Introducing Test Editor: Your playground for writing custom API security tests
Akto's test editor is the world's first personalized API security testing tool. It is a simple, fast and scalable way to test APIs for security vulnerabilities.
Ankita Gupta
5 mins
Six months ago, we began our journey with security testing. Since then, we have worked with hundreds of security teams across the world. Our focus has been on automating the testing of APIs to make it as easy as possible for security teams to test them before each release. We covered hundreds of test cases and automated them end to end, trying to cover every possible scenario. However, we hit a massive hurdle along the way. We realized that every developer has a unique way of writing APIs, and the problem becomes even more complicated when multiple developers contribute code at high speed. For example, for one API the error status code may be 200 OK, for another it may be 4xx, and for a third it could be 200 OK with a status of "error". Finally, we came to the following conclusion:
Every API is unique. Your API testing should be too.
This changed the way we thought about testing at Akto. It is not easy to cover all test cases with all the possible logic of your unique APIs. We realized the need for personalized and scalable API security testing.
Today, we are going beyond automated testing with Akto’s new test editor.
Introducing the world's first personalized security testing
Security teams often find themselves performing manual grunt work before every release. Traditional API security testing products are becoming increasingly restrictive for three reasons.
Firstly, these products cover only a fraction of critical vulnerability tests. As new vulnerabilities are discovered, it becomes harder for users to find tests for them in these traditional tools. Secondly, users have no way to customize tests to their business requirements. They end up manually testing for the critical and business logic vulnerabilities that traditional tools do not cover. This painful process slows users down and hurts the completeness and depth of the application's security testing. Thirdly, users want to understand how their APIs are being tested. Today's testing tools offer no visibility at all.
Akto's test editor lets users write simple YAML templates in under 10 minutes, test them on sample APIs and add them to their API security test library for continuous testing. Test Editor supports tests for both JSON and GraphQL APIs. It comes with 100 built-in templates for users to play around with and edit as their business needs require. The best part is that, since you already have your API inventory in Akto, you can automate all your custom tests across all your APIs after writing them in the test editor.
We chose YAML as the test language because it is the easiest language for security teams to write tests in.
Our beta customers have been able to write 10 or more custom tests for their unique API behaviors in just a few hours, compared to the weeks each test took previously. Here is an example of a YAML template written in Akto.
Three components of Test Editor:
Akto's Test Library: Akto's default test library includes 100+ tests and continues to grow as we cover more cases from OWASP Top 10 of APIs, business logic tests, and more.
YAML Test Editor: The editable YAML file consists of five blocks: id, info, API filters, execute, and validation. This is where you write your test.
Sample API to Test: This is a sample API that you can select and run your test on to see how it works. You can use Akto's default API for testing purposes.
Example test case
Let’s say you want to write a test that checks for broken authentication by removing the CSRF token. Watch this video for a step-by-step guide on how to write this test in the test editor.
In the above demo, we created a custom template using the test editor and tested our API for the vulnerability. As a security engineer, you can add as many custom templates as you want and automate your complete API testing.
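To make the five-block structure from the components list concrete, here is an illustrative template for the CSRF-removal check described above. It is an added example written for this post, not a template from Akto's library or from the video, and the key names inside each block (api_selection_filters, delete_header, percentage_match and the like) are assumptions about the editor's syntax that should be checked against Akto's docs before use.

```yaml
# Added illustrative template (not Akto's own): replays a captured request
# with its CSRF token header removed and reports the endpoint if the server
# still answers as though the token were present.
# The five blocks follow the post (id, info, API filters, execute, validation);
# the individual key spellings below are assumptions about the editor's syntax.
id: MISSING_CSRF_TOKEN_NOT_REJECTED

info:
  name: "State-changing request accepted without CSRF token"
  description: "Removes the x-csrf-token header from a sample request and checks whether the API still accepts it."
  impact: "A state-changing endpoint that ignores the CSRF token can be driven by a forged cross-site request."
  severity: HIGH
  tags:
    - Broken Authentication
    - Business logic

# API filters: only consider sample requests that carried a CSRF token,
# used a state-changing method and succeeded, so that a hit means something.
api_selection_filters:
  method:
    contains_either:
      - POST
      - PUT
      - PATCH
      - DELETE
  response_code:
    gte: 200
    lt: 300
  request_headers:
    for_one:
      key:
        contains_either:
          - x-csrf-token

# Execute: send one modified copy of the sample request with the header dropped.
execute:
  type: single
  requests:
    - req:
        - delete_header: x-csrf-token

# Validation: describes the response that indicates the vulnerability.
# If the server still returns 2xx with a body that closely matches the
# original response, the token was never enforced and the test reports it.
validate:
  response_code:
    gte: 200
    lt: 300
  response_payload:
    percentage_match:
      gte: 90
```

Run the template against the sample API in the editor first, then add it to your library. The filters block is what keeps the test from producing noise on endpoints that never used a CSRF token in the first place, and the payload-similarity check in validation guards against counting a 200 OK error page as an accepted request.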
For example, one of our customers was able to add a privilege escalation test by writing rules that filter APIs based on URL criteria and validate based on the error they expect. These custom tests now run in their CI/CD pipeline for all new and existing APIs.
Start writing API Security Tests
We are excited to see what you write with the endless possibilities of the test editor. The test editor is available in beta across self-hosted and cloud plans starting today. Start writing tests by signing up for an Akto account or read more details in the docs.
Your testing playground
We understand that you may want to take the test editor for a spin before fully integrating it. With that in mind, we've created a dedicated interactive sandbox environment just for you. Go test your APIs in your playground.