
API Security Testing

Rajendra Prasad Reddy Penumalli edited this page Mar 21, 2020 · 16 revisions

Primary areas covered by security testing are:

  • Authentication
  • Authorization
  • Availability
  • Confidentiality
  • Integrity
  • Non-repudiation

API Security Testing

  • Input parameter validation
  • SQL injection
  • Sensitive data exposure in URLs
    • Private IP disclosure
    • Passwords
    • PII data, such as credit card numbers
  • Server information disclosure in response headers
  • Parameter tampering
  • Application error disclosure
  • Cookies without the HttpOnly flag
  • HTTPS: weak encryption on edge servers
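As an added example (not part of the original wiki page), the Python script below automates several of the checks listed above over a single captured API response: sensitive parameter names in the URL, server version strings in headers, cookies missing the HttpOnly or Secure flag, and stack traces or private IP addresses in the body. The URL, headers and body are constructed sample data, not output from any real service.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Constructed sample API response; the host, cookies and body are made up.
SAMPLE_URL = "https://api.example.test/v1/login?user=alice&password=hunter2"
SAMPLE_HEADERS = [
    ("Server", "Apache/2.4.29 (Ubuntu)"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "csrf=xyz; Path=/; HttpOnly; Secure"),
    ("Content-Type", "application/json"),
]
SAMPLE_BODY = ('{"error":"DB host 10.0.3.7 unreachable",'
               '"trace":"at com.acme.Dao.query(Dao.java:42)"}')
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "ssn", "card", "cc"}
PRIVATE_IP = re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                        r"|192\.168\.\d{1,3}\.\d{1,3}"
                        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
STACK_TRACE = re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)"
                         r"|Traceback \(most recent call last\)")

def audit_response(url, headers, body):
    """Return (check, detail) findings for one API response."""
    findings = []
    # Sensitive data in the URL: query strings end up in logs, proxies and referers.
    for name, _ in parse_qsl(urlsplit(url).query):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("sensitive-param-in-url", name))
    for name, value in headers:
        lname = name.lower()
        # Server information disclosure: product and version string in headers.
        if lname in ("server", "x-powered-by") and re.search(r"\d", value):
            findings.append(("server-version-disclosure", f"{name}: {value}"))
        # Cookie flags: HttpOnly keeps scripts away; Secure keeps it off plain HTTP.
        if lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(("cookie-missing-httponly", cookie_name))
            if "secure" not in attrs:
                findings.append(("cookie-missing-secure", cookie_name))
    # Application error disclosure and private IP leakage in the body.
    if STACK_TRACE.search(body):
        findings.append(("application-error-disclosure", "stack trace in body"))
    for ip in PRIVATE_IP.findall(body):
        findings.append(("private-ip-disclosure", ip))
    return findings

if __name__ == "__main__":
    for check, detail in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{check}: {detail}")
```

Point it at responses recorded by a proxy such as ZAP or Burp to turn the checklist into a repeatable regression test.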

Best Practices

  • Integrating security practices into the SDLC
  • Consider adding a timestamp to each request (to hinder brute forcing)
  • Authentication and authorization
  • Using static code analysis tools such as SonarQube
  • Performing dependency checks on open-source libraries
  • Performing dynamic application security testing (DAST)
  • Protecting against DoS attacks

Tools and Libraries to Help

  • SonarQube Static Code Analysis for Secure Coding Practices Review
  • OWASP Dependency Check utility
  • ZAP Proxy and Burp Suite for DAST

Reference Standards

  • OWASP Top 10
  • SANS 25
  • HIPAA compliance
  • SOX Compliance
  • PCI-DSS Compliance
