Application Programming Interface (APIs), allow services to communicate with each other. Naturally, applications that are interconnected through many APIs, require thorough security testing, as each connection could potentially include software vulnerabilities. Since there are different methods to test these junctions, I want to briefly discuss the benefits and weaknesses of the most commonly used API testing methods in this article.
Static application security testing (SAST) is a white-box testing method that examines the underlying framework and implementation of applications and APIs. Since they scan the source code without actually executing it, SAST tools can generate 100% code coverage. Using this approach is a good way to detect software vulnerabilities such as SQL injections and other OWASP top 10 bugs.
Since SAST tools do not test the code during runtime, they tend to produce false positive results. The challenge of this method is to manually weed out these false positives from the actual bug findings. Since some SAST tools (especially the dated ones) are not designed to identify API ingress points, they are most efficient when implemented alongside more specialized tools that can explore the structure of APIs.
Dynamic application security testing (DAST) is usually implemented as a black-box testing method, i.e. without access to the source code. By feeding a system with randomized or predefined inputs, DAST tools aim to identify weaknesses that an attacker could take advantage of. In contrast to SAST, DAST works from the outside in. Since it executes the code during testing, DAST tools generate virtually no false positives. Therefore, DAST tools are highly effective at finding edge cases and testing APIs from an attacker's perspective.
Often, DAST tools are deployed at later stages of the development process since they require a somewhat functional application. Since DAST tools test software based on random or predefined inputs, manual fine-tuning can greatly enhance their ability to reach relevant parts of the system under test.
Interactive application security testing (IAST) unites static and dynamic application security testing (SAST and DAST) to build a cooperative and self-learning application security testing approach. IAST offers higher code coverage, produces better results, and works faster than SAST or DAST tools alone. To get the most out of IAST approaches, it is considered a best practice to either pair them up with predefined test cases or with black-box approaches that use well-defined patterns.
Feedback-based fuzzing or feedback-based application security testing (FAST) is a dynamic testing method that uses an advanced white-box technique to find functional bugs and security issues in software. It analyzes the structure of the code and gives feedback during the testing process. With this feedback, fuzzers can automatically generate test cases that maximize code coverage and thereby target the majority of APIs in a system. Feedback-based fuzzing is compatible with most CI/CD environments, where it can be automated to enable developers to run continuous security tests on their own code.
Which testing approach will deliver the best results for you is largely dependent on the project you are working on and the goals you are trying to achieve. Nonetheless, I would recommend using multiple testing methods that complement each other. For example, you could pair up a SAST solution with feedback-based fuzzing. With the SAST solutions, you will be able to scan the entire source code for vulnerabilities, while fuzzing enhances it with the relevant runtime context to find unexpected edge cases.
REST APIs are by far the most used API format in web development. Learn more about best practices and testing approaches that can help you detect and secure REST API endpoints.