Tool for API and Security Testing?

I saw an interesting conversation pop up recently where someone was asking for others' experiences with SoapUI and Postman for API testing. In the first instance, they planned to only use the tool they chose to test APIs for integration testing and also to test the APIs between our front-end and back-end projects for our web application.

Longer-term, they wanted to choose a tool that could potentially be used for security testing so that they could do both API and security testing within the same tool.

Have you tried something similar? Is it something you would recommend? If so, what tools would you suggest and why?


Security testing is a harder thing that I don't think goes well with API automation. With security you want a tool that gets updates, and you should understand what your runtime environment looks like. I've had various architects set up WAFs (web application firewalls) and scanning tools that get updates and run scans against an API on intervals.

If you don't take the time to constrain it, you don't really come up with much. There is a lot of low-hanging OWASP Top Ten fruit that can be found from scanning, but the stuff that pays out from a Bugcrowd campaign is the things dedicated security testers find. Things like cached login credentials, poorly set authorization schemes that allow the end user to disable encryption themselves, and on and on.

There's low-hanging fruit, but as far as I know there is no silver-bullet security tool without spending time on understanding the problem space. I would love to hear that I'm wrong and there are good automated tools on the market now.

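The "constrain it" point above is easiest to see in code. The following is an added example, not code from any poster in this thread: a tiny in-process HTTP API with an owner-or-admin rule on profiles and an admin-only listing endpoint, plus the negative authorization checks (missing token, forged token, cross-user read, role escalation) that can live beside ordinary API integration tests. The endpoints, tokens, user records and the `run_authz_checks` helper are all constructed for illustration.

```python
"""Authorization checks next to API integration tests (illustrative, constructed)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed sample data: bearer token -> user record. Hypothetical values.
TOKENS = {
    "tok-alice": {"id": 1, "role": "user"},
    "tok-bob": {"id": 2, "role": "user"},
    "tok-admin": {"id": 3, "role": "admin"},
}
PROFILES = {1: {"email": "alice@example.test"}, 2: {"email": "bob@example.test"}}


class ApiHandler(BaseHTTPRequestHandler):
    """Minimal API: GET /users/<id> (owner or admin) and GET /admin/users (admin)."""

    def log_message(self, *_args):  # keep the console quiet
        pass

    def _user(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
        return TOKENS.get(token)  # None for missing or unknown tokens

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        user = self._user()
        if user is None:
            return self._send(401, {"error": "unauthenticated"})
        if self.path == "/admin/users":
            if user["role"] != "admin":  # function-level (role) check
                return self._send(403, {"error": "forbidden"})
            return self._send(200, {"users": sorted(PROFILES)})
        if self.path.startswith("/users/"):
            try:
                uid = int(self.path.rsplit("/", 1)[1])
            except ValueError:
                return self._send(404, {"error": "not found"})
            # Object-level check: only the owner or an admin may read a profile.
            if uid != user["id"] and user["role"] != "admin":
                return self._send(403, {"error": "forbidden"})
            if uid not in PROFILES:
                return self._send(404, {"error": "not found"})
            return self._send(200, PROFILES[uid])
        return self._send(404, {"error": "not found"})


def start_server():
    """Bind to an ephemeral localhost port and serve on a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), ApiHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def get(base, path, token=None):
    """Return the HTTP status code for a GET, optionally with a bearer token."""
    req = request.Request(base + path)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with request.urlopen(req) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


def run_authz_checks(base):
    """Negative tests derived from the authorization scheme, keyed by name -> passed."""
    return {
        "no_token_rejected": get(base, "/users/1") == 401,
        "forged_token_rejected": get(base, "/users/1", "tok-mallory") == 401,
        "owner_can_read_self": get(base, "/users/1", "tok-alice") == 200,
        "cross_user_read_blocked": get(base, "/users/2", "tok-alice") == 403,
        "admin_can_read_any": get(base, "/users/2", "tok-admin") == 200,
        "admin_endpoint_needs_role": get(base, "/admin/users", "tok-bob") == 403,
        "admin_endpoint_allowed_for_admin": get(base, "/admin/users", "tok-admin") == 200,
    }


if __name__ == "__main__":
    server, base_url = start_server()
    try:
        for name, ok in run_authz_checks(base_url).items():
            print(f"{'PASS' if ok else 'FAIL'} {name}")
    finally:
        server.shutdown()
```

The checks are written against the scheme (who may read which object, which role a route needs), which is exactly the knowledge a generic scanner does not have; a scanner will happily report a 200 on every request made with the one token you gave it. Point `run_authz_checks` at a real base URL and swap the constructed tokens for two real low-privilege accounts and one admin, and the same shape works from a Postman or SoapUI collection runner.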

Hi!

I’m the CEO of a testing automation company called Meeshkan, and this is part of the service we offer on meeshkan.com. The way we’re initially developing our service is that it tests authentication for certain popular frameworks (Spring Boot, Django, Phoenix) and certain popular providers (Okta, Auth0), although we hope to support any OAuth/JWT flow as the product grows over time.

@alanmbarr is right that this is a hard problem and it needs to be constrained. Our service only works (for now) on a small set of frameworks/languages that we can analyze to find these constraints, i.e., what roles exist, what scopes exist, what grants exist, what resources need what permissions, etc.

Do you know with what languages/frameworks the API you’re testing has been built? I can let you know if we support them at Meeshkan.

I thought that might be the case @alanmbarr but it’s been a long time since I looked at security testing so I’m not up to speed on what’s out there at the moment.

It's not my project, I'm afraid, @mikesol, so I'm not sure of the exact language/framework. If I can find the conversation again, though, I'll be sure to pass your tool on :)


Using OWASP ZAP (Zed Attack Proxy) for security testing, you can scan the automation scripts for vulnerabilities and malicious attacks, with a strong reporting feature.

Also, you can include a static code analyser in automation to do the security validations at code level.

Hope this helps.
