Making automated API vulnerability testing a reality

Scanning API endpoints for vulnerabilities is both a necessity and a serious technical challenge. Web applications rely heavily on APIs in many roles, including accessing data, interfacing with external systems, and providing internal communication between components. This makes them common and high-value targets for cyberattackers, with some data suggesting a 400% rise in API attacks just across Q4 of 2022 and Q1 of 2023. API security based purely on manual testing can really struggle under the combined pressure of managing development and threats at the same time.

APIs are ubiquitous in modern web applications and permeate both the software world and our daily lives, whether we see them or not. For any organization that wants complete coverage, API security is a must-have element of any application security strategy. This post presents highlights from a new Invicti white paper that details best practices for making API vulnerability scanning a routine and reliable part of application development and operations so you can embed API security as a routine part of your software development lifecycle (SDLC).

Read the complete white paper API vulnerability testing in the real world: Best practices for building API security testing into your SDLC

Extending the DAST umbrella to APIs

APIs can be extremely complex, but the basic idea is simple. An application programming interface (API) provides a layer of abstraction that isolates a requesting application from any backend implementation details. In other words, you’re talking to the API and don’t care what’s behind it. While this makes interfaces very convenient for development, it also makes them harder to test for security vulnerabilities. That’s because, ideally, you would first need to know all about the API and the underlying system (or multiple systems).

Since APIs are just another way to interact with a web application, they should be tested for vulnerabilities along with the rest of the application, using the same tools and processes if possible. Scanning APIs using an existing dynamic application security testing (DAST) tool seems the logical thing to do, as it would allow you to consolidate testing and remediation workflows instead of adding extra tools and processes. Making this work in practice, however, is a tall order for most vulnerability scanners – especially as it requires integration into the development pipeline, which many scanners don’t directly support.

While many of the testing techniques look similar, scanning APIs for vulnerabilities adds specific requirements that go way beyond what a typical website scanner can do. If you seriously want to use a DAST tool to scan APIs, that tool will need to:

• Work with popular API types, including at least REST, SOAP, and GraphQL
• Support major API specification formats, including Postman, OpenAPI (Swagger), WADL, and WSDL
• Authenticate automatically using basic HTTP auth, JWTs, and OAuth2 for single sign-on
• Execute realistic and accurate security checks to probe for exploitable vulnerabilities
• Integrate into development and testing pipelines to speed up remediation

Finding a DAST solution like Invicti that checks all of these boxes (and then some) means getting a centralized view of your web security posture across websites, applications, and APIs at multiple stages of the SDLC. 

API security testing with Invicti as a routine part of development

As with all application security testing, manual penetration testing on APIs should only be the cherry on the cake to catch any issues that cannot be found automatically. With an advanced DAST platform such as Invicti Enterprise, you can integrate vulnerability scanning at multiple points across your software development lifecycle from early development builds (as soon as you have a running prototype) right through to production. To extend this dynamic testing coverage to APIs without leaving gaps in your security, the platform lets you import API specifications into the scanner in 15 formats (including API traffic capture files). As long as the scanner always works with the latest available specifications, it will also test the API part of your attack surface.

Consolidating on a mature DAST platform does away with the inefficiencies of using point solutions to cover only specific API formats in addition to existing toolchains. With Invicti, you get over 50 built-in integrations with popular issue trackers and CI/CD tools, allowing you to plug into existing development and testing workflows with minimal hassle. This is crucial if security testing is to keep up with heavily automated development pipelines and feed scan results directly into issue trackers – but it also requires uncompromising accuracy so developers are not flooded with non-actionable issues or downright false positives.

Invicti-level accuracy starts with proof-based scanning to automatically confirm vulnerabilities by safely and unambiguously exploiting them. Apart from purpose-built checks for specific API types, the Invicti scanner also applies many of its existing web security checks to test for SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), and other common vulnerabilities in underlying applications. Combined with remediation guidance, this helps to minimize the risk of exploitable weaknesses slipping into production and makes fixing security issues a routine part of the development process across all web assets – including APIs.

To learn more about integrated and automated API vulnerability testing with Invicti, read the full white paper: API vulnerability testing in the real world: Best practices for building API security testing into your SDLC.

Watch our on-demand webinar An Integrated Approach to Scanning APIs with DAST and join us for the upcoming API Security Decoded: Insights into Emerging Trends and Effective AppSec Strategies.