Security Considerations for API Testing
Security is the #1 technology challenge teams that work with APIs would like to see solved in the years ahead
By: SmartBear Blog
Dec. 3, 2016 11:00 AM
Eight Security Considerations for API Testing
It seems like every day we see reminders of the importance of thorough security testing from all areas of the software world. Security has become an especially critical consideration for APIs in recent years. Organizations rely on APIs to share and receive information - either from a third party or between internal applications - so the level of security between these applications is critical for anyone who uses them.
Earlier this year, SmartBear Software released the results of its State of API 2016 Report, which found that security is the #1 technology challenge teams that work with APIs would like to see solved in the years ahead.
Security isn't an easy problem to solve. It starts with selecting the right tools to test for API security vulnerabilities. But there are other API security testing considerations your team should be aware of, whether you develop or integrate with APIs.
Here are eight problem spots for specific aspects of application programming interface (API) testing with impacts on security:
1. Too-accommodating decoding libraries
CAPEC-80 documents a distinct and thorny problem, one already observed in attacks against, among other applications, Microsoft's IIS server. Suppose an application immediately scans user input for dangerous sequences; an account name of 'root', for instance, might be flagged as an error. The difficulty is that illegal values can be embedded in UTF-8 so that a string passes validation and only afterwards decodes to 'root'.
Tests for such obscure errors are difficult to write. Generally, the best course is exploratory testing. In such cases, effective exploratory testing generally involves crafting problematic data, and seeing whether the API under investigation unequivocally rejects them. While requests which go through don't necessarily prove a defect, they mark at least a questionable area that deserves pursuit.
CAPEC-71 is another among several variations of this same theme.
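The validate-before-decode ordering described in this item, as an added example that is not part of the original article. The deny-list, both handlers, the probe bytes and `lenient_decode` (a hypothetical stand-in for a too-accommodating library) are constructed for illustration.

```python
BLOCKED = {"root"}  # constructed deny-list for the example

def lenient_decode(data: bytes) -> str:
    """Hypothetical too-accommodating decoder: accepts overlong 2-byte forms."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data):
            # Missing check: a strict decoder rejects code points < 0x80 here.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("unsupported byte sequence")
    return "".join(out)

def validate_then_decode(raw: bytes):
    """Flawed order: deny-list check on raw bytes, decoding afterwards."""
    if any(name.encode("ascii") in raw for name in BLOCKED):
        return None
    return lenient_decode(raw)

def decode_then_validate(raw: bytes):
    """Hardened order: strict decode first, then check the decoded value."""
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    return None if text in BLOCKED else text

def overlong(ch: str) -> bytes:
    """Test data: non-shortest two-byte encoding of one ASCII character."""
    cp = ord(ch)
    return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])

def failing_probes(handler, probes):
    """Exploratory test: probes the handler accepted as a blocked name."""
    return [p for p in probes if handler(p) in BLOCKED]

PROBES = [b"root", overlong("r") + b"oot", b"ro" + overlong("o") + b"t"]

if __name__ == "__main__":
    print("validate_then_decode:", failing_probes(validate_then_decode, PROBES))
    print("decode_then_validate:", failing_probes(decode_then_validate, PROBES))
```

Python's built-in UTF-8 codec already rejects non-shortest forms, which is why the hardened handler needs no custom decoder.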
2. Test the logger
Java architect Peter Verhas makes the point that, for him, logging is non-functional, and that we should therefore "Never Test Logging". In this perspective, the point of this tip is that logging deserves to be a security requirement of every API, and therefore logging of this sort must be tested.
3. Make sure all the doors are locked
4. Think about time
Does the API handle expiration correctly? Do sessions give proper access (enough, but not too much) to data after renewal of an access authorization? Within a session, is the behavior of the API the same on the first and second uses? This isn't a question about the idempotency of GET requests; that's a product specification matter. Does the API somehow change at the boundary of a session?
5. Test developer experience
6. Test the documentation!
An especially important form of documentation is the sample code provided to API users. A single example program coded insecurely, even in just one language, is an invitation for every programmer working in that language to open the API up to abuse. Think of testing an API comprehensively: it's not just the behavior of a specific endpoint, but everything, from content delivery network (CDN) to licensing agreement to support responders, that supports use of that API. Sample programs and related documentation influence API use enormously.
7. Test errors
More than that, though, error handling remains poorly standardized in REST APIs. The poverty of best practices in the area means that a lot of implementations are written for the first time: a recipe for security gaps. API error handling merits proportionately more attention than error handling for applications.
8. Challenge of flexibility
Adding to the complexity: many valid URIs are generated dynamically, sometimes in client-side AJAX. All this flexibility and variation overwhelms vulnerability scanners and other tools based on lookups.
Make API security a top priority