Welcome!

Agile Computing Authors: Pat Romanski, Liz McMillan, Corey Roth, Elizabeth White, Yeshim Deniz

Related Topics: @CloudExpo, Agile Computing, Cloud Security

@CloudExpo: Article

Security Considerations for API Testing | @CloudExpo #API #Cloud #Security

Security is the #1 technology challenge teams that work with APIs would like to see solved in the years ahead

Eight Security Considerations for API Testing
By Cameron Laird

It seems like every day we see reminders of the importance of thorough security testing from all areas of the software world. Security has become an especially critical consideration for APIs in recent years. Organizations rely on APIs to share and receive information - either from a third party or between internal applications - so the level of security between these applications is critical for anyone who uses them.

Earlier this year, SmartBear Software released the results of its State of API 2016 Report, which found that security is the #1 technology challenge teams that work with APIs would like to see solved in the years ahead.

Security isn't an easy problem to solve. It starts with selecting the right tools to test for API security vulnerabilities. But there are other API security testing considerations your team should be aware of, whether you develop or integrate with APIs.

Here are eight problem spots for specific aspects of application programming interface (API) testing with impacts on security:

1. Too-accommodating decoding libraries
"CAPEC-80" illustrates how subtle security vulnerabilities can be. Unicode is a rich source of confusions, of course; English-speaking programmers often treat the world beyond ASCII as an afterthought. One immediate consequence: it comes as a surprise to find out that, for instance, the characters we see as MYBANK.COM might resolve to an entirely different and hostile site.

CAPEC-80 documents a distinct and thorny problem, one already observed in attacks against, among other applications, Microsoft's ISS server. Suppose an application immediately scans user input for dangerous sequences-an account name of ‘root', for instance, might be flagged as an error. The difficulty is that illegal values can be embedded in UTF-8 which results in a string decoding to ‘root' after it has already been validated.

Tests for such obscure errors are difficult to write. Generally, the best course is exploratory testing. In such cases, effective exploratory testing generally involves crafting problematic data, and seeing whether the API under investigation unequivocally rejects them. While requests which go through don't necessarily prove a defect, they mark at least a questionable area that deserves pursuit.

CAPEC-71 is another among several variations of this same theme.

2. Test the logger
Real-world services are under constant attack. Logging and good tactics for review of the logs are simple necessities. One consequence for testers: logging functionality is crucial. Anything a test program can do to verify logging is valuable.

Java architect Peter Verhas makes the point that logging for him is non-functional, and therefore we should "Never Test Logging". In this perspective, the point of this tip is: logging deserves to be a security requirement of every API, and therefore logging of this sort must be tested.

3. Make sure all the doors are locked
Testers with a focus on application functionality-most testers, that is-can easily overlook other-than-HTTP* channels. All the ways to enter an API need attention. If an API supports a legacy portal through SOAP or FTP, for instance, it must be tested.

4. Think about time
This one might better be labeled, "think about sessions". Conventional functional testing focuses on deterministic, correct results. Security-oriented API testing needs to consider also behaviors which are hard to replicate, especially around temporal sequences. In particular, APIs commonly authenticate throughout the mediation of tokens which expire.

Does the API handle expiration correctly? Do sessions give proper access-enough, but not too much-to data after renewal of an access authorization? Within a session, is the behavior of the API the same on the first and second uses? This isn't a question about the idempotency of GET requests; that's a product specification matter. Does the API somehow change at the boundary of a session?

5. Test developer experience
User experience  - and its testing - are recognized now as important. For APIs, developers are users, and their experience also deserves study.

Security considerations only underscore this reality. External developers perfectly competent to build the functionality of an API-based application might stumble in regard to security requirements. Do they store session tokens and API keys safely? Do they unintentionally degrade others' performance with inefficient coding? Do they find Terms of Use too difficult to respect? The only objective way to know is to measure what they actually do.

6. Test the documentation!
Crucial to developer experience is the documentation on which they rest their efforts. Published materials, of course, are the right reference for all testing, not internal product specifications. The importance for security is evident: developers who consume an API will code according to the documentation they read. To test the documentation against the publisher's intent is essential.

An especially important form of documentation is all the sample coding provided to API users. An example program written in even one language coded in an insecure way is an invitation for every programmer working in that language to open the API up to abuse. Think of testing an API comprehensively: it's not just the behavior of a specific endpoint, but everything-from content delivery network (CDN) to licensing agreement to support responders-that supports use of that API. Sample programs and related documentation influence API use enormously.

7. Test errors
Error-handling is an important functional requirement, and always deserves attention, of course. Diagnostics that leak information attackers value are evident security mistakes.

More than that, though, error-handling remains poorly-standardized in REST APIs. The poverty of best practices in the area means that a lot of implementations are written for the first time: a recipe for security gaps. API error-handling merits proportionately more attention than error-handling for applications.

8. Challenge of flexibility
The flexibility of REST - REpresentational State Transfer  - introduces other specific technical challenges to testers, especially those sensitive to security. Think of a typical resource URI:/api/$VERSION/directory/UserID/$ID/Transactions/$DATE. The data are part of the URI; older testing tools handle this poorly. Even well-designed tools have difficulty expressing the whole range of inputs worth testing. Fuzz-based testing becomes difficult, if not intractable.

Adding to the complexity: many valid URIs are generated dynamically, sometimes in client-side AJAX. All this flexibility and variation overwhelms vulnerability scanners and other tools based on lookups.

Make API security a top priority
Security-pertinent API testing will remain incomplete and dynamic for a long time to come. Publishers need to analyze their own situation and vulnerabilities to decide the kind and intensity of testing which pay off for their biggest "hot spots".

More Stories By SmartBear Blog

As the leader in software quality tools for the connected world, SmartBear supports more than two million software professionals and over 25,000 organizations in 90 countries that use its products to build and deliver the world’s greatest applications. With today’s applications deploying on mobile, Web, desktop, Internet of Things (IoT) or even embedded computing platforms, the connected nature of these applications through public and private APIs presents a unique set of challenges for developers, testers and operations teams. SmartBear's software quality tools assist with code review, functional and load testing, API readiness as well as performance monitoring of these modern applications.

@ThingsExpo Stories
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
DXWorldEXPO LLC, the producer of the world's most influential technology conferences and trade shows has announced the 22nd International CloudEXPO | DXWorldEXPO "Early Bird Registration" is now open. Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)
Join IBM November 1 at 21st Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA, and learn how IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Cognitive analysis impacts today’s systems with unparalleled ability that were previously available only to manned, back-end operations. Thanks to cloud processing, IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Imagine a robot vacuum that becomes your personal assistant tha...
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
I think DevOps is now a rambunctious teenager - it's starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settl...
In his session at @ThingsExpo, Dr. Robert Cohen, an economist and senior fellow at the Economic Strategy Institute, presented the findings of a series of six detailed case studies of how large corporations are implementing IoT. The session explored how IoT has improved their economic performance, had major impacts on business models and resulted in impressive ROIs. The companies covered span manufacturing and services firms. He also explored servicification, how manufacturing firms shift from se...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
IoT solutions exploit operational data generated by Internet-connected smart “things” for the purpose of gaining operational insight and producing “better outcomes” (for example, create new business models, eliminate unscheduled maintenance, etc.). The explosive proliferation of IoT solutions will result in an exponential growth in the volume of IoT data, precipitating significant Information Governance issues: who owns the IoT data, what are the rights/duties of IoT solutions adopters towards t...
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assista...