Securing the Digital Frontier


API SECURITY TESTING WITH POSTMAN, GUIDED BY OWASP TOP 10

Executive Summary

APIs are the bedrock of modern web applications, and the growth in digital capability has brought a matching growth in attack surface. The OWASP Top 10 is the most widely used reference for the most critical web application security risks. This post looks at API security testing with Postman, using the OWASP Top 10 as the benchmark for what the tests should cover.

Introduction

API security testing assesses the robustness, reliability and security of Application Programming Interfaces (APIs). Because APIs are the gateways through which applications communicate and exchange data, they are attractive targets: an inadequately protected API leads directly to data breaches, unauthorized access and abuse of business logic. API security testing looks for weaknesses in these interfaces and confirms that they process requests securely, handle data responsibly and reject unauthorized or malicious interactions. In an interconnected landscape the cost of a lapse is measured in data integrity, customer trust and money, so this testing is not optional.
Postman, a tool built for API development, also provides the means to write and run tests against APIs for functionality, reliability and security. The Open Web Application Security Project (OWASP) Top 10 is an awareness document listing the most critical web application security risks; OWASP also publishes a separate API Security Top 10 (2019, updated in 2023) that covers API-specific risks such as Broken Object Level Authorization. Using these lists to drive the API test plan ensures the tests target the most common and damaging classes of attack rather than whatever happens to come to mind.

API Security Vulnerabilities

Common sources of API vulnerabilities include:

  • Known weaknesses with published Common Vulnerabilities and Exposures (CVE) identifiers in the frameworks, gateways and libraries an API is built on
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, often against endpoints with no rate limiting
  • Injection attacks (SQL, NoSQL, OS command and similar), where untrusted input reaches an interpreter
  • Security misconfiguration (verbose error messages, permissive CORS, default credentials, unnecessary HTTP methods)
  • Missing or weak transport encryption, which allows data disclosure through “sniffing” of API traffic
  • Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA): the API checks that the caller is authenticated but not that this caller may access this object or call this privileged function
  • Unrestricted or unsafe consumption of third-party APIs
  • Undocumented “backdoor” APIs, or shadow APIs
  • Old, deprecated APIs that are still reachable (“zombie APIs”)
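The BOLA and BFLA items above are easiest to see side by side in code. The following is an added example written for this article, not code from the original post or from any tool it mentions: a toy orders API in Node.js with each vulnerable handler next to its hardened form. The user records, the in-memory order store and the request shape are constructed for the illustration.

```javascript
// Added example (not from the original post): object-level and function-level
// authorization on a toy orders API. Users, orders and the request shape are
// constructed for illustration.
'use strict';

// Constructed data: two customers and one admin; every order has an owner.
const users = {
  alice: { id: 'alice', role: 'customer' },
  bob: { id: 'bob', role: 'customer' },
  root: { id: 'root', role: 'admin' },
};
const orders = new Map([
  ['ord-1001', { id: 'ord-1001', ownerId: 'alice', total: 42.5 }],
  ['ord-1002', { id: 'ord-1002', ownerId: 'bob', total: 17.0 }],
]);

// The request as a handler sees it after authentication. The caller's identity
// comes from the verified session or token, never from the URL or body.
function makeRequest(callerId, params) {
  return { user: users[callerId] || null, params };
}

// Vulnerable: looks the order up by the client-supplied id only. Anyone who can
// reach the endpoint can read any order by guessing ids -> BOLA.
function getOrderVulnerable(req) {
  const order = orders.get(req.params.id);
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// Hardened: authenticate, then compare the object's owner with the caller from
// the session. Foreign objects get 404 rather than 403 so the endpoint does not
// confirm that the id exists.
function getOrderHardened(req) {
  if (!req.user) return { status: 401, body: null };
  const order = orders.get(req.params.id);
  if (!order || order.ownerId !== req.user.id) return { status: 404, body: null };
  return { status: 200, body: order };
}

// Vulnerable: a privileged operation exposed to every authenticated caller -> BFLA.
function deleteOrderVulnerable(req) {
  if (!req.user) return { status: 401, body: null };
  const existed = orders.delete(req.params.id);
  return { status: existed ? 204 : 404, body: null };
}

// Hardened: check the function-level privilege before touching the object.
function deleteOrderHardened(req) {
  if (!req.user) return { status: 401, body: null };
  if (req.user.role !== 'admin') return { status: 403, body: null };
  const existed = orders.delete(req.params.id);
  return { status: existed ? 204 : 404, body: null };
}

// Stand-alone demonstration: bob reading alice's order through each handler.
console.log('vulnerable:', getOrderVulnerable(makeRequest('bob', { id: 'ord-1001' })).status); // 200
console.log('hardened:  ', getOrderHardened(makeRequest('bob', { id: 'ord-1001' })).status);   // 404
```

The hardened read returns 404 for both “does not exist” and “not yours”; that is a deliberate choice so an attacker enumerating ids learns nothing from the status code. The delete handler returns 403 instead, because the caller already knows the function exists and the useful signal for a legitimate client is that their role is insufficient.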

RECENT API DATA BREACHES

The figure below lists significant data breaches from 2022 that were caused by API security flaws, ordered by the number of accounts affected. APIs are here to stay, and they are increasingly a favoured target for attackers.

[Figure: table of 2022 API data breaches ordered by accounts impacted; see the source link at the end of the post]

SHIFT LEFT SECURITY: A STRATEGY TO PREVENT API VULNERABILITIES

Traditionally, security testing was run after functional testing, at the end of the development cycle. Security testing is more than trying to break into an application to see how secure it is; it means finding the flaws in the application that an attacker could exploit. As deployment cycles have shortened, the number of security vulnerabilities, especially in APIs, has grown with them. “Shift Left Security” is the proactive answer: integrate security early in the software development life cycle (SDLC), turning it from a reactive end-phase activity into a part of every stage of development. “Shifting left” refers to moving security practices from the right (end) of the SDLC timeline to the left (beginning). The principle is to embed security considerations and tests from the inception of a project rather than bolt them on at the end.


HOW CAN SHIFT LEFT SECURITY WORK?

Adopt a DevSecOps approach, which integrates security practices within the DevOps process.

  • Ensure that security is a part of the sprint planning.
  • The Secure Software Development Life Cycle (SSDLC) is a framework for developing secure software.
  • The SSDLC typically includes activities such as threat modeling, secure coding practices, security testing, and security reviews.
  • Threat modeling allows teams to proactively identify potential security threats and vulnerabilities during the early stages of API development.
  • Discuss potential security risks during feature development and brainstorm ways to mitigate them.
  • Integrate SAST tools into the IDE or the CI/CD pipeline.
  • Fix what they report, deploy the application to a staging environment, and run DAST tools there to simulate attacks and identify risks that only appear at runtime.

  1. Static and dynamic security tests run against the code and the deployed application on every commit.
  2. If vulnerabilities above the agreed severity threshold are found, the build fails; the developer fixes them and recommits, which restarts the pipeline.
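The “build fails” step is usually a small gate script sitting between the scanner output and the pipeline. The following is an added example, not code from the original post or from any scanner: a Node.js gate that takes a findings list (the report shape here is constructed, not a particular tool's format), blocks on findings at or above a severity threshold, and honours time-boxed risk acceptances so that an exception cannot silently live forever.

```javascript
// Added example (not from the original post): a CI build gate over scanner
// findings. The findings/acceptance record shapes are constructed for this
// illustration rather than taken from any specific SAST/DAST tool.
'use strict';

const SEVERITY_RANK = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Decide whether the build fails.
//   findings:  [{ id, severity, title, location }]
//   threshold: lowest severity that blocks (default 'high')
//   accepted:  risk acceptances [{ id, expires: 'YYYY-MM-DD', reason }] that
//              suppress a finding until they expire; an expired acceptance no
//              longer suppresses anything, so stale exceptions surface again.
//   now:       Date used for the expiry check (injectable for tests)
function evaluateGate(findings, { threshold = 'high', accepted = [], now = new Date() } = {}) {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown threshold: ${threshold}`);
  const minRank = SEVERITY_RANK[threshold];
  const active = new Map();
  for (const a of accepted) {
    if (new Date(a.expires) > now) active.set(a.id, a); // invalid dates never count
  }
  const blocking = [];
  const suppressed = [];
  for (const f of findings) {
    const rank = SEVERITY_RANK[f.severity];
    if (rank === undefined) throw new Error(`unknown severity on ${f.id}: ${f.severity}`);
    if (rank < minRank) continue;
    if (active.has(f.id)) { suppressed.push(f); continue; }
    blocking.push(f);
  }
  return { fail: blocking.length > 0, blocking, suppressed };
}

// Constructed sample report, as a scanner might produce after the DAST run.
const sampleFindings = [
  { id: 'API-001', severity: 'critical', title: 'BOLA on GET /orders/{id}', location: 'orders.js:12' },
  { id: 'API-002', severity: 'high', title: 'JWT accepted with alg=none', location: 'auth.js:40' },
  { id: 'API-003', severity: 'medium', title: 'Verbose stack trace in 500 body', location: 'app.js:88' },
  { id: 'API-004', severity: 'low', title: 'Missing Cache-Control on /health', location: 'health.js:5' },
];
// Constructed acceptance: the finding is mitigated elsewhere, fix is tracked.
const sampleAcceptances = [
  { id: 'API-002', expires: '2099-01-01', reason: 'blocked at the gateway; fix tracked in backlog' },
];

// Pipeline entry point: print the verdict and set the process exit code.
function runGate(findings = sampleFindings, accepted = sampleAcceptances) {
  const result = evaluateGate(findings, { threshold: 'high', accepted });
  for (const f of result.blocking) console.error(`BLOCKING ${f.severity.toUpperCase()} ${f.id} ${f.title} (${f.location})`);
  for (const f of result.suppressed) console.error(`suppressed ${f.id} (accepted risk)`);
  process.exitCode = result.fail ? 1 : 0;
  return result;
}

// Stand-alone demonstration without touching the exit code.
const demo = evaluateGate(sampleFindings, { threshold: 'high', accepted: sampleAcceptances });
console.log(demo.fail ? 'gate: FAIL' : 'gate: PASS', demo.blocking.map(f => f.id)); // gate: FAIL [ 'API-001' ]
```

Call `runGate()` as the last step of the scan job; a non-zero exit code is what makes the pipeline stage fail. Keeping the acceptances in the repository with an expiry date means an accepted risk is reviewed again rather than forgotten.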

HOW DOES SECURITY TESTING WORK WITH APIS?

“Shift security left” in the context of APIs means integrating security practices early in the API development life cycle, so that potential vulnerabilities are identified and mitigated before they become production incidents. During API security testing the API’s security controls are exercised and evaluated to confirm that they actually defend it against threats, attacks and known weakness classes. That means running tests that target input validation, error handling, data integrity, transport encryption, authentication and authorization, and the other security-relevant components of the API.

Many teams use Postman to develop their APIs, build collections for them, and write their tests and documentation. As the shift-left mindset spreads, development teams want to run security scans on the API collections they already manage in Postman before deployment. These tests cover the common failure modes of contemporary APIs: OAuth 2.0 flows, JWT handling, authentication, authorization and access control. With this approach developers can enable security testing as they create and modify APIs in Postman, saving time and money compared with a separate late-stage assessment.
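To make the Postman side concrete, here is an added example (not from the original post, Postman or Pynt): two test scripts written the way they would appear in a request’s Tests tab, using only `pm.test`, `pm.response.code`, `pm.response.headers.get` and `pm.response.json`, plus a small stand-in for the Postman sandbox so the scripts run under plain Node.js against constructed responses. The JWT decode helper uses Node’s `Buffer`; inside Postman you would substitute the sandbox’s base64 facilities. The sample tokens and responses are constructed, and the decode is deliberately unverified: the tests inspect claims, they do not validate the signature.

```javascript
// Added example (not from the original post, Postman or Pynt): Postman-style
// security tests run under plain Node.js via a stand-in for the sandbox.
'use strict';

// Minimal stand-in for the parts of Postman's `pm` object the scripts use.
// In Postman itself this object is provided; only the two *Tests functions
// below would be pasted into the Tests tab.
function makePm(response) {
  const results = [];
  return {
    results,
    response: {
      code: response.status,
      headers: {
        get(name) {
          const key = Object.keys(response.headers).find(h => h.toLowerCase() === name.toLowerCase());
          return key ? response.headers[key] : undefined;
        },
      },
      json: () => JSON.parse(response.body),
    },
    // pm.test marks a test failed when its callback throws, as in Postman.
    test(name, fn) {
      try { fn(); results.push({ name, passed: true }); }
      catch (e) { results.push({ name, passed: false, error: e.message }); }
    },
  };
}

// Decode a JWS compact token WITHOUT verifying it: test-side inspection of
// claims, not a validation step. Uses Node's Buffer (assumption for this demo).
function decodeJwtUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  const fromB64url = s => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
  return { header: JSON.parse(fromB64url(parts[0])), payload: JSON.parse(fromB64url(parts[1])) };
}

// Tests tab for a BOLA probe: GET /orders/ord-1002 (another customer's order)
// sent with alice's valid token. A correct API must refuse it.
function bolaProbeTests(pm) {
  pm.test('foreign object is refused', () => {
    if (![401, 403, 404].includes(pm.response.code)) throw new Error(`expected 401/403/404, got ${pm.response.code}`);
  });
  pm.test('response body does not carry the object', () => {
    const body = pm.response.json();
    if (body && body.ownerId !== undefined) throw new Error('response carries object fields');
  });
}

// Tests tab for the token endpoint (POST /oauth/token): inspect what the server
// hands out before any other request in the collection relies on it.
function tokenTests(pm) {
  pm.test('HSTS present on the token response', () => {
    if (!pm.response.headers.get('Strict-Transport-Security')) throw new Error('missing Strict-Transport-Security');
  });
  pm.test('JWT is signed (alg is not none)', () => {
    const { header } = decodeJwtUnverified(pm.response.json().access_token);
    if (!header.alg || String(header.alg).toLowerCase() === 'none') throw new Error(`alg=${header.alg}`);
  });
  pm.test('JWT carries a short expiry', () => {
    const { payload } = decodeJwtUnverified(pm.response.json().access_token);
    if (typeof payload.exp !== 'number') throw new Error('no exp claim');
    if (payload.exp - payload.iat > 3600) throw new Error('lifetime exceeds 1 hour');
  });
}

// Constructed responses standing in for a vulnerable and a hardened API.
const toB64url = obj => Buffer.from(JSON.stringify(obj)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fakeJwt = (header, payload, sig = '') => `${toB64url(header)}.${toB64url(payload)}.${sig}`; // sig is a placeholder, never checked
const jsonHeaders = { 'Content-Type': 'application/json' };
const sampleResponses = {
  vulnerableOrder: { status: 200, headers: jsonHeaders, body: JSON.stringify({ id: 'ord-1002', ownerId: 'bob', total: 17 }) },
  hardenedOrder: { status: 404, headers: jsonHeaders, body: JSON.stringify({ error: 'not found' }) },
  weakToken: { status: 200, headers: jsonHeaders,
    body: JSON.stringify({ access_token: fakeJwt({ alg: 'none', typ: 'JWT' }, { sub: 'alice', iat: 1700000000 }) }) },
  goodToken: { status: 200, headers: { ...jsonHeaders, 'Strict-Transport-Security': 'max-age=31536000' },
    body: JSON.stringify({ access_token: fakeJwt({ alg: 'HS256', typ: 'JWT' }, { sub: 'alice', iat: 1700000000, exp: 1700003600 }, 'c2lnbmF0dXJl') }) },
};

// Run one Tests-tab script against one response and return its results.
function runScript(script, response) {
  const pm = makePm(response);
  script(pm);
  return pm.results;
}

for (const [name, resp] of Object.entries(sampleResponses)) {
  const script = name.endsWith('Token') ? tokenTests : bolaProbeTests;
  for (const r of runScript(script, resp)) console.log(`${name}: ${r.passed ? 'PASS' : 'FAIL'} ${r.name}${r.error ? ' (' + r.error + ')' : ''}`);
}
```

The BOLA probe is the important pattern: the request is a copy of a legitimate one with only the object id changed to one the caller does not own, and the assertion is that the API refuses it. That is one request per endpoint in the collection, which is exactly the kind of repetitive case that a generator such as Pynt produces from an existing functional collection.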

API SECURITY TESTING TOOLS

Here are some notable tools for testing API security.

  • OWASP ZAP (Zed Attack Proxy)
  • Burp Suite
  • Telerik Fiddler
  • Pynt
  • Taurus
  • AppCheck
  • Probely

A SAMPLE INTEGRATION OF PYNT WITH POSTMAN


Pynt builds a model of the API from observed traffic, using what the vendor describes as an ML analysis engine, and then runs dynamic security tests against that model. Its Postman integration presents the results inside a tool many teams already use; the vendor states that its dynamic tests cover the OWASP Top 10 categories.

PYNT’S USAGE

  1. Integration with Postman collections: Pynt parses the requests in your functional test collection and enumerates the endpoints, methods and parameters your API uses.
  2. Automated test generation: from common weakness patterns such as SQL injection, Cross-Site Scripting (XSS) and CSRF, it generates security-specific test cases and places them in a new or existing collection in your Postman workspace.
  3. Execution of security tests: the generated collection runs like any other Postman collection; while it runs, Pynt mutates request payloads, headers, methods and parameters.
  4. Reporting and feedback: after the run, each request is shown as passing or failing its security tests, with details for any identified vulnerability such as impact, risk rating and, where available, remediation steps.

PYNT – TEST REPORT

[Figure: screenshot of a Pynt test report, not reproduced here]
CONCLUSION

API security testing is a critical part of ensuring the robustness and integrity of web applications. Knowing where your APIs are and how an attacker could turn them against you matters, because an API breach can do serious financial and reputational damage. This post has described one option, integrating the Pynt library with Postman; other API security tools can be used depending on the organization’s capacity and testing requirements. Regular API security scans find vulnerabilities so they can be fixed before they are exploited. A well-executed API security testing strategy, backed by the right tools, is essential to identify and mitigate these risks and make the application far harder to breach.

source: https://techblog.cisco.com/blog/top-5-api-security-breaches-in-2022

Nancy Jerfia
