{"id":28616,"date":"2017-12-29T13:00:21","date_gmt":"2017-12-29T18:00:21","guid":{"rendered":"https:\/\/sdtimes.com\/?p=28616"},"modified":"2018-01-05T14:33:11","modified_gmt":"2018-01-05T19:33:11","slug":"automating-api-security-testing-devsecops-approach","status":"publish","type":"post","link":"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/","title":{"rendered":"Automating API security testing with a DevSecOps approach"},"content":{"rendered":"<p>There has been a lot of recent focus on shifting testing left, but a part of that which doesn\u2019t get much attention is API testing. <\/p>\n<p>Akshay Aggarwal, CEO of PeachTech and founder and COO of Deja Vu Security, believes that companies can better manage API testing by approaching it in a DevSecOps way. It needs to be integrated into teams\u2019 current workflow in order to be effective, according to him. <\/p>\n<p>Aggarwal believes there are seven fundamentals to API testing in a DevSecOps setting. The first is that testing needs to be specific to APIs. He says that teams need to test against vulnerability lists, such as the OWASP Top 10. <\/p>\n<p>The second point is that test cases need to be automatically generated. \u201cUnless you can automate, you\u2019re at least two orders of magnitude behind in terms of the amount of time and effort spent looking for issues,\u201d Aggarwal said. <\/p>\n<p>Aggarwal recommends that teams configure their testing in a way that allows them to convert their current unit tests into security tests. <\/p>\n<p>Third, security tests should be built into the existing developer workflows using normal tools. This allows vulnerable code to be sent back to development and prevented from entering into production. Using tools that developers are already familiar with prevents them from having to learn new tools, which saves time and money. Similarly, results should populate the normal databases so that developers don\u2019t have to use a specific tool to view them, Aggarwal explained. <\/p>\n<p>The fourth fundamental is fuzzing: mutating valid messages to find additional vulnerabilities that were not discovered during automated OWASP testing. Fuzzing reduces the number of zero-day vulnerabilities present in code. <\/p>\n<p>The fifth is creating testing profiles that accommodate business needs, for example a profile that bypasses certain tests for projects with tight deadlines. <\/p>\n<p>Sixth, the test results should include information that developers will need in order to fix issues quickly. Finally, configuring how faults are managed is important because it ensures that false positives don\u2019t slow down development.<\/p>\n<p>\u201cEssentially what happens is that the tests transform as time goes on, but the fundamentals of that sound security remain constant,\u201d said Aggarwal.<\/p>\n<p>According to Aggarwal, organizations are not always clear on whose responsibility API testing is. When asked as part of a survey who is responsible for API testing, 49 percent said it was the development team and 51 percent said it was the security team, said Aggarwal.<\/p>\n<p>\u201cIf you dug down deeper into who was answering, it depended on the role that they had,\u201d said Aggarwal. \u201cDevelopers overwhelmingly said it was the security team\u2019s responsibility and security teams overwhelmingly said it was the developer\u2019s responsibility.\u201d<\/p>\n<p>This mismatch is one of three challenges to scaling API security. Because API security depends on the consumer to provide security, not knowing who is providing that security can have negative effects.<\/p>\n<p>Another challenge he lists is that APIs have increasingly complex actions. This makes it difficult to use traditional tooling, such as security vulnerability scanners, because those tools cannot \u201cdetect bugs that they can\u2019t see.\u201d<\/p>\n<p>The third challenge to scaling API security is that manual API testing is too expensive. But when companies don\u2019t find bugs until code is in production, it is too late to prevent losses from those bugs. <\/p>\n<p>By overcoming these challenges and following the fundamentals needed to approach testing in a DevSecOps way, companies can realize the full benefits of API testing. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>There has been a lot of recent focus on shifting testing left, but a part of that which doesn\u2019t get much attention is API testing. Akshay Aggarwal, CEO of PeachTech and founder and COO of Deja Vu Security, believes that companies can better manage API testing by approaching it in a DevSecOps way. 
