Welcome!

@CloudExpo Authors: Yeshim Deniz, Pat Romanski, Liz McMillan, Elizabeth White, Ed Featherston

Related Topics: @CloudExpo, Agile Computing, Cloud Security

@CloudExpo: Article

Security Considerations for API Testing | @CloudExpo #API #Cloud #Security

Security is the #1 technology challenge teams that work with APIs would like to see solved in the years ahead

Eight Security Considerations for API Testing
By Cameron Laird

It seems like every day we see reminders of the importance of thorough security testing from all areas of the software world. Security has become an especially critical consideration for APIs in recent years. Organizations rely on APIs to share and receive information - either from a third party or between internal applications - so the level of security between these applications is critical for anyone who uses them.

Earlier this year, SmartBear Software released the results of its State of API 2016 Report, which found that security is the #1 technology challenge teams that work with APIs would like to see solved in the years ahead.

Security isn't an easy problem to solve. It starts with selecting the right tools to test for API security vulnerabilities. But there are other API security testing considerations your team should be aware of, whether you develop or integrate with APIs.

Here are eight problem spots for specific aspects of application programming interface (API) testing with impacts on security:

1. Too-accommodating decoding libraries
"CAPEC-80" illustrates how subtle security vulnerabilities can be. Unicode is a rich source of confusions, of course; English-speaking programmers often treat the world beyond ASCII as an afterthought. One immediate consequence: it comes as a surprise to find out that, for instance, the characters we see as MYBANK.COM might resolve to an entirely different and hostile site.

CAPEC-80 documents a distinct and thorny problem, one already observed in attacks against, among other applications, Microsoft's ISS server. Suppose an application immediately scans user input for dangerous sequences-an account name of ‘root', for instance, might be flagged as an error. The difficulty is that illegal values can be embedded in UTF-8 which results in a string decoding to ‘root' after it has already been validated.

Tests for such obscure errors are difficult to write. Generally, the best course is exploratory testing. In such cases, effective exploratory testing generally involves crafting problematic data, and seeing whether the API under investigation unequivocally rejects them. While requests which go through don't necessarily prove a defect, they mark at least a questionable area that deserves pursuit.

CAPEC-71 is another among several variations of this same theme.

2. Test the logger
Real-world services are under constant attack. Logging and good tactics for review of the logs are simple necessities. One consequence for testers: logging functionality is crucial. Anything a test program can do to verify logging is valuable.

Java architect Peter Verhas makes the point that logging for him is non-functional, and therefore we should "Never Test Logging". In this perspective, the point of this tip is: logging deserves to be a security requirement of every API, and therefore logging of this sort must be tested.

3. Make sure all the doors are locked
Testers with a focus on application functionality-most testers, that is-can easily overlook other-than-HTTP* channels. All the ways to enter an API need attention. If an API supports a legacy portal through SOAP or FTP, for instance, it must be tested.

4. Think about time
This one might better be labeled, "think about sessions". Conventional functional testing focuses on deterministic, correct results. Security-oriented API testing needs to consider also behaviors which are hard to replicate, especially around temporal sequences. In particular, APIs commonly authenticate throughout the mediation of tokens which expire.

Does the API handle expiration correctly? Do sessions give proper access-enough, but not too much-to data after renewal of an access authorization? Within a session, is the behavior of the API the same on the first and second uses? This isn't a question about the idempotency of GET requests; that's a product specification matter. Does the API somehow change at the boundary of a session?

5. Test developer experience
User experience  - and its testing - are recognized now as important. For APIs, developers are users, and their experience also deserves study.

Security considerations only underscore this reality. External developers perfectly competent to build the functionality of an API-based application might stumble in regard to security requirements. Do they store session tokens and API keys safely? Do they unintentionally degrade others' performance with inefficient coding? Do they find Terms of Use too difficult to respect? The only objective way to know is to measure what they actually do.

6. Test the documentation!
Crucial to developer experience is the documentation on which they rest their efforts. Published materials, of course, are the right reference for all testing, not internal product specifications. The importance for security is evident: developers who consume an API will code according to the documentation they read. To test the documentation against the publisher's intent is essential.

An especially important form of documentation is all the sample coding provided to API users. An example program written in even one language coded in an insecure way is an invitation for every programmer working in that language to open the API up to abuse. Think of testing an API comprehensively: it's not just the behavior of a specific endpoint, but everything-from content delivery network (CDN) to licensing agreement to support responders-that supports use of that API. Sample programs and related documentation influence API use enormously.

7. Test errors
Error-handling is an important functional requirement, and always deserves attention, of course. Diagnostics that leak information attackers value are evident security mistakes.

More than that, though, error-handling remains poorly-standardized in REST APIs. The poverty of best practices in the area means that a lot of implementations are written for the first time: a recipe for security gaps. API error-handling merits proportionately more attention than error-handling for applications.

8. Challenge of flexibility
The flexibility of REST - REpresentational State Transfer  - introduces other specific technical challenges to testers, especially those sensitive to security. Think of a typical resource URI:/api/$VERSION/directory/UserID/$ID/Transactions/$DATE. The data are part of the URI; older testing tools handle this poorly. Even well-designed tools have difficulty expressing the whole range of inputs worth testing. Fuzz-based testing becomes difficult, if not intractable.

Adding to the complexity: many valid URIs are generated dynamically, sometimes in client-side AJAX. All this flexibility and variation overwhelms vulnerability scanners and other tools based on lookups.

Make API security a top priority
Security-pertinent API testing will remain incomplete and dynamic for a long time to come. Publishers need to analyze their own situation and vulnerabilities to decide the kind and intensity of testing which pay off for their biggest "hot spots".

More Stories By SmartBear Blog

As the leader in software quality tools for the connected world, SmartBear supports more than two million software professionals and over 25,000 organizations in 90 countries that use its products to build and deliver the world’s greatest applications. With today’s applications deploying on mobile, Web, desktop, Internet of Things (IoT) or even embedded computing platforms, the connected nature of these applications through public and private APIs presents a unique set of challenges for developers, testers and operations teams. SmartBear's software quality tools assist with code review, functional and load testing, API readiness as well as performance monitoring of these modern applications.

@CloudExpo Stories
JETRO showcased Japan Digital Transformation Pavilion at SYS-CON's 21st International Cloud Expo® at the Santa Clara Convention Center in Santa Clara, CA. The Japan External Trade Organization (JETRO) is a non-profit organization that provides business support services to companies expanding to Japan. With the support of JETRO's dedicated staff, clients can incorporate their business; receive visa, immigration, and HR support; find dedicated office space; identify local government subsidies; get...
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
"We're focused on how to get some of the attributes that you would expect from an Amazon, Azure, Google, and doing that on-prem. We believe today that you can actually get those types of things done with certain architectures available in the market today," explained Steve Conner, VP of Sales at Cloudistics, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...
As organizations shift towards IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. Commvault can ensure protection, access and E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his general session at 18th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Part...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Vulnerability management is vital for large companies that need to secure containers across thousands of hosts, but many struggle to understand how exposed they are when they discover a new high security vulnerability. In his session at 21st Cloud Expo, John Morello, CTO of Twistlock, addressed this pressing concern by introducing the concept of the “Vulnerability Risk Tree API,” which brings all the data together in a simple REST endpoint, allowing companies to easily grasp the severity of the ...
Michael Maximilien, better known as max or Dr. Max, is a computer scientist with IBM. At IBM Research Triangle Park, he was a principal engineer for the worldwide industry point-of-sale standard: JavaPOS. At IBM Research, some highlights include pioneering research on semantic Web services, mashups, and cloud computing, and platform-as-a-service. He joined the IBM Cloud Labs in 2014 and works closely with Pivotal Inc., to help make the Cloud Found the best PaaS.
We all know that end users experience the Internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices – not doing so will be a path to eventual b...
We all know that end users experience the internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices - not doing so will be a path to eventual ...
We all know that end users experience the internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices - not doing so will be a path to eventual ...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. All In Mobile is a mobile app development company from Poland. Since 2014, they maintain passion for developing mobile applications for enterprises and startups worldwide.
Sanjeev Sharma Joins November 11-13, 2018 @DevOpsSummit at @CloudEXPO New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
As Cybric's Chief Technology Officer, Mike D. Kail is responsible for the strategic vision and technical direction of the platform. Prior to founding Cybric, Mike was Yahoo's CIO and SVP of Infrastructure, where he led the IT and Data Center functions for the company. He has more than 24 years of IT Operations experience with a focus on highly-scalable architectures.
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.