Welcome!

@CloudExpo Authors: Liz McMillan, Elizabeth White, Pat Romanski, Yeshim Deniz, William Schmarzo

Related Topics: @CloudExpo, Agile Computing, Cloud Security

@CloudExpo: Article

Security Considerations for API Testing | @CloudExpo #API #Cloud #Security

Security is the #1 technology challenge teams that work with APIs would like to see solved in the years ahead

Eight Security Considerations for API Testing
By Cameron Laird

It seems like every day we see reminders of the importance of thorough security testing from all areas of the software world. Security has become an especially critical consideration for APIs in recent years. Organizations rely on APIs to share and receive information - either from a third party or between internal applications - so the level of security between these applications is critical for anyone who uses them.

Earlier this year, SmartBear Software released the results of its State of API 2016 Report, which found that security is the #1 technology challenge teams that work with APIs would like to see solved in the years ahead.

Security isn't an easy problem to solve. It starts with selecting the right tools to test for API security vulnerabilities. But there are other API security testing considerations your team should be aware of, whether you develop or integrate with APIs.

Here are eight problem spots for specific aspects of application programming interface (API) testing with impacts on security:

1. Too-accommodating decoding libraries
"CAPEC-80" illustrates how subtle security vulnerabilities can be. Unicode is a rich source of confusions, of course; English-speaking programmers often treat the world beyond ASCII as an afterthought. One immediate consequence: it comes as a surprise to find out that, for instance, the characters we see as MYBANK.COM might resolve to an entirely different and hostile site.

CAPEC-80 documents a distinct and thorny problem, one already observed in attacks against, among other applications, Microsoft's ISS server. Suppose an application immediately scans user input for dangerous sequences-an account name of ‘root', for instance, might be flagged as an error. The difficulty is that illegal values can be embedded in UTF-8 which results in a string decoding to ‘root' after it has already been validated.

Tests for such obscure errors are difficult to write. Generally, the best course is exploratory testing. In such cases, effective exploratory testing generally involves crafting problematic data, and seeing whether the API under investigation unequivocally rejects them. While requests which go through don't necessarily prove a defect, they mark at least a questionable area that deserves pursuit.

CAPEC-71 is another among several variations of this same theme.

2. Test the logger
Real-world services are under constant attack. Logging and good tactics for review of the logs are simple necessities. One consequence for testers: logging functionality is crucial. Anything a test program can do to verify logging is valuable.

Java architect Peter Verhas makes the point that logging for him is non-functional, and therefore we should "Never Test Logging". In this perspective, the point of this tip is: logging deserves to be a security requirement of every API, and therefore logging of this sort must be tested.

3. Make sure all the doors are locked
Testers with a focus on application functionality-most testers, that is-can easily overlook other-than-HTTP* channels. All the ways to enter an API need attention. If an API supports a legacy portal through SOAP or FTP, for instance, it must be tested.

4. Think about time
This one might better be labeled, "think about sessions". Conventional functional testing focuses on deterministic, correct results. Security-oriented API testing needs to consider also behaviors which are hard to replicate, especially around temporal sequences. In particular, APIs commonly authenticate throughout the mediation of tokens which expire.

Does the API handle expiration correctly? Do sessions give proper access-enough, but not too much-to data after renewal of an access authorization? Within a session, is the behavior of the API the same on the first and second uses? This isn't a question about the idempotency of GET requests; that's a product specification matter. Does the API somehow change at the boundary of a session?

5. Test developer experience
User experience  - and its testing - are recognized now as important. For APIs, developers are users, and their experience also deserves study.

Security considerations only underscore this reality. External developers perfectly competent to build the functionality of an API-based application might stumble in regard to security requirements. Do they store session tokens and API keys safely? Do they unintentionally degrade others' performance with inefficient coding? Do they find Terms of Use too difficult to respect? The only objective way to know is to measure what they actually do.

6. Test the documentation!
Crucial to developer experience is the documentation on which they rest their efforts. Published materials, of course, are the right reference for all testing, not internal product specifications. The importance for security is evident: developers who consume an API will code according to the documentation they read. To test the documentation against the publisher's intent is essential.

An especially important form of documentation is all the sample coding provided to API users. An example program written in even one language coded in an insecure way is an invitation for every programmer working in that language to open the API up to abuse. Think of testing an API comprehensively: it's not just the behavior of a specific endpoint, but everything-from content delivery network (CDN) to licensing agreement to support responders-that supports use of that API. Sample programs and related documentation influence API use enormously.

