By Vinoth Venkatesan, Head, Cyber Engineering at State Street Corp.
Why API Testing?
In the previous post , we discussed API and why it needs to be secured. Also, we detailed the top five testing methods that anyone can follow to ensure their API security. In this article, we will cover more on how to protect the APIs using leading open-source tools and their high-level benefits.
Top Open-source API Testing Tools
Securing production APIs requires automated tools, especially with a steady development and release process. The following open-source tools can help you design security-related test cases, run them against API endpoints, and remediate issues you discover. They can also find business logic vulnerabilities, part of the testing regime.
1. Postman
Postman is a leading API development platform. Its key features include:
• Automating API tests
• Integrating API test cases into the CI/CD pipeline
• Simulating expected value/behavior of API endpoints and their responses
• Validating API performance and response times
• Enhances collaboration between developers through the built-in version control
2. Swagger
Swagger is an open-source toolkit that can help you create RESTful APIs. It permits two API development methods:
• Top-down API design – Helps to build an API in Swagger and then generate code from specifications
• Bottom-up API design – Swagger takes existing code and generates documentation about API operations, parameters, and outputs
3. JMeter
JMeter is a leading load testing tool, which is also utilized for security testing. Key features include:
• Feeding CSV files and using them for load testing.
• It lets you perform tests with various values to simulate scenarios and cyber-attacks.
• Automate API test cases into the CI/CD process through Jenkins
• It has the potential to replay test results using advanced performance testing.
4. SoapUI
Soap UI is a prevalent API functional testing tool. Its key features include:
• An extensive library of functional testing essentials that let you automate API tests
• Fully customizable – It comes with source code to build additional features based on demand
• Easy drag and drop interface to develop the tests
• It enables you to reuse existing load tests or security scans for functional tests
5. Karate
Karate is a Java API testing tool using the Behavior-Driven Development (BDD) method. Its key features include:
• Writing BDD for APIs with ready-made steps
• Generates standard Java reports
• It does not require Java knowledge to write tests for Java-based APIs
• Enables multi-threaded execution
• Supports switching configuration between staging and production
6. Fiddler
Fiddler is a tool that screens and replays HTTP requests, with an API testing extension for .NET, Java, Ruby, and other popular frameworks. Its key features include:
• Debugging requests from any client — including Linux, Windows, macOS, and mobile platforms
• It also tests cookies, cache, and headers in client-server communication
• Provides a friendly UI for grouping and organizing API requests
• Allows to simulate requests and responses with no code changes
7. Sqlmap
Sqlmap is an open-source penetration testing tool.
• It enhances detecting and exploiting SQL injection flaws and taking over database servers.
• It has a potent detection engine and many niche features for excellent penetration testing.
• Sqlmap comes with a broad range of switches, including fingerprinting and accessing the underlying file system.
• It also allows executing commands on the operating system via out-of-band connections.
API Security Best Practices
The above tools will help validate the security controls around the API ecosystem. Still, part of the deployment or implementation stage, each entity should follow the below best practices to ensure API is secured across the layers.
• Implement access token — Access tokens should be enforced to users while signing up to preserve a level of authorization. Authenticate Access tokens every time a user requests the API. As well as introduce the option to revoke or reset the token.
• Enforce SSL to encrypt HTTP messages to and from your API.
• Always sanitize the input parameters sent to API, including the access token field.
• Rate limit the requests sent to API per minute by any user.
• Implement a pair of API gateways to consolidate all accesses centrally.
• Implement a security solution to scan every request to the API endpoint.
Final Words
Using these leading testing tools and the best practices mentioned above will help you build a robust and secured API ecosystem. Always make sure to keep your underlying Operating system, Database, and Web Servers up-to-date on the patch level as they can provide a sufficient layer of security to the API endpoint.
About the Author
Vinoth Venkatesan – Cybersecurity professional by heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cyber happenings and blockchain-related articles.
