January 31, 2023
Around 30 million developers use APIs every day to build software applications, and a typical application runs on thousands of APIs. Developers continuously add new APIs and change the request and response parameters of existing ones with every release cycle. These APIs are exposed to all kinds of attacks: brute force, account takeover, IDOR (insecure direct object reference) and so on. To counter them, countless secure coding practices, packages, auth mechanisms and libraries have been introduced over the last ten years, and secure API development has changed radically. It still hasn't been enough to stop API attacks.
Why? Securing APIs is hard. First, attackers keep getting smarter and finding creative ways to hack APIs, so security teams are defending against known attacks while also trying to catch up with the new techniques attackers use to exploit vulnerabilities. Second, no single team can secure its APIs against all possible attacks by itself. Imagine learning the business logic of every API, writing thousands of tests for each one, and updating those tests whenever a developer changes the API logic even slightly, not to mention adding new test suites for constantly changing attack patterns. We are talking about a massive number of custom tests.
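To make the cost of such hand-written, per-API tests concrete, here is an added example (an illustration for this post, not Akto's code and not Akto's test format) of a single object-level authorization check for one endpoint. It runs against a constructed in-memory mock of an invoices endpoint, once with the ownership check missing and once with it present; the route, bearer tokens, user names and invoice IDs are all made up for the example.

```python
"""Hand-written IDOR test against a constructed mock API (example, not Akto code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample data: two users, each owning one invoice.
USERS = {"tok_alice": "alice", "tok_bob": "bob"}          # bearer token -> user
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120.0},
    "inv-2002": {"owner": "bob", "amount": 75.5},
}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


Handler = Callable[[Request], Response]


def _caller(req: Request):
    """Resolve the bearer token to a user name, or None if unauthenticated."""
    token = req.headers.get("Authorization", "").removeprefix("Bearer ")
    return USERS.get(token)


def _invoice_id(path: str) -> str:
    """The last path segment is the invoice ID in this (hypothetical) route layout."""
    return path.rsplit("/", 1)[-1]


def vulnerable_get_invoice(req: Request) -> Response:
    """GET /api/v1/invoices/{id}: authenticates the caller but never checks
    who owns the invoice. Any valid token can read any invoice (the IDOR)."""
    if _caller(req) is None:
        return Response(401, {"error": "unauthenticated"})
    inv = INVOICES.get(_invoice_id(req.path))
    if inv is None:
        return Response(404, {"error": "not found"})
    return Response(200, inv)


def hardened_get_invoice(req: Request) -> Response:
    """Same endpoint with an object-level ownership check added."""
    user = _caller(req)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    inv = INVOICES.get(_invoice_id(req.path))
    # 404 for both "missing" and "not yours" so the response does not
    # confirm that a guessed ID exists.
    if inv is None or inv["owner"] != user:
        return Response(404, {"error": "not found"})
    return Response(200, inv)


def idor_test(handler: Handler, template: Request, victim_ids: List[str]) -> List[str]:
    """Replay a request captured from the attacker's own account with each
    victim-owned ID substituted into the path, keeping the attacker's token.
    A 2xx whose body differs from the attacker's own baseline response means
    the handler served another user's object: an IDOR finding."""
    baseline = handler(template)
    prefix = template.path.rsplit("/", 1)[0]
    findings = []
    for vid in victim_ids:
        if vid == _invoice_id(template.path):
            continue  # the attacker's own object proves nothing
        mutated = Request(template.method, f"{prefix}/{vid}", template.headers)
        resp = handler(mutated)
        if 200 <= resp.status < 300 and resp.body != baseline.body:
            findings.append(vid)
    return findings


def run_suite() -> Dict[str, List[str]]:
    """Run the IDOR test against both handler variants; returns IDs leaked by each."""
    attacker_req = Request("GET", "/api/v1/invoices/inv-1001",
                           {"Authorization": "Bearer tok_alice"})
    victim_ids = ["inv-2002"]  # IDs known to belong to another user (bob)
    return {
        "vulnerable": idor_test(vulnerable_get_invoice, attacker_req, victim_ids),
        "hardened": idor_test(hardened_get_invoice, attacker_req, victim_ids),
    }


if __name__ == "__main__":
    for name, leaked in run_suite().items():
        verdict = f"IDOR: leaked {', '.join(leaked)}" if leaked else "no IDOR found"
        print(f"{name:10s} {verdict}")
```

Note what this one test depends on: the exact route shape, where the object ID sits in the path, a second account whose IDs are known, and a baseline response to compare against. Move the ID into a query parameter or request body, rename the route, or change the response envelope, and the test has to be rewritten. Multiply that by every endpoint and every attack class and you have the maintenance burden described above.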
How can we solve these challenges? Enter the open source API security world: a world where any developer or security engineer can add their API security tests and make them available for the community to use, where securing APIs is quick and easy, and where a security engineer in California can collaborate with a security engineer in Australia to secure APIs. We strongly believe Akto open source will help developers and security teams around the world secure their application APIs from attacks. Today, we are excited to introduce Akto Open Source to the world.
It has been 400 days since we first started programming Akto, and we have decided to open source everything we have developed so far! Show us your support by starring and contributing on GitHub here.
The whole Akto environment is now publicly available on GitHub. It has three parts -
Akto software - This is the brain of Akto, written by our team in Java and Vue.js
Setup - Docker Compose files to set up Akto on any machine
Resources - Written or compiled by the team at Akto.
In terms of effort, these many contributions are now available publicly 😃
For security engineers / independent pentesters
If you are a security engineer and want to use Akto to pentest your APIs, get started right away -
If you are a developer, you can use Akto to automate API security tests as part of your CI/CD pipeline.
If you want to contribute to Akto, we (and the security community) would be forever grateful to you. You can contribute to
If you want to pursue your dream of creating your own API security tool, feel free to get a head start with Akto. It is released under the MIT licence. A few good ideas -
Ask any question about the product, request a feature and collaborate with other members on writing API security tests on Slack here. Our devs are working very hard to build awesome software for you and will be more than happy to help.
For now Akto is a single-instance tool, meant for individual security engineers or pentesters who want to test their APIs extensively for vulnerabilities. Because it is built for individual use, a couple of things might not work as well -
Will it never have?
To be honest, we don't know. Our motivation for making Akto open source is to understand the technical challenges in API security by building a community of security engineers. We want to work with diverse people who can give feedback or even contribute to Akto. If the community would benefit from open sourcing the ML modules, we will make it happen!
We have been transparent about our project roadmap. Here is our plan for this quarter (two more months to go), all of which will be contributed to this open source branch.
Drop us a hi at firstname.lastname@example.org. Join our actively growing Slack community. Follow us on Twitter, LinkedIn or GitHub.