Introducing Akto Open Source: Redefining API security
This blog is about our open source launch, why we went open source and what the future holds for Akto Open Source.
Akto Team
10 min read
30 million devs today use APIs every day to build software applications, and a typical application runs on thousands of APIs. With every release cycle, developers add new APIs and modify the request and response params of existing ones. These APIs are vulnerable to all kinds of attacks, such as brute force, account takeovers, IDORs and so on. To counter these attacks, thousands of secure coding practices, packages, auth mechanisms and libraries have been introduced in the last ten years, and secure API development practices have undergone a radical change. It hasn’t been enough to stop these API attacks.
Why? Securing APIs is hard. First, attackers are only becoming smarter and finding creative ways to hack APIs. Security teams are finding clever ways to prevent attacks while also trying to catch up with the new ways hackers are exploiting vulnerabilities. Secondly, no single team can secure their APIs from all possible attacks by themselves. Imagine learning the business logic of each API, then writing thousands of tests for each of these APIs, and updating those tests whenever a developer modifies the API logic even slightly. Not to mention adding new test suites for the constantly changing attack patterns in the world. We are talking about a massive number of custom tests here!
How can we solve these challenges? Enter the open source API security world - a world where any developer or security engineer can add their API security tests and make them available to the community, a world where securing APIs is quick and easy, a world where a security engineer in California can collaborate with a security engineer in Australia to secure APIs. We strongly believe Akto open source will help developers and security teams around the world secure their application APIs from attacks. Today, we are excited to introduce Akto Open Source to the world.
It has been 400 days since we first started programming Akto, and we have arrived at the decision to open source everything we have developed so far! Do show us your support by starring and contributing on GitHub here.
What is open sourced?
All of the Akto environment is now publicly available on GitHub. It has three parts -
Akto software - This is the brain of Akto, written by our team in Java and Vue.js
  Dashboard - This module handles the user interface and auth
  Runtime - This module processes data (API calls) and saves meta info for each API
  Testing - This module tests the endpoints for security vulnerabilities
Setup - This comprises the docker compose files to set up Akto on any machine
Resources - These are written or compiled by the team at Akto.
  Sensitive data types - These contain the list of default sensitive data types
  Testing sources - These contain several API security tests. This is the quickest and most important way to contribute to Akto.
In terms of effort, all of these contributions are now publicly available 😃
How do you use it?
For Security engineer / Independent pentester
If you are a security engineer and want to use Akto to pentest your APIs, get started right away -
Run the setup command.
Add some traffic to the Akto dashboard by integrating with Burp Suite, Postman, or traffic mirroring.
Start testing the APIs against all of the OWASP API Top 10 vulnerabilities.
If you love it and want to elevate the API security posture in your company, use the Enterprise version (for free). It automates all three steps above and allows collaboration.
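A minimal version of one of those OWASP API Top 10 checks, Broken Object Level Authorization (the IDOR class mentioned above), as an added example written for this page in Python. It is not Akto's own test code: a toy in-memory order API stands in for the target so the check runs offline, and the tokens and orders are constructed sample data. Against a real API, get_order would be replaced by an HTTP call returning (status_code, parsed_body).

```python
"""Added example (not Akto's own test code): a minimal Broken Object Level
Authorization check, the IDOR class from the OWASP API Top 10.

A toy in-memory order API stands in for the target so the check runs
offline; the sessions and orders below are constructed sample data.
Against a real API, replace get_order with an HTTP call that returns
(status_code, parsed_body).
"""

# Constructed sessions and data: two users, each owning one order.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {
    101: {"owner": "alice", "total": 42.0},
    202: {"owner": "bob", "total": 13.5},
}


def vulnerable_get_order(token, order_id):
    """Authenticates the caller but never checks ownership, so any valid
    session can read any order by guessing its id (BOLA)."""
    if token not in TOKENS:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def fixed_get_order(token, order_id):
    """Same endpoint with the ownership check added. A foreign id gets the
    same 404 as a missing one, so the endpoint does not leak which ids exist."""
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


def bola_check(get_order, victim_token, attacker_token, resource_id):
    """Two-session test: the victim fetches its own resource to establish a
    baseline, then the attacker requests the same id. The finding is only
    raised when the attacker gets a 200 *and* the same body, so a 200 that
    returns an error page or an empty object is not counted as a hit."""
    base_status, base_body = get_order(victim_token, resource_id)
    if base_status != 200:
        return {"vulnerable": False, "reason": "baseline failed, cannot test",
                "baseline": base_status, "attacker": None}
    atk_status, atk_body = get_order(attacker_token, resource_id)
    return {
        "vulnerable": atk_status == 200 and atk_body == base_body,
        "baseline": base_status,
        "attacker": atk_status,
    }


if __name__ == "__main__":
    for name, impl in (("vulnerable", vulnerable_get_order), ("fixed", fixed_get_order)):
        finding = bola_check(impl, "tok-alice", "tok-bob", 101)
        print(f"{name}: {finding}")
```

The baseline request matters: without it, a resource that does not exist (or a server that answers 200 to everything) would be reported as a finding, which is exactly the kind of false positive a test author has to design out.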
For Developer
If you are a developer, you can use Akto to automate API security tests as part of your CI/CD pipeline.
Set up Akto in your cloud. You can use the enterprise setup from here (for free).
Use traffic mirroring to auto-populate data in Akto.
Set up triggered or daily tests and send Slack alerts.
For Contributor
If you want to contribute to Akto, we (and the security community) would be forever grateful to you. You can contribute to
Sensitive data types - Your nation’s identification patterns, cookie patterns, PII patterns etc.
Adding more tests - Add or improve existing templates.
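What a sensitive data type contribution needs beyond a regex, as an added Python example for the "Sensitive data types" resource described above and in the contributor list. This is not Akto's own data-type format or code; the data type names, the validators and the SAMPLE_RESPONSE are constructed for illustration. A bare pattern for "13 to 19 digits" will flag order ids and millisecond timestamps as card numbers, so each type pairs its regex with a validator.

```python
"""Added example (not Akto's own data-type format or code): how a
sensitive data type for API traffic is more than a regex.

A bare pattern for "13 to 19 digits" flags order ids and millisecond
timestamps as card numbers, so each type below pairs its regex with a
validator. SAMPLE_RESPONSE is a constructed HTTP response used as input.
"""
import re


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_ok(value):
    digits = re.sub(r"[ -]", "", value)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def ssn_ok(value):
    """US SSN structural rules: area 000, 666 and 9xx are never issued,
    and group 00 / serial 0000 are invalid."""
    area, group, serial = value.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


# name -> (regex, validator). validator=None means the regex alone decides.
SENSITIVE_TYPES = {
    "EMAIL": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    "CREDIT_CARD": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), card_ok),
    "US_SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    "SESSION_COOKIE": (
        re.compile(r"\b(?:sessionid|JSESSIONID|connect\.sid)=[^;\s]+", re.IGNORECASE),
        None,
    ),
}


def scan(text, validate=True):
    """Return {type_name: [matched values]} found in an API response.
    With validate=False only the regexes run, which shows the extra hits
    a contributor would be shipping as false positives."""
    hits = {}
    for name, (pattern, validator) in SENSITIVE_TYPES.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if validate and validator is not None and not validator(value):
                continue
            hits.setdefault(name, []).append(value)
    return hits


# Constructed response: real-looking PII mixed with look-alike numbers.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123def; Path=/; HttpOnly

{"user": {"email": "alice@example.com", "ssn": "123-45-6789", "ref": "000-12-3456"},
 "payment": {"card": "4111 1111 1111 1111"},
 "order_id": 1234567890123, "created_ms": 1700000000000}"""


if __name__ == "__main__":
    print("regex only:     ", scan(SAMPLE_RESPONSE, validate=False))
    print("with validators:", scan(SAMPLE_RESPONSE))
```

Run with validate=False the scan reports three "card numbers" and two "SSNs"; with the validators it keeps only the Luhn-valid card and the structurally valid SSN. The same shape applies to a national ID pattern: ship the regex together with whatever checksum or range rule the issuing authority publishes.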
For Dreamer
If you want to pursue your dream to create your own API security tool - feel free to get a head start using Akto. It is under MIT licence. A few good ideas -
Reduce it to a command line tool - strip off the UI and embed it in any other security tool
Make a self-serve API security tool for devs
Make a VSCode plugin that populates and tests APIs in VSCode itself - no dashboard
If you need any help or suggestions, feel free to contact us at ankush@akto.io, ankita@akto.io or avneesh@akto.io.
Troubleshoot:
Ask any question about the product, request a feature and collaborate with other members to write API security tests on Slack here. Our devs are working very hard to build awesome software for you all and will be more than happy to help.
Open Source community edition vs Enterprise edition
The community edition is a single-instance tool for now. It is meant for individual security engineers or pentesters who want to test their APIs extensively for vulnerabilities. Given that individual usage, a couple of things might not work out best -
Scale - It depends on the power of the instance. If you plan to feed it your production data, we suggest you move to the Enterprise version - which is again free! It can easily handle 20M API calls per minute (5X of Google searches worldwide!) at a very low infra cost.
False positives - Runtime tries to understand and infer a lot of context around the APIs, and that context comes from the traffic data. The number of false positives drops drastically with a good amount of data; a single user’s traffic usually isn’t enough to make a difference, so you might see some false positives. We will be actively working to reduce this rate further.
Machine learning - Inferring context around the APIs requires statistical analysis and machine learning models. These are data-hungry pipelines. Any app with 10K sessions is good enough to get started; that can’t be expected from a single user!
Will the open source edition never have these?
To be honest, we don’t know. Our motivation for making Akto open source is to understand the technical challenges in API security by establishing a community of security engineers. We want to work with diverse people who can provide feedback or even contribute to Akto. If the community benefits from open-sourcing the ML modules, we will make it happen!
Plan - next 3 months
We have been transparent with our project roadmap. Here is our plan for this quarter (two more months pending). All of it will be contributed to this open source branch.
300+ tests by end of this quarter
Less than 10% false positive rate
Setup time under 60 seconds
Delight quotient - absolute 💯 😃
Drop us a Hi hello@akto.io. Join our community. Follow us on Twitter, LinkedIn or GitHub.