7. Test errors
Error-handling is an important functional requirement, and always deserves attention, of course. Diagnostics that leak information attackers value are evident security mistakes.

More than that, though, error-handling remains poorly-standardized in REST APIs. The poverty of best practices in the area means that a lot of implementations are written for the first time: a recipe for security gaps. API error-handling merits proportionately more attention than error-handling for applications.

8. Challenge of flexibility
The flexibility of REST - REpresentational State Transfer  - introduces other specific technical challenges to testers, especially those sensitive to security. Think of a typical resource URI:/api/$VERSION/directory/UserID/$ID/Transactions/$DATE. The data are part of the URI; older testing tools handle this poorly. Even well-designed tools have difficulty expressing the whole range of inputs worth testing. Fuzz-based testing becomes difficult, if not intractable.

Adding to the complexity: many valid URIs are generated dynamically, sometimes in client-side AJAX. All this flexibility and variation overwhelms vulnerability scanners and other tools based on lookups.

Make API security a top priority
Security-pertinent API testing will remain incomplete and dynamic for a long time to come. Publishers need to analyze their own situation and vulnerabilities to decide the kind and intensity of testing which pay off for their biggest "hot spots".

More Stories By SmartBear Blog

As the leader in software quality tools for the connected world, SmartBear supports more than two million software professionals and over 25,000 organizations in 90 countries that use its products to build and deliver the world’s greatest applications. With today’s applications deploying on mobile, Web, desktop, Internet of Things (IoT) or even embedded computing platforms, the connected nature of these applications through public and private APIs presents a unique set of challenges for developers, testers and operations teams. SmartBear's software quality tools assist with code review, functional and load testing, API readiness as well as performance monitoring of these modern applications.

@CloudExpo Stories
"We were founded in 2003 and the way we were founded was about good backup and good disaster recovery for our clients, and for the last 20 years we've been pretty consistent with that," noted Marc Malafronte, Territory Manager at StorageCraft, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are an IT services solution provider and we sell software to support those solutions. Our focus and key areas are around security, enterprise monitoring, and continuous delivery optimization," noted John Balsavage, President of A&I Solutions, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"DivvyCloud as a company set out to help customers automate solutions to the most common cloud problems," noted Jeremy Snyder, VP of Business Development at DivvyCloud, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We want to show that our solution is far less expensive with a much better total cost of ownership so we announced several key features. One is called geo-distributed erasure coding, another is support for KVM and we introduced a new capability called Multi-Part," explained Tim Desai, Senior Product Marketing Manager at Hitachi Data Systems, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
SYS-CON Events announced today that Calligo, an innovative cloud service provider offering mid-sized companies the highest levels of data privacy and security, has been named "Bronze Sponsor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalised support service from its globally located cloud plat...
DevOps at Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to w...
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
"The Striim platform is a full end-to-end streaming integration and analytics platform that is middleware that covers a lot of different use cases," explained Steve Wilkes, Founder and CTO at Striim, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"With Digital Experience Monitoring what used to be a simple visit to a web page has exploded into app on phones, data from social media feeds, competitive benchmarking - these are all components that are only available because of some type of digital asset," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Kubernetes was originally built by Google, leveraging years of experience with managing container workloads, and is now a Cloud Native Compute Foundation (CNCF) project. Kubernetes has been widely adopted by the community, supported on all major public and private cloud providers, and is gaining rapid adoption in enterprises. However, Kubernetes may seem intimidating and complex ...
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We focus on SAP workloads because they are among the most powerful but somewhat challenging workloads out there to take into public cloud," explained Swen Conrad, CEO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are still a relatively small software house and we are focusing on certain industries like FinTech, med tech, energy and utilities. We help our customers with their digital transformation," noted Piotr Stawinski, Founder and CEO of EARP Integration, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I think DevOps is now a rambunctious teenager – it’s starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We've been engaging with a lot of customers including Panasonic, we've been involved with Cisco and now we're working with the U.S. government - the Department of Homeland Security," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We're here to tell the world about our cloud-scale infrastructure that we have at Juniper combined with the world-class security that we put into the cloud," explained Lisa Guess, VP of Systems Engineering at Juniper Networks, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.