Independent information security

API Security Testing

Focus on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs

Home Solutions Penetration Testing API Security Testing

API Testing

A foundational element of innovation in today’s app-driven world is the API (Application Programming Interfaces).

From banks, retail and transportation to IoT, autonomous vehicles and smart cities, APIs are a critical part of modern mobile, SaaS and web applications. APIs are found in customer-facing, partner-facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.

Web application security vs API security

With the rapid rise of microservices and the rush to build more applications more quickly, APIs are in use more than ever to connect services and transfer data. However, with a growing number of smaller applications trying to communicate, APIs are becoming increasingly challenging to secure.

The implications of these risks have resulted in some of the most significant breaches recently.

Data exposure
Security misconfigurations
Insufficient logging and monitoring
Man in the Middle Attacks (MiTM)
Lack of resources
Authentication and authorisation

What Are Benefits Of API Testing

SecuriCentrix is a network and web application testing provider, helping organisations identify weaknesses that could enable sensitive details compromised by criminal attackers.

PCI DSS, ISO 27001, GDPR, POPIA
Security by design validation
Assess threats to the API
Identify potential data leakage

Approach

At SecuriCentrix, we have identified an API testing strategy for testing an API to better understand testing techniques.

Web application security vs API security

While REST APIs have many similarities with web applications, there are also fundamental differences.

In traditional web applications, data processing is done on the server-side, and the resulting web page is then sent to client browsers to be rendered. Thus, the entry points to this, the entry points to the network architecture of the business were relatively few and straightforward to protect by setting up a web application firewall (WAF) in front of the application server.

Modern API-based applications are very different. More and more, the UI uses APIs to send and receive the data from the backend servers to provide the application’s functions. It is now the clients that do the rendering and maintain the state.

Why Choose Us

Our team of skilled penetration testers follow a structured approach to meet the expectations of your organisation, to safely conduct vulnerability discovery and exploits. As a result, we help you identify and reduce your risks and ensure compliance with industry standards and regulations.

Frequently Asked Questions

What are penetration tests?

Penetration tests are the authorised, simulated cyber-attack against your computer system in a targeted environment to check for exploitable vulnerabilities. The penetration tester will use both manual or automated testing techniques to identify the vulnerabilities that are in an environment and use these to exploit the environment potentially.

What are the different types of tests?

Internal Penetration tests
Internal tests simulate an attack that has already bypassed your security perimeter. It discovers what an attacker can do internally, such as moving across systems and networks. It also simulates what a trusted insider (like disgruntled employees) could potentially do.

External Penetration tests
External tests simulate the ability of an attacker to gain access to your internal network and infrastructure from outside of your security perimeter.

Segmentation Tests
Segmentation Tests are conducted from untrusted networks to validate the functioning of segmentation security controls.

Web Application Penetration testing
Web application penetration tests are conducted against public-facing web applications or interface to validate whether vulnerabilities, including those listed in OWASP, will expose the back-end systems to any potential attacks or compromises.

What are the different levels of Penetration Tests?

Black Box tests are where the penetration tester knows nothing of the infrastructure to be tested. So it’s more indicative of a real-world attack, but this method may not always expose all vulnerabilities.

White Box tests are tests where the penetration tester can access complete and in-depth information on the infrastructure kept for testing. Whilst not as realistic as a black-box test, it allows thorough testing of the infrastructure.

Grey Box tests are the most popular form of test that takes a balanced approach between white and black boxes. A grey box test discloses just enough information to perform a thorough, systematic test whilst keeping the scenario relevant and realistic.

What are the types of penetration tests required for PCI DSS?

As part of Requirement 11, PCI DSS requires Internal Infrastructure Tests, External Infrastructure Tests and Segmentation Tests. In addition to this, as per Requirement 6, the applications or interfaces should have a public-facing environment. One will also need to perform a Web Applicable Penetration test known as Web Application vulnerability assessments.

What is the frequency to conduct different types of Penetration tests?

As a good security practice, Internal, External and Web application tests should be conducted at least annually or after any significant change to the infrastructure or applications, this is to ensure that the change has not adversely affected the security of the environments in which they reside. In addition, segmentation testing should be completed every six months if you are a service provider facilitating payments and annually for other organisations.

Our services

SecuriCentrix’s security services are designed to provide the vital assistance needed to make tangible improvements to your organisation’s cyber security posture.