12 Testing API security
This chapter covers
- Creating a testing strategy tailored to our threat models
- Testing API specifications to discover security-by-design flaws
- Leveraging contract testing and fuzzing to ensure our APIs work as intended
- Creating unit tests that help us assess the security posture of our APIs
- Creating complex tests to identify vulnerabilities in our business logic and flows
As we build our APIs, the inevitable question is whether we are making them secure. If you’ve followed all the best practices described in this book, you’ve threat modeled your API design choices, considered tradeoffs, accepted some risks