With data breaches and cyber-attacks occurring more frequently, the need for regular, intelligent, and thorough penetration testing is at an all-time high.
Industry experts agree that 2020 saw a noticeable shift in cyber-attack methodologies and tactics, with APIs now accounting for 40% of the attack surface for all web-enabled apps. Global brands and United States government agencies such as the US Postal Service and IRS have all suffered API-related breaches in recent years. Current prevention mechanisms have struggled to keep up.
API-related attack mitigation techniques are possible and now strongly encouraged by practitioners closely aligned with OWASP. To prevent further API-related breaches and replace inefficient manual pen-testing, APIsec has launched its Automated Penetration Testing capability. Automated Pen-Testing automatically learns about an application's APIs, detects changes, and continually mounts attacks, mimicking tactics deployed by red teams and hackers.
What is Penetration Testing (And Why Does it Need Automating?)
Penetration testing, or pen-testing, is an authorized and simulated cyberattack on a website, an application, APIs, or any other system. The system owner authorizes the "attack" to test the security measures in place and discover hidden security flaws. Increasingly, organizations have prioritized testing the API layer that connects web, mobile, and machine-to-machine interfaces.
In the on-premises software era, software vendors deployed, secured, and upgraded their applications within their corporate networks. Vendors released software annually and aligned manual penetration testing to those schedules. Those tests were subsequently scheduled to repeat on an annual or bi-annual basis.
This changed with the advent of the cloud and SaaS products. Software is no longer on-premises with a tightly coupled frontend and backend. Instead, most modern applications are cloud-based, fundamentally relying on APIs to communicate with various backends, databases, and subsystems. Furthermore, web and mobile applications increasingly share a common API layer. As a result, unsurprisingly, hackers, red teams, and penetration testers have shifted their focus and TTPs to the API layer, while software developers have been slow to expand their defences to APIs.
Manual pen-testing is typically an infrequent monitoring methodology that leaves a large window of opportunity open to cyber-attackers, leading to potential data loss and breach. After all, manual pen-testing that takes place annually or even quarterly simply cannot keep up with the pace of software releases, or with the pace at which attack techniques evolve. By the time a pen-test is run, the software in question has already been in production for months and has changed numerous times.
As a result of these outdated pen-testing protocols, notable breaches have occurred:
- Venmo: Hackers scraped millions of Venmo payment records via an unsecured API endpoint that was leaking data.
- Bumble: An insecure API allowed malicious hackers to download Bumble’s entire user base. Hackers were also able to bypass paying for premium features.
- USPS: The Informed Delivery API exposed the data of over 60 million users through broken access controls.
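The three breaches above share one flaw class: an endpoint that returns an object without checking that the caller owns it (broken object-level access control). The following is an added illustration, not APIsec's code and not taken from any of the affected services, of the kind of cross-user check a continuous API test can run on every build. The two handlers, the user records, and the bearer tokens are constructed for the example; a real deployment would drive the same probe against the actual HTTP service rather than in-process functions.

```python
"""Added example: automated check for broken object-level access control.

Constructed for illustration; the handlers, records and tokens below are
stand-ins, not the API of any real product or service.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample data: two users and the bearer token each one holds.
RECORDS: Dict[str, dict] = {
    "u1": {"name": "alice", "email": "alice@example.test"},
    "u2": {"name": "bob", "email": "bob@example.test"},
}
TOKENS: Dict[str, str] = {"tok-alice": "u1", "tok-bob": "u2"}

# A handler maps (method, path, bearer token) to (HTTP status, JSON body).
Handler = Callable[[str, str, str], Tuple[int, dict]]


def weak_handler(method: str, path: str, token: str) -> Tuple[int, dict]:
    """Flawed 'before' version: returns any user's record to any caller,
    authenticated or not. This is the leaking-endpoint pattern."""
    if method == "GET" and path.startswith("/users/"):
        uid = path.split("/")[2]
        if uid in RECORDS:
            return 200, RECORDS[uid]
        return 404, {}
    return 405, {}


def hardened_handler(method: str, path: str, token: str) -> Tuple[int, dict]:
    """Fixed version: the token must be valid and its subject must own the
    requested object; anything else is refused before data is touched."""
    subject = TOKENS.get(token)
    if subject is None:
        return 401, {}
    if method == "GET" and path.startswith("/users/"):
        uid = path.split("/")[2]
        if uid != subject:
            # 403 here; returning 404 instead also avoids confirming the id exists.
            return 403, {}
        return 200, RECORDS[uid]
    return 405, {}


@dataclass
class Finding:
    path: str
    caller: str   # owner of the token used, or "<none>" for no token
    detail: str


def audit_object_access(handler: Handler, object_ids: List[str],
                        tokens: Dict[str, str]) -> List[Finding]:
    """Probe every object (a) with no token and (b) with every token that does
    not belong to its owner. Any 200 response is a finding. Run this on each
    build so a newly added endpoint cannot silently regress to the weak case."""
    findings: List[Finding] = []
    for uid in object_ids:
        path = f"/users/{uid}"
        status, _ = handler("GET", path, "")
        if status == 200:
            findings.append(Finding(path, "<none>", "readable without a token"))
        for tok, owner in tokens.items():
            if owner == uid:
                continue  # the owner is allowed to read their own record
            status, _ = handler("GET", path, tok)
            if status == 200:
                findings.append(Finding(path, owner, "readable with another user's token"))
    return findings


if __name__ == "__main__":
    for name, h in (("weak", weak_handler), ("hardened", hardened_handler)):
        hits = audit_object_access(h, list(RECORDS), TOKENS)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  {f.path} caller={f.caller}: {f.detail}")
```

The probe is deliberately generic: it needs only the list of object ids and a set of low-privilege credentials, which is why it can be regenerated automatically whenever a new resource path appears in the API. The same loop can be pointed at PUT and DELETE to catch write-side versions of the flaw.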
Automated Pen-Testing: The Final API Security Solution for SaaS
APIsec’s Automated Pen-Testing solution is an alternative pen-testing strategy that is aligned with contemporary web development practices. It ensures vulnerabilities are detected and fixed before they get to production.
APIsec’s Automated Penetration Testing feature automatically and instantly:
- Learns each application’s APIs and creates thousands of custom attack scenarios
- Discovers and prioritizes API vulnerabilities based on severity
- Performs continuous pen-testing based on automatically created playbooks
- Detects new API changes and creates missing tests
- Opens tickets, verifies fixes and closes tickets
- Generates a compound Pen-Test Report PDF, detailing new, existing, and closed security issues
The above benefits are possible thanks to APIsec’s machine-learning engine, which can automatically analyze and understand any modern API and execute bespoke pen-tests as a result.
APIsec also brings about tangible business value in three parts:
- Reduced manual pen testing costs
- Simplified security compliance
- Enablement of frequent releases with automated security working in the background of your CI/CD operations, speeding up agile development processes
APIsec doesn’t stop there, though.
When vulnerabilities are uncovered, APIsec automatically provides a detailed description of the attack playbook used, giving the client an actual “recording” or wire logs of the successful attack, along with remediation recommendations. Engineers never have to waste time investigating issues; instead, they can focus on remediation of the underlying problem.
Modern Software Requires Modern Security
Cutting-edge software relies heavily on API calls for basic functions, data delivery, integrations, and more. That growing reliance on APIs is precisely why hackers are targeting the API layer more, and the frontend presentation layer less.
By continuously testing and reporting on the health of your API layer, an area often neglected by software developers, you can mitigate risk minute by minute, not year to year.
Learn more about securing your APIs against malicious attacks by reading our white paper, “Best Practices for API Security”.