Is your API security testing process mature enough?
Regardless of the maturity of your development and security processes / methodologies, integrating security testing automation into your API development pipelines is a struggle.
With CI/CD and easy deployment of new microservices, changes to APIs are lightning quick with multiple iterations in a day, with the problem compounded further with the need to test tens, hundreds and even thousands of APIs.
In their recent webinar “Rest Assured…with DevSecOps for APIs “ Bright Security ran a poll asking – How would you describe your API security testing process(es)?”. This was also repeated on LinkedIn and Twitter with the following results.
“How would you describe your API security testing process(es)?”
An overwhelming 79% of respondents carry out their API security testing manually, with 13% conceding they don’t really have a process at all. This is not surprising, given that most legacy Dynamic Application Security Testing (DAST) tools, used to test applications for security vulnerabilities, simply lack the ability to test APIs at all. Almost 50% of total respondents outsource their manual testing for APIs to a third party. This is a very expensive process and is typically periodic (weekly, quarterly, annually, increasing the organisations’ window of exposure and cyber risk. Some organisations are lucky to have internal testing teams, but in many cases, these can be inexperienced, such as the QA team being leveraged with limited security training. Even in enterprise organisations, recent studies have shown that the ratio of developers to security can be 50:1 respectively. With APIs being tested manually, this adds a slow, expensive human bottleneck that is simply impossible to scale, leaving difficult cyber risk decisions to be made when releasing APIs into production.
Very few companies have the requisite maturity and experience in their security teams to develop their own ‘automation’, with security experts manually configuring, tweaking and managing a myriad of different purchased and / or OpenSource security testing tools, which may account for the 8% of those that have it fully automated.
Regardless of which of the above brackets you fall under, API security testing is carried out manually and late in the SDLC at best, and at worst, not at all!
DevOps and DevSecOps for your APIs is simply unachievable when having to rely on these manual processes that lack the ability to provide timely feedback to developers to fix issues early to be secure by design and minimise risk. Automation of security testing baked across your pipelines, for both WebApps and APIs, is paramount.
The company they keep
Any technology is only as good as the companies who trust it enough to buy it.
Bright Security are no exception, but we we're impressed with their customer portfolio. Here are some of the brands they work with: