The hottest topic in the API realm these days seems to be API security. Looking at the OWASP API Top Ten, it's easy to see that many APIs are not immune to the effects of poor application security. As with any topic, there are many different ways to slice and dice precisely what this means. Does security start with how the APIs are coded or when the API is available in production? Is it better to take a proactive or reactive approach to API security or both? This is precisely the starting point we are looking to dive into when discussing API security testing vs API security monitoring. Both of these components hold a place in modern web API development and operations. However, it can be confusing as to where one ends and where the other begins. Let’s take a deeper look!
What is API Security Testing?
The drive to “shift left” has meant that security has become a concern earlier in the development lifecycle. Running security scans and testing only just before the move to production is archaic and inefficient. Modern API security testing has moved earlier in the software development lifecycle to find bugs, defects, and any type of API vulnerability before developers deploy code to production. This type of testing generally takes place as developers are writing the code for a service that is not yet live. Although static code scans should be part of an engineering team's repertoire, API security testing generally tests running API code for vulnerabilities by attempting to exploit known attack vectors. By doing this, developers can be aware of potential vulnerabilities, fix them, and reduce the APIs' attack surface.
API security testing helps to identify potential issues before the code even moves into production. Tools like StackHawk actually move this process into the CI/CD pipeline so that scans can run automatically and consistently. Some tools allow you to upload an OpenAPI spec to define the API you’d like to test. From here, the testing tool is then able to generate tests for expected input and output and even test for user access, encryption, and authentication concerns.
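As an added illustration of spec-driven test generation (not StackHawk's code or that of any scanner), the sketch below reads an OpenAPI 3 document and plans one unauthenticated request per protected operation, while flagging operations that declare no authentication at all. The sample spec, the function names and the allowlist parameter are assumptions made for this example.

```python
# Added example: plan authentication tests from an OpenAPI 3 document.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed sample spec (not taken from any real API).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # default requirement for every operation
    "paths": {
        "/orders": {
            "get": {"responses": {"200": {}}},  # inherits the default
            "post": {"security": [{"bearerAuth": []}], "responses": {"201": {}}},
        },
        "/orders/{id}": {
            # An empty list overrides the default: anonymous access is allowed.
            "delete": {"security": [], "responses": {"204": {}}},
        },
        "/health": {"get": {"security": [], "responses": {"200": {}}}},
    },
}


def effective_security(spec, operation):
    """Return the requirements that apply, or [] if anonymous calls are allowed."""
    reqs = operation.get("security", spec.get("security", []))
    # An empty requirement object ({}) in the list makes authentication optional.
    if not reqs or any(req == {} for req in reqs):
        return []
    return reqs


def plan_auth_tests(spec, public_allowlist=frozenset()):
    """Return (tests, findings) for the spec.

    tests: requests to send without credentials; each must be rejected.
    findings: operations open to anonymous callers and not allowlisted.
    """
    tests, findings = [], []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method, operation in sorted(item.items()):
            if method not in HTTP_METHODS:
                continue  # skip non-operation keys such as "parameters"
            key = f"{method.upper()} {path}"
            if effective_security(spec, operation):
                tests.append({"request": key, "credentials": None,
                              "expect_status": (401, 403)})
            elif key not in public_allowlist:
                findings.append(key)
    return tests, findings
```

Running the planned requests against a running build and failing the pipeline on any response outside `expect_status`, or on any entry in `findings`, turns the spec into an access-control regression test.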
Why use API Security Testing?
API security testing should be used as part of a modern SDLC to prevent security defects before they hit production. There’s never any guarantee that developers are following security best practices as they may be too rushed or not even aware of security flaws introduced through their code. Using a tool for API security testing in the early phases of development can allow developers and organizations to detect security issues and remedy them.
This also allows developers to work more quickly knowing that they have a second line of defense when it comes to detecting security defects in their code. Since API security testing can be automated, the process can be run as part of the development lifecycle without impacting developers and project timelines. The benefit of this is that security defects can be found earlier, automatically, and some tools even guide developers on how to fix the bugs they’ve introduced. Finding security defects later can lead to major overhauls of the codebase in order to remedy issues. This may require retesting of previously tested components and repetition of other late-stage SDLC activities. All of these outcomes likely will extend timelines resulting in delayed release cycles. Using API security testing leads to more secure software and a more predictable SDLC timeline.
What is API Security Monitoring?
API Security Monitoring is more focused on detecting threats within traffic coming into an API. This monitoring is usually applied to production APIs and monitors traffic as requests and responses flow through the APIs. API Security Monitoring is less proactive, in terms of preventing attacks before they happen, and more focused on being reactive by alerting companies of potential attacks and vulnerabilities that are actively being exploited.
API Security monitoring also may look at the geographic data attached to the request. Doing this can ensure that any regions that you want to exclude from using your APIs can either be blocked or teams at least alerted about traffic coming from a restricted region. This means that API security monitoring not only analyzes the request and response traffic but also makes sure the origin of the traffic is permitted.
Many times, API security monitoring tools will also allow API traffic to be intercepted and prevented from going to an upstream API while returning a custom response for the API call. This can prevent malicious traffic from overwhelming an API endpoint and causing a denial of service.
API security monitoring is how companies can analyze traffic to ensure that APIs aren’t being exploited and if they are, be notified. As mentioned, some API security monitoring platforms also allow the blocking of potentially malicious API calls and other automated flows.
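The monitoring behaviour described in this section, sketched as an added example (not code from any monitoring product): each request is checked for a restricted origin region and for a per-client request rate, and a flagged request gets a custom response instead of being forwarded upstream. The region code, thresholds, field names and sample traffic are assumptions constructed for this example.

```python
from collections import defaultdict, deque

RESTRICTED_REGIONS = {"ZZ"}  # assumption: placeholder region code
MAX_REQUESTS = 3             # assumption: allowed requests per client per window
WINDOW_SECONDS = 10          # assumption: sliding window length


class TrafficMonitor:
    def __init__(self):
        self.recent = defaultdict(deque)  # client -> request timestamps in window
        self.alerts = []                  # stands in for a notification channel

    def inspect(self, req):
        """Return None to forward upstream, or (status, body) to answer directly."""
        if req["region"] in RESTRICTED_REGIONS:
            self.alerts.append(("restricted_region", req["client"], req["path"]))
            return 403, {"error": "region not permitted"}
        window = self.recent[req["client"]]
        # Drop timestamps that have aged out of the sliding window.
        while window and req["ts"] - window[0] >= WINDOW_SECONDS:
            window.popleft()
        window.append(req["ts"])
        if len(window) > MAX_REQUESTS:
            self.alerts.append(("rate_exceeded", req["client"], req["path"]))
            return 429, {"error": "too many requests"}
        return None


# Constructed sample traffic: ts is seconds since the start of the capture.
SAMPLE_TRAFFIC = [
    {"ts": 0, "client": "key-a", "region": "US", "path": "/orders"},
    {"ts": 1, "client": "key-b", "region": "ZZ", "path": "/orders"},
    {"ts": 2, "client": "key-a", "region": "US", "path": "/orders"},
    {"ts": 3, "client": "key-a", "region": "US", "path": "/orders"},
    {"ts": 4, "client": "key-a", "region": "US", "path": "/orders"},
    {"ts": 20, "client": "key-a", "region": "US", "path": "/orders"},
]


def replay(traffic):
    """Run the monitor over recorded requests; return (decisions, alerts)."""
    monitor = TrafficMonitor()
    decisions = [monitor.inspect(req) for req in traffic]
    return decisions, monitor.alerts
```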
Why use API Security Monitoring?
API security monitoring is an important part of ongoing threat management. Even with the most secure code, exploits can be found and go undetected until it’s too late. Monitoring for exploits and attacks that are occurring on production APIs, by using an API security monitoring tool, is a great way to create automated defenses against attackers. By detecting attacks in their early stages, attacks can be prevented or halted quickly to minimize losses. After the attack is halted, information gathered by the monitoring tool can be used to improve the code and harden the API platform for the future.
Using API security platforms can not only detect when malicious activity is occurring but also actively help to prevent and mitigate it. This may also help to detect attacks that occur as part of accidental security misconfiguration. As with any aspect of application security, having monitoring in place allows your organization to have an active defense against threats.
Should You Use Both API Security Testing and Monitoring?
Using both API security testing and API security monitoring together can help to create an extremely robust security framework for your organization. API usage has been exploding in growth over the past few years and with that, there has been an increase in API-related security events. Because of this, using both approaches as part of your API testing regimen can help to make sure your code and platform are secure before they hit production. It can also add peace of mind when the code is released into the wild. By using both API security testing and API security monitoring, you can mitigate many of the exploits and vulnerabilities outlined in the OWASP API Security Top Ten.
Using both types of tools, organizations can be proactive by testing services earlier in the software development lifecycle but also monitor potential security threats unfolding in the production environment if they do occur or slip past the security testing. With the ever-changing landscape of security and potential attack vectors, a suite of tools that covers your operations from all angles is recommended.
Getting Started with API Security Testing and Monitoring
At StackHawk, in our experience, it makes the most sense to start with API security testing and then layer in monitoring as the code goes live. Implementing API security testing should be done first since it can help to uncover defects earlier in the development process. This should be done by adding it as part of your existing automated test suites to make sure you’re also including security tests on top of unit, E2E, and other API testing. Then, as APIs begin to see live traffic, API monitoring should be added on top to monitor the traffic for potential attacks occurring in real time.
For API security testing, StackHawk is a best-in-class solution which brings automation, easy configurability, and robust testing to your code. With StackHawk, creating your API security testing configuration can be done in many different ways. One way is to run a scan to crawl your application and identify endpoints, although this can be rather inconsistent and miss API endpoints. For more complete and explicit testing, you can use an OpenAPI spec to define all endpoints as well as the expected input and output of your APIs. StackHawk also allows you to test API authorization and authentication to ensure sensitive data is protected and access control is working as anticipated.
On top of RESTful API support, StackHawk also supports GraphQL APIs, through the use of an introspection endpoint, and SOAP APIs, by uploading a WSDL to identify services. You can also use a Postman Collection to identify endpoints and add them to your security scan. Going beyond traditional API security testing tools, StackHawk allows you to support your legacy APIs and technologies as well as the latest and greatest.
To get started with API security testing and StackHawk, you first need to sign up for a StackHawk account. After you have signed up, you’ll simply need to:
Add the StackHawk config file to your project’s repo. The config file will link out to OpenAPI Spec, GraphQL introspection endpoint, Postman collection, or any other inputs used to inform the scan of your available endpoints.
Add the StackHawk scan to your setup. This can be done via the StackHawk docker container or StackHawk CLI tool. This can be added directly to your CI/CD pipeline to enable testing directly within your GitOps flow.
From here, you can start catching API security issues as they are introduced into the codebase.
Once these steps are complete, you’ll have active and automated API security testing built directly into your organization's SDLC.
Next, you will layer in API security monitoring. For this, most companies either offer an SDK which can be added directly to your API code or a plugin for the API gateway or proxy you may be using. The monitoring tool will receive analytics data from the traffic running through the API which will then be monitored for anomalies. Implementing a monitoring tool is usually quite simple:
Add the API monitoring tool to your stack through an SDK or plugin
Depending on the tool, configure the tool for the type of monitoring you’d like to enable
Create your notification channels for alerting when anomalies are detected
Going forward, receive alerts any time an event of interest is detected to help detect any threats as they are happening
Some platforms to check out for API security monitoring include ThreatX, Arkose Labs, and DataDog.
With both of these tools in place, your APIs will be more secure as you build them and as you release them into the wild. Getting started can be extremely simple and is definitely worth the investment.
Wrapping Up!
Implementing API security testing and monitoring is a crucial step in creating and offering secure APIs. As the frequency of API attacks increases, so does the need for tools that help developers to follow security best practices more easily. With the abundance of tools available, adding these options to your SDLC has never been easier, with many even offering deep customization. These platforms allow you to prevent and monitor for many of the vulnerabilities and attacks outlined in the OWASP Top Ten. Keeping your APIs secure requires multiple angles of prevention and monitoring to ensure a holistic approach to API security.
At StackHawk, we cover API security testing by offering a platform that is easy to configure and easy for developers to use. Blazingly fast scans right in your CI/CD workflow and an easy-to-comprehend report help developers to identify and remedy any security defects. Combining StackHawk with your favorite API security monitoring tool can help to create a robust security framework that decreases your security risk and keeps your APIs safe from threats. Sign up for StackHawk today to get started!