by
December 28, 2022
Working in the field of information security for more than ten years now, I have faced many challenges, both as an individual and as part of a team. Many tools and technologies, both open source and expensively licensed, are available on the market to perform dynamic and automated assessments of applications, networks, and even cloud infrastructure. They report bugs and issues and recommend best practices to follow while addressing compliance.
However, API security and testing remained an untouched domain for a very long time. Given how technology is evolving to use API calls as the backend for both mobile and web environments, and how in a microservices architecture a central API typically receives traffic and distributes it to various other APIs, it becomes essential to have an automation tool that can help perform security testing.
Even though the API architecture has solved many problems and helps an application achieve very high throughput, it brings a certain amount of complication from a testing point of view.
In the case of a web application, one can crawl all the webpages and the deep links inserted in each page to enumerate every possible target for security testing. An API, however, is very dynamic: there is nothing to crawl, so coverage depends a lot on developers keeping a collection of the API in some central location, such as Postman.
If developers do not keep such a collection, it creates a massive problem for the security team in keeping track of the exact targets and the progress of the testing done.
For developers, maintaining such a collection is not a priority; from a security point of view, on the other hand, it is very critical to know what your target list to test is, how many API calls exist, what the flow is, which calls are made internally and which externally, and whether we can run automated tests against it as we do against a web page or a mobile application.
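One practical way to get that target list without relying on developers to maintain a collection is to reconstruct the inventory from observed traffic: group requests by method and normalized path, then scan the response bodies for sensitive fields that deserve a closer look. The script below is an added example written for this post; it is not Akto's code or the author's own tooling. It assumes a constructed log format of `METHOD PATH STATUS RESPONSE_JSON` per line (real gateway or proxy logs will need a different `parse_log`), and the sample lines and the classification rules (email, JWT, Luhn-valid card number) are assumptions made for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample traffic, not from any real system. Each line is
# "METHOD PATH STATUS RESPONSE_BODY_JSON"; this format is an assumption made
# for the example, so adjust parse_log() for your own proxy or gateway logs.
SAMPLE_LOG = """\
GET /api/v1/users/123 200 {"id": 123, "email": "alice@example.com", "name": "Alice"}
GET /api/v1/users/456 200 {"id": 456, "email": "bob@example.com", "name": "Bob"}
POST /api/v1/orders 201 {"orderId": 9876, "card": "4111111111111111"}
GET /api/v1/orders/9876 200 {"orderId": 9876, "status": "shipped"}
GET /internal/metrics 200 {"uptime": 12345}
POST /api/v1/login 200 {"token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc"}
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str):
    """Return a sensitive-data category for a string value, or None."""
    if EMAIL_RE.match(value):
        return "email"
    if JWT_RE.match(value):
        return "jwt"
    if value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value):
        return "card_number"
    return None


def walk(obj, path=""):
    """Yield (json_path, category) for every sensitive string in a JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        cat = classify(obj)
        if cat:
            yield path, cat


def normalize_path(path: str) -> str:
    """Collapse identifier segments so /users/123 and /users/456 are one endpoint."""
    parts = []
    for seg in path.split("/"):
        if seg.isdigit():
            parts.append("{id}")
        elif UUID_RE.match(seg):
            parts.append("{uuid}")
        else:
            parts.append(seg)  # keeps literal segments such as "v1" intact
    return "/".join(parts)


def parse_log(text: str):
    """Parse the assumed log format into (method, path, status, body) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, path, status, body = line.split(" ", 3)
        records.append((method, path, int(status), json.loads(body)))
    return records


def build_inventory(records):
    """Group traffic by normalized endpoint and record the sensitive fields seen."""
    inv = defaultdict(lambda: {"count": 0, "statuses": set(), "sensitive": set()})
    for method, path, status, body in records:
        entry = inv[f"{method} {normalize_path(path)}"]
        entry["count"] += 1
        entry["statuses"].add(status)
        entry["sensitive"].update(walk(body))
    return dict(inv)


if __name__ == "__main__":
    for endpoint, info in sorted(build_inventory(parse_log(SAMPLE_LOG)).items()):
        flags = ", ".join(f"{p}:{c}" for p, c in sorted(info["sensitive"])) or "-"
        print(f"{endpoint:<28} hits={info['count']} statuses={sorted(info['statuses'])} sensitive={flags}")
```

The inventory it produces is the target list the paragraph above asks for: five distinct endpoints from six requests, with the two `/users/{id}` calls collapsed into one entry and the email, card number and bearer token flagged by field path. Path normalization is deliberately conservative (only all-digit and UUID segments are collapsed) so that version prefixes such as `v1` are not mistaken for identifiers; in real traffic you would extend both the normalizer and the classifiers to match your own identifier and data formats.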
We kicked off our relationship with Akto as a trial to see if they could solve our problems. At this point, I can say it was quite a good decision to go with Akto for two significant reasons.
Firstly, their primary target was identifying sensitive information in the API calls and highlighting it. In the process, they would create a collection of all the API calls in our environment. This solved a huge problem for us, as we had not been clear on our security coverage of API testing.
Secondly, as we moved ahead, Akto was keen to have regular discussions, identify the other problems we were facing, and try to solve them, becoming a centralized problem solver for our API testing needs.
I see a lot of potential in Akto as a tool that can grow to become something very helpful for both developers and security teams. I am eagerly awaiting new test cases being added to Akto and hope to use Akto to solve other automation problems as well.