How Curefit solved API security using Akto
In this blog, you will learn how Curefit solved API security using Akto.
Swapnil Sharma, Security engineer at CureFit
5 min read
Working in the field of information security for more than ten years now, I have faced many challenges myself as an individual as well on a team front. Many tools and technologies, both open source and heavily paid, are available in the market to perform dynamic and automated assessments for applications, networks, and even for cloud infrastructure. The result is that they provide many bugs, issues, and best practices that need to be followed while taking care of compliance.
However, API security and testing were an untouched domain for a very long time. Keeping in view of how the technology is evolving to use API calls as a backend for both Mobile as well as Web environment and where in general Central API calls will receive and distribute traffic in a microservices various other API calls, it becomes essential to have an automation tool which can help perform security testing.
The Problems
Even though API architecture has solved many problems and is helpful in a very speedy throughput of the application, a certain amount of complications come with it from a testing point of view.
In the case of a web application, one can look for all the webpages and the deep links inserted in the page to find all the possible targets to perform Security testing, however when it comes to API, it is very dynamic, and it depends a lot on developers to keep a collection of API in some central location, such as postman etc.
If the developers do not keep such a collection creates a massive problem for the security team to keep track of the exact target and the progress of testing done.
For developers, it is not a Priority to keep such a collection; however, from a security point of you, on the other hand, it becomes very critical to know what is your target list to test, how many API calls exist, what is the flow, what calls are being done internally and externally and can we perform an automation test on it as we do it on a web web page or a mobile application?
Our problems were close to the ones mentioned above. We did not have a centralized API collection of all the calls in our environment. We needed a tool which could collect all the API calls in a central place so that we could start testing each of them one by one, both manually and dynamically. This is how our journey started with Akto. Swapnil Sharma, Security Engineer at Curefit.
Monthly product updates in your inbox. No spam.
Akto In the House
We kicked off our relationship with Akto as a trial to see if they could solve our problems. At this point, I can say it was quite a good decision to go with Akto for two significant reasons.
Firstly, their primary target was identifying sensitive information in the API calls and highlighting the same. In the process, they would create a collection of all the API calls in our environment. This solved a huge problem for us, where we were not clear on security coverage on APIs testing.
Secondly, as we moved ahead, Akto was keen to have regular discussions, identify the other problems we were facing, and try to solve them, becoming a centralized problem solver for our API testing needs.
Following are a few problems that Akto was able to solve for us:
With Akto, we were able to make sure that we have a centralized collection of all the API calls in our environment, regardless of internal or external facing.
On-demand, the actor was able to provide us with functionality to check the content of both request and the response of an API call.
It provides a function to copy the call as a call or Burp request and replay the same call as required by making whatever modifications we want to make in the request Parameters on the burp.
Furthermore, it started with automation testing and helped us create automation to check for IDOR.
The Akto team was very supportive in creating the smallest changes we requested based on our requirements and customizing them as per our needs. We were getting a lot of bug bounty reports on IDOR and using Akto; we were able to catch either on multiple API calls before getting a report from an external security researcher. This was a huge help financially.
I see a lot of potential in Akto as a tool which can grow to become something which is very helpful for both developers and security. Eagerly awaiting new test cases to be added to Akto and hopefully use Akto to solve other automation problems as well.
Keep reading
News
7 mins
March Product News: 98 New Tests, Dynamic wordlists, and more
This edition of Akto’s newsletter is packed with new features and tests that will greatly decrease your API Security testing time and increase targeted testing.
Product updates
5 mins
Detailed Errors on Postman and Swagger File Import
Akto now replays APIs to automatically get data during an import of Postman and Swagger files and transparently displays reasons why each specific API couldn't be replayed in the case of an error.
Product updates
5 mins
Added 98 New API Security Tests across 5 OWASP categories
Akto has introduced new tests across several categories including BOLA, Broken Authentication, Unrestricted Resource Consumption, BFLA, and SSRF that you can explore with Akto’s Test Editor.