Power and control in the hands of DevOps. Scanning in minutes, not hours
Is your API security testing process mature enough?
Regardless of the maturity of your development and security processes / methodologies, integrating security testing automation into your API development pipelines is a struggle.
With CI/CD and easy deployment of new microservices, changes to APIs are lightning quick with multiple iterations in a day, with the problem compounded further with the need to test tens, hundreds and even thousands of APIs.
In their recent webinar “Rest Assured…with DevSecOps for APIs “ Bright Security ran a poll asking – How would you describe your API security testing process(es)?”. This was also repeated on LinkedIn and Twitter with the following results.
An overwhelming 79% of respondents carry out their API security testing manually, with 13% conceding they don’t really have a process at all. This is not surprising, given that most legacy Dynamic Application Security Testing (DAST) tools, used to test applications for security vulnerabilities, simply lack the ability to test APIs at all. Almost 50% of total respondents outsource their manual testing for APIs to a third party. This is a very expensive process and is typically periodic (weekly, quarterly, annually, increasing the organisations’ window of exposure and cyber risk. Some organisations are lucky to have internal testing teams, but in many cases, these can be inexperienced, such as the QA team being leveraged with limited security training. Even in enterprise organisations, recent studies have shown that the ratio of developers to security can be 50:1 respectively. With APIs being tested manually, this adds a slow, expensive human bottleneck that is simply impossible to scale, leaving difficult cyber risk decisions to be made when releasing APIs into production.
Very few companies have the requisite maturity and experience in their security teams to develop their own ‘automation’, with security experts manually configuring, tweaking and managing a myriad of different purchased and / or OpenSource security testing tools, which may account for the 8% of those that have it fully automated.
Regardless of which of the above brackets you fall under, API security testing is carried out manually and late in the SDLC at best, and at worst, not at all!
DevOps and DevSecOps for your APIs is simply unachievable when having to rely on these manual processes that lack the ability to provide timely feedback to developers to fix issues early to be secure by design and minimise risk. Automation of security testing baked across your pipelines, for both WebApps and APIs, is paramount.
Bright Security are no exception, but we we're impressed with their customer portfolio. Here are some of the brands they work with:
AUTOMATED Application Security Testing for SOFTWARE DEVELOPERS
And why they’re crucial
A must-read for DevOps and Cyber Security leaders
Apples and Pears, or on the same side?
Digital transformation is different in every organisation, but a key contingent involves the business implementing new strategies around how they deploy technology and the security required to keep business assets safe
Application security testing can be categorized into three types: black-box, grey-box, and white-box testing.
Bright Security is the industry's first zero-false positive, fully automated AI-DAST platform built for developers and modern development environments.
Security Misconfiguration: Impact, Examples and Prevention
Sign up for free trial. No credit card required.
The Winning Approach to Microservices Security
NeuraLegion helps significantly improve application security at a lower cost by providing no false-positive, AI-powered DAST & Fuzzer solutions, purpose-built for modern development environments.
Continuing our evaluation of legacy DAST vs Modern DAST, we’ve taken a light-hearted look at the operational and process challenges experienced by DevOps, Cybersecurity teams and QA when preparing Apps for release to the wild
Richard Dickinson, EMEA Sales Director, Bright Security
Delivering stability, control, cost savings and speed to market
Enabling the ‘Shift Left’. FAST
Share this story
Let us know what you think about the article.
We're a community where IT security buyers can engage on their own terms.
We help you to better understand the security challenges associated with digital business and how to address them, so your company remains safe and secure.