Introducing Akto Open Source: Redefining API security

This blog is about our Open source launch, why we went open source and what future holds for Akto Open Source.

Akto Team

10 min read

30 million developers use APIs every day to build software applications, and a typical application runs on thousands of APIs. With every release cycle, developers add new APIs and modify the request and response parameters of existing ones. These APIs are vulnerable to all kinds of attacks, such as brute force, account takeover and IDOR. To counter them, countless secure coding practices, packages, auth mechanisms and libraries have been introduced over the last ten years, and secure API development practices have changed radically. It hasn’t been enough to stop API attacks.

Why? Securing APIs is hard. First, attackers keep getting smarter and finding creative ways to exploit APIs, while security teams work to prevent known attacks and catch up with the new techniques attackers are using. Second, no single team can secure its APIs against all possible attacks by itself. Imagine learning the business logic of each API, writing thousands of tests for each of them, and updating those tests whenever a developer changes the API logic even slightly, not to mention adding new test suites for the constantly changing attack patterns in the world. That is a massive number of custom tests.

How can we solve these challenges? Enter open source API security: a world where any developer or security engineer can add their API security tests and make them available to the community, where securing APIs is quick and easy, and where a security engineer in California can collaborate with a security engineer in Australia. We strongly believe Akto open source will help developers and security teams around the world secure their application APIs from attacks. Today, we are excited to introduce Akto Open Source to the world.

It has been 400 days since we first started programming Akto, and we have decided to open source everything we have developed so far. Show us your support by starring and contributing to the project on GitHub.

What is open sourced?

The whole Akto environment is now publicly available on GitHub. It has three parts:

Akto software - the brain of Akto, written by our team in Java and Vue.js:

  1. Dashboard - handles the user interface and authentication

  2. Runtime - processes data (API calls) and saves metadata for each API

  3. Testing - tests the endpoints for security vulnerabilities

Setup - the Docker Compose files needed to set up Akto on any machine

Resources - written or compiled by the team at Akto:

  1. Sensitive data types - the list of default sensitive data types

  2. Testing sources - several API security tests. Adding tests here is the quickest and most important way to contribute to Akto.

All of these contributions are now publicly available 😃

How do you use it?

For Security engineer / Independent pentester

If you are a security engineer and want to use Akto to pentest your APIs, get started right away:

  1. Run the setup command.

  2. Add traffic to the Akto dashboard by integrating with Burp Suite or Postman, or through traffic mirroring.

  3. Test the APIs against the OWASP API Security Top 10.

  4. If you like it and want to raise the API security posture of your company, use the Enterprise version (free). It automates the three steps above and supports collaboration.

For Developer

If you are a developer, you can use Akto to automate API security tests as part of your CI/CD pipeline.

  1. Set up Akto in your cloud. You can use the Enterprise setup (free).

  2. Use traffic mirroring to auto-populate data in Akto.

  3. Set up triggered or daily tests and send Slack alerts.

For Contributor

If you want to contribute to Akto, we (and the security community) will be grateful. You can contribute:

  1. Sensitive data types - identification number patterns for your country, cookie patterns, PII patterns, etc.

  2. More tests - add new test templates or improve existing ones.
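To show what a sensitive data type contribution does in practice, here is an added, stand-alone example. It is not Akto's data-type format or code: a small scanner walks a JSON API response and matches every leaf value against a few named patterns. The credit card pattern is paired with a Luhn checksum, so a random 16-digit order id is not flagged; a validation step like that is what keeps a pattern's false-positive rate down. The type names, regexes and the sample response are all constructed for this example.

```python
"""Illustrative sensitive-data-type scanner for JSON API responses.

Example code written for this post; it is not Akto's own data-type
format or implementation. All patterns and sample data are constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random 16-digit numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class SensitiveType:
    name: str
    pattern: "re.Pattern"
    # Optional extra check run on the regex match to cut false positives.
    validator: Optional[Callable[[str], bool]] = None

    def matches(self, value: str) -> bool:
        m = self.pattern.fullmatch(value)
        if not m:
            return False
        return self.validator(m.group(0)) if self.validator else True


# Constructed example types (assumed patterns, not a shipped list).
SENSITIVE_TYPES = [
    SensitiveType("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    SensitiveType("CREDIT_CARD", re.compile(r"(?:\d[ -]?){15}\d"),
                  validator=lambda v: luhn_ok(re.sub(r"[ -]", "", v))),
    SensitiveType("JWT", re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    SensitiveType("US_SSN", re.compile(r"\d{3}-\d{2}-\d{4}")),
]


def walk(node, path: str = "") -> Iterator[Tuple[str, object]]:
    """Yield (json_path, leaf_value) pairs for every scalar in a parsed JSON body."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, node


def scan_response(body: str) -> List[Tuple[str, str]]:
    """Return (json_path, type_name) for every leaf that matches a sensitive type."""
    findings = []
    for path, value in walk(json.loads(body)):
        text = value if isinstance(value, str) else str(value)
        for t in SENSITIVE_TYPES:
            if t.matches(text):
                findings.append((path, t.name))
    return findings


# Constructed sample response (not real data). 4111 1111 1111 1111 is the
# classic Luhn-valid test number; order_id passes the regex but fails Luhn.
SAMPLE_RESPONSE = json.dumps({
    "user": {"email": "alice@example.com", "ssn": "123-45-6789"},
    "payment": {"card": "4111 1111 1111 1111", "order_id": "1234567812345678"},
    "session": {"token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"},
    "ok": True,
})

if __name__ == "__main__":
    for path, type_name in scan_response(SAMPLE_RESPONSE):
        print(f"{path}: {type_name}")
```

Run as a script, it reports the email, the SSN-shaped value, the card and the token, and stays silent on `payment.order_id` because the digits fail the Luhn check. When contributing a pattern, pairing the regex with a validator of this kind (checksum, length, known prefix) is what separates a useful data type from one that fires on every long number in a response.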

For Dreamer

If you want to pursue your dream of creating your own API security tool, feel free to get a head start with Akto. It is under the MIT licence. A few ideas:

  1. Reduce it to a command line tool: strip the UI and embed it in any other security tool

  2. Make a self-serve API security tool for developers

  3. Make a VS Code plugin that populates and tests APIs inside VS Code itself, with no dashboard

If you need any help or suggestions, feel free to contact us at ankush@akto.io, ankita@akto.io or avneesh@akto.io.

Troubleshooting:

Ask questions about the product, request features and collaborate with other members on writing API security tests on Slack. Our developers are working very hard to build great software for you and will be happy to help.

Open Source community edition vs Enterprise edition

The open source edition is a single-instance tool for now. It is meant for individual security engineers or pentesters who want to test their APIs extensively for vulnerabilities. Because it is built for individual use, a couple of things may not work as well:

  1. Scale - depends on the power of the instance. If you plan to feed it your production traffic, we suggest moving to the Enterprise version, which is also free. It can handle 20M API calls per minute (5X of Google searches worldwide!) at a very low infrastructure cost.

  2. False positives - the Runtime infers a lot of context about the APIs from the traffic data, and the false positive rate drops sharply with a good amount of data. A single user’s traffic usually isn’t enough to make a difference, so you may see some false positives. We are actively working to reduce this rate further.

  3. Machine learning - inferring context about APIs requires statistical analysis and machine learning models, which are data-hungry pipelines. Any app with 10K sessions is enough to get started; a single user can’t be expected to provide that.

Will the open source edition never have these?

To be honest, we don’t know. Our motivation for open sourcing Akto is to understand the technical challenges in API security by building a community of security engineers. We want to work with diverse people who can give feedback or contribute to Akto. If the community would benefit from open sourcing the ML modules, we will make it happen!

Plan - next 3 months

We have been transparent about our project roadmap. Here is our plan for this quarter (2 months remaining). All of it will be contributed to the open source branch.

  1. 300+ tests by end of this quarter

  2. Less than 10% false positive rate

  3. Setup time under 60 seconds

  4. Delight quotient - absolute 💯 😃

Drop us a hi at hello@akto.io. Join our community. Follow us on Twitter, LinkedIn or GitHub.