It needs &hellip; <a class=\"read-more\" href=\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/\">continue reading<\/a><\/p>\n","protected":false},"author":752,"featured_media":28617,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"cybocfi_hide_featured_image":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[1],"tags":[6670,1823,4000,8749,11148,3244,706],"coauthors":[11687],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Automating API security testing with a DevSecOps approach - SD Times<\/title>\n<meta name=\"description\" content=\"Automating API security testing with a DevSecOps approach to realize the full benefits\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Automating API security testing with a DevSecOps approach - SD Times\" \/>\n<meta property=\"og:description\" content=\"Automating API security testing with a DevSecOps approach to realize the full benefits\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/\" \/>\n<meta property=\"og:site_name\" content=\"SD Times\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/SDTimesD2\" \/>\n<meta property=\"article:published_time\" 
content=\"2017-12-29T18:00:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-01-05T19:33:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/12\/startup-photos-4.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"457\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jenna Barron\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@sdtimes\" \/>\n<meta name=\"twitter:site\" content=\"@sdtimes\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jenna Barron\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/\"},\"author\":{\"name\":\"Jenna Barron\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/f2524e55ae19da07ea3613577da9f786\"},\"headline\":\"Automating API security testing with a DevSecOps 
approach\",\"datePublished\":\"2017-12-29T18:00:21+00:00\",\"dateModified\":\"2018-01-05T19:33:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/\"},\"wordCount\":589,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/12\/startup-photos-4.jpg\",\"keywords\":[\"3D rendering API\",\"API\",\"API testing\",\"DevSecOps\",\"OWASP Top 10\",\"software security\",\"zero-day\"],\"articleSection\":[\"Latest News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/\",\"url\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/\",\"name\":\"Automating API security testing with a DevSecOps approach - SD Times\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/12\/startup-photos-4.jpg\",\"datePublished\":\"2017-12-29T18:00:21+00:00\",\"dateModified\":\"2018-01-05T19:33:11+00:00\",\"description\":\"Automating API security testing with a DevSecOps approach to realize the full 
benefits\",\"breadcrumb\":{\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/#primaryimage\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/12\/startup-photos-4.jpg\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/12\/startup-photos-4.jpg\",\"width\":640,\"height\":457},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sdtimes.com\/3d-rendering-api\/automating-api-security-testing-devsecops-approach\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/sdtimes.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Automating API security testing with a DevSecOps approach\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sdtimes.com\/#website\",\"url\":\"https:\/\/sdtimes.com\/\",\"name\":\"SD Times\",\"description\":\"Software Development News\",\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sdtimes.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/sdtimes.com\/#organization\",\"name\":\"SD 
Times\",\"url\":\"https:\/\/sdtimes.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"width\":225,\"height\":90,\"caption\":\"SD Times\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/SDTimesD2\",\"https:\/\/x.com\/sdtimes\",\"https:\/\/www.linkedin.com\/company\/sdtimes\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/f2524e55ae19da07ea3613577da9f786\",\"name\":\"Jenna Barron\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/image\/b4be3423b187642936e62f121111345e\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b128943929626cdcafccbac86bd306f9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b128943929626cdcafccbac86bd306f9?s=96&d=mm&r=g\",\"caption\":\"Jenna Barron\"},\"description\":\"Jenna Barron is News Editor of SD Times.\",\"url\":\"https:\/\/sdtimes.com\/author\/jennifer-sargent\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/28616"}],"collection":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/users\/752"}],"replies":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/comments?post=28616"}],"version-history":[{"count":2,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/28616\/revisions"}],"predecessor-version":[{"id":28756,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/28616\/revisions\/28756"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media\/28617"}],"wp:attachment":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media?parent=28616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/categories?post=28616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/tags?post=28616"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/coauthors?post=28616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}