An API, or application programming interface, is a software intermediary, a set of protocols and routines that lets programmers integrate applications with one another. Increasingly, enterprises rely on APIs to support a myriad of client-facing and internal use cases.
But despite the growing importance of APIs in software and the rise of the API economy in recent years, API security remains an unsolved problem for enterprises. API vulnerabilities have served as entry points for notable breaches, and attackers increasingly target insecure and vulnerable APIs as a preferred attack vector. This stems in no small part from the fact that private APIs are often poorly inventoried and weakly protected: even the largest tech companies struggle to keep track of all the third-party clients accessing their private APIs.
Shifting Security Left
One way to mitigate API vulnerabilities is to push security earlier in the development lifecycle, where teams can look inside the source code and business logic for potential weaknesses before they reach production. This idea led to what is known today as the shift left movement.
But in security, shift left is neither freshly minted terminology nor a novel idea. Shift-left methods have existed for a long time, but the old methods performed poorly, causing frequent disruptions and pauses in the development cycle.
The modern approach to shifting security left reworks the last generation's strategies and aims to balance responsibility and autonomy between developers and security professionals.
Today, shift left is widely adopted in enterprises to streamline development and quality assurance. The modern shift left philosophy calls for merging SecOps with DevOps into a joint DevSecOps practice that treats security as a shared responsibility throughout the IT lifecycle.
One of the companies playing a star role in mitigating API risks and exploits is Noname Security. Noname's Active Testing offering continuously tests APIs for vulnerabilities, shift-left style, before they reach production. Having launched the second iteration of the tool, Active Testing v2, Noname Security took part in the recent Security Field Day event in California to demo the solution.
Active Testing v2 is a Dynamic Application Security Testing (DAST) solution that helps users stay ahead of API risks and exposures through rapid and accurate discovery.
Although DAST is a sophisticated technology, the tools most companies have deployed are not nearly as advanced. Tomer Semo, Group Manager of Active Testing at Noname Security, highlighted three key goals the company aimed for when designing Active Testing.
It takes broad end-to-end coverage to find all vulnerabilities accurately. True testing and detection means reaching deep into the business logic that often hosts the most critical vulnerabilities.
Designed to be API-first, Active Testing provides broad testing coverage for every API in the stack and integrates with shift left tooling. It enables automatic testing of APIs in pre-production, while they are still in development and QA.
As the maker of a DAST solution, Noname Security is an active proponent of shift left security. While presenting Active Testing v2 to the audience, Tomer Semo, Group Manager of Active Testing, shone a light on the many advantages of the approach.
For one, shifting security to the early stages of development helps teams anticipate changes that may arise downstream and sidestep performance issues and delivery delays. Early detection of vulnerabilities not only prevents API exploits but also reduces their impact, saves cost and accelerates remediation.
“Today the industry understands that the shift left approach is crucial for optimizing development processes. We all know that early detection and mitigation of any bug or problem during the development process itself is beneficial in order to reduce cost, risk, and response times, and this is the same for security, and the world is starting to accept this as well. More and more cybersecurity solutions are trying to achieve the same effect,” said Semo.
Active Testing v2
Active Testing v2 provides deep API security insight along CI/CD pipelines, surfacing vulnerabilities and exposures in the early stages, sometimes even before the code is written.
Semo underscored the value of using a DAST solution for API security. DAST takes a proactive, outside-in approach, exercising the running application to find exploitable points that static analysis of the code often misses.
It is far simpler to scan for and detect API vulnerabilities in pre-production. “We should simply ask the relevant questions, talk with the APIs, instead of waiting for answers to appear in traffic in non-production environments,” he emphasized.
One thing Noname Security seeks to accomplish with Active Testing is high accuracy of output. “I can think of so many tools that are integrated with CI/CD solutions that throw back so many issues that nobody even looks at because they are not focused and are usually clear junk,” he pointed out.
An Active Testing scan starts from the API inventory. The solution tests and analyzes each API's security posture and status at multiple checkpoints, verifying that everything is as it should be. Then, using a set of business logic analysis tools, it inspects the business logic for vulnerabilities. The goal, Semo explained, is to understand the application fully, answering “what the API is meant to do, with which resources it mingles, how it affects these resources, what are the connections between the APIs” in order to establish a baseline of expected behavior.
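As an added example of what “talking with the APIs” from an inventory looks like in practice (illustrative code written for this page, not Noname Security's Active Testing), the Python below walks a constructed API inventory, calls each endpoint as its owning user to establish a baseline, then repeats the call anonymously and as every other test user, flagging endpoints that answer when they should refuse. The target `fake_api`, the inventory, the users and their tokens are all constructed stand-ins; in a real pipeline the stand-in would be replaced by an HTTP client pointed at the pre-production environment. The object-level authorization check is one assumed example of a business-logic test, chosen because it depends on knowing which resources each API touches.

```python
"""Minimal active (DAST-style) API authorization probe.

Added illustration, not Noname Security's code. Walks an API inventory, calls each
endpoint as the owning user, as no user, and as every other user, and flags
endpoints that answer when they should refuse. The target API, inventory and
credentials below are constructed stand-ins; a real run would swap `fake_api`
for an HTTP client pointed at a pre-production environment.
"""

# ---- Constructed stand-in for the API under test (deliberately flawed) ----------
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}          # bearer token -> user
ORDERS = {"1001": {"owner": "alice", "total": 42},
          "2002": {"owner": "bob", "total": 7}}
PROFILES = {"alice": {"email": "alice@example.invalid"},
            "bob": {"email": "bob@example.invalid"}}


def fake_api(method, path, headers):
    """Returns (status, body). GET /orders/{id} never checks the order's owner,
    which is the business-logic flaw the probe should surface."""
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    user = TOKENS.get(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    parts = path.strip("/").split("/")
    if method == "GET" and len(parts) == 2 and parts[0] == "orders":
        order = ORDERS.get(parts[1])
        return (200, order) if order else (404, {"error": "not found"})  # no owner check
    if method == "GET" and len(parts) == 2 and parts[0] == "profiles":
        if parts[1] != user:
            return 403, {"error": "forbidden"}                           # correct check
        return 200, PROFILES[parts[1]]
    return 404, {"error": "no route"}


# ---- Constructed inventory: what each API does and which objects it touches ---
INVENTORY = [
    {"method": "GET", "path": "/orders/{id}",   "objects": {"alice": "1001", "bob": "2002"}},
    {"method": "GET", "path": "/profiles/{id}", "objects": {"alice": "alice", "bob": "bob"}},
]
CREDENTIALS = {"alice": "tok-alice", "bob": "tok-bob"}     # pre-production test users


def probe_inventory(api, inventory, credentials):
    """Actively question each inventoried endpoint instead of waiting for traffic.

    For every (endpoint, owner, object) triple: confirm the owner's request works
    (the baseline), then check that the same request fails without a token and
    with every other user's token. Returns one finding per (endpoint, type, case).
    """
    findings = []
    for entry in inventory:
        endpoint = f"{entry['method']} {entry['path']}"
        for owner, obj in entry["objects"].items():
            path = entry["path"].replace("{id}", obj)
            as_owner = {"Authorization": "Bearer " + credentials[owner]}
            status, _ = api(entry["method"], path, as_owner)
            if status != 200:
                findings.append({"endpoint": endpoint, "type": "baseline-failed",
                                 "detail": f"{owner} got {status} for own object {obj}"})
                continue                       # cannot judge authorization without a baseline
            status, _ = api(entry["method"], path, {})
            if status == 200:
                findings.append({"endpoint": endpoint, "type": "missing-authentication",
                                 "detail": f"anonymous read {obj}"})
            for other, token in credentials.items():
                if other == owner:
                    continue
                status, _ = api(entry["method"], path, {"Authorization": "Bearer " + token})
                if status == 200:
                    findings.append({"endpoint": endpoint,
                                     "type": "broken-object-level-authorization",
                                     "detail": f"{other} read {owner}'s object {obj}"})
    return findings


def summarize(findings):
    """Collapse findings to endpoint -> sorted, de-duplicated finding types, the
    shape a CI gate would compare against a previous run."""
    summary = {}
    for f in findings:
        summary.setdefault(f["endpoint"], set()).add(f["type"])
    return {ep: sorted(types) for ep, types in summary.items()}


if __name__ == "__main__":
    for endpoint, types in summarize(probe_inventory(fake_api, INVENTORY, CREDENTIALS)).items():
        print(endpoint, "->", ", ".join(types))
```

Run stand-alone, the probe reports only `GET /orders/{id}`, because each test user can read the other's order while the profile endpoint correctly returns 403. The baseline step matters: an endpoint that fails even for its owner is reported separately rather than silently counted as "secure", which is the kind of noise-free result the presenter was arguing for.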
Above all, Active Testing is designed to be simple, user-friendly and flexible. The solution is non-disruptive to the development process, giving developers extra reason to embrace it. Built for shift left analysis, it supports multiple environments and streamlines CI/CD integration.
Testing takes just a few clicks. The process starts with onboarding applications into the application hub by filling out a couple of quick fields. Once applications are added, hitting the Scan button starts the testing. You can create custom test profiles by adjusting the severity of the tests and other presets, or use the pre-built ones.
Active Testing v2 keeps a complete audit of all scans and saves the logs of past tests for future reference. It aggregates past and present data to analyze security posture and profiles, so teams can watch issue counts fall over time. Optionally, tests can be scheduled to run a chosen number of times per day.
Wrapping Up
APIs have proliferated hugely over the past years, giving organizations more reason to actively track their vulnerabilities. Shifting security left is the best approach for that, but teams also need a tool that makes shift left practical to adopt. Active Testing v2 is a clear winner because it first lets teams integrate security organically into CI/CD processes and, in doing so, makes it possible to weed out flaws in the early stages of application building, nipping API exploits in the bud.
For more information, be sure to watch the demo from the recent Security Field Day event at the Tech Field Day website.