFT SECURITY WORK?
Adopt a DevSecOps approach, which integrates security practices within the DevOps process:
- Ensure that security is a part of sprint planning.
- Follow the Secure Software Development Life Cycle (SSDLC), a framework for developing secure software.
- The SSDLC typically includes activities such as threat modeling, secure coding practices, security testing, and security reviews.
- Threat modeling allows teams to proactively identify potential security threats and vulnerabilities during the early stages of API development.
- Discuss potential security risks during feature development and brainstorm ways to mitigate them.
- Integrate SAST tools into the IDE or the CI/CD pipeline.
- Address any vulnerabilities found, then deploy the application in a staging environment and run DAST tools to simulate various attacks and identify potential security risks.
- Security tests, both static and dynamic, run against the code and the application.
- If vulnerabilities are found, the build fails; the developer fixes the vulnerabilities and recommits the code, restarting the process.
HOW DOES SECURITY TESTING WORK WITH APIs?
“Shift security left” in the context of APIs emphasizes the early integration of security practices within the API development life cycle. By introducing security measures from the outset, potential vulnerabilities can be identified and mitigated before they become major issues. During API security testing, an API’s security measures are examined and evaluated to make sure they are effective in defending the API against threats, attacks, and vulnerabilities. It entails running extensive tests to find flaws in input validation, error handling, data integrity, encryption methods, authentication systems, and other security-related components of an API.
Most businesses use Postman to develop their APIs, generate collections for them, and write tests and documentation. As the shift-left mentality spreads, dev teams want to run security scans on the API assets they manage in Postman before deployment. These tests cover a variety of contemporary attack surfaces, including OAuth 2.0 flows, JWT handling, authentication, authorization, and access control. With this method, developers can quickly enable security testing as they create and modify APIs in Postman while saving time and money.
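As an added example (not code from this post, Postman or Pynt), the checks below codify three of the OWASP API Top 10 concerns the post names (broken authentication, BOLA/BFLA, and misconfiguration around JWTs and transport) as plain functions over a response object `{code, headers, body}`, so they can be pasted into a Postman Tests script or run offline under Node. Lower-cased header names, the `ownerId` and `access_token` field names, and the sample responses are assumptions constructed for the demo.

```javascript
// Each check returns a list of finding strings; an empty list means "pass".

function b64url(obj) {            // base64url-encode a JSON object (no padding)
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function jwtHeader(token) {       // decode only the JWT header; no verification
  const part = token.split('.')[0].replace(/-/g, '+').replace(/_/g, '/');
  const pad = part.length % 4 ? '='.repeat(4 - (part.length % 4)) : '';
  return JSON.parse(Buffer.from(part + pad, 'base64').toString('utf8'));
}

// Broken authentication: a request sent with no credentials must be rejected.
function checkUnauthenticatedRejected(resp) {
  return [401, 403].includes(resp.code) ? []
    : [`unauthenticated request answered with HTTP ${resp.code}`];
}

// BOLA / BFLA: user A requesting user B's object, or an admin-only function,
// must be refused and must never receive B's data (assumed field: ownerId).
function checkCrossUserAccessDenied(resp, otherUserId) {
  const findings = [];
  if (resp.code >= 200 && resp.code < 300) findings.push('cross-user request succeeded');
  if (resp.body && String(resp.body.ownerId) === String(otherUserId))
    findings.push(`response exposes object owned by user ${otherUserId}`);
  return findings;
}

// Misconfiguration / transport: a login response must issue a signed JWT
// (not alg=none), forbid caching of the token, and pin clients to TLS (HSTS).
function checkLoginResponse(resp) {
  const findings = [];
  const token = resp.body && resp.body.access_token;   // assumed field name
  if (!token) return ['login response carries no access_token'];
  const alg = String(jwtHeader(token).alg || '').toLowerCase();
  if (alg === '' || alg === 'none') findings.push(`JWT header alg is "${alg}"`);
  if (!/no-store/i.test(resp.headers['cache-control'] || ''))
    findings.push('token response lacks Cache-Control: no-store');
  if (!resp.headers['strict-transport-security'])
    findings.push('missing Strict-Transport-Security header');
  return findings;
}

// In Postman's Tests tab, adapt pm.response and assert on an empty finding list:
//   const resp = { code: pm.response.code, body: pm.response.json(),
//     headers: Object.fromEntries(pm.response.headers.all()
//       .map(h => [h.key.toLowerCase(), h.value])) };
//   pm.test('login response passes security checks',
//           () => pm.expect(checkLoginResponse(resp)).to.eql([]));
```

The constructed sample responses live in the test harness rather than the block; the functions only inspect what the API returns, so they add no request-side behaviour to a collection.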
API SECURITY TESTING TOOLS
Here are some notable tools for testing API security.
- OWASP ZAP (Zed Attack Proxy)
- BurpSuite
- Telerik Fiddler
- Pynt Library
- Taurus
- AppCheck
- Probely
A SAMPLE INTEGRATION OF PYNT WITH POSTMAN
Pynt’s engine is built on an ML analysis module that converts API traffic into a usable model. Pynt’s integration allows Postman users to see actionable results from security tests in a format and platform that many are already familiar with, and its dynamic security testing covers all of the OWASP Top 10.
PYNT’S USAGE
- Integration of Pynt with Postman Collections: Pynt parses the requests in your functional test collection and lists the endpoints, methods, and parameters your API uses.
- Automated Test Generation: Based on prevalent flaws and their patterns, such as SQL injection, Cross-Site Scripting (XSS), CSRF, etc., it generates security-specific test scenarios. These generated tests are then placed in a new or existing test collection in your Postman workspace.
- Execution of Security Tests: The generated security test collection can be run in Postman just like any other collection. While the tests run, Pynt may modify the request payloads, headers, methods, and parameters.
- Reporting and Feedback: After executing the tests, results will be displayed, typically indicating which requests passed or failed the security tests. Detailed feedback might be provided for any identified vulnerabilities, including potential impacts, risk ratings, and possibly remediation steps.
PYNT – TEST REPORT
CONCLUSION
In conclusion, API security testing is a critical aspect of ensuring the robustness and integrity of web applications. Knowing where your APIs are and how attackers could use them against you matters all the more because an API breach can have a devastating effect on a company’s finances and reputation. Here, we have presented one open-source option: integrating the Pynt library with Postman. Alternative API security tools or solutions can be used depending on the organization’s bandwidth or security test requirements. Regular API security scans find vulnerabilities in your application so you can address them before they are exploited, increasing the application’s security. A well-executed API security testing strategy, backed by the right tools, is essential to identify and mitigate these risks and make the application unbreachable.
source: https://techblog.cisco.com/blog/top-5-api-security-breaches-in-2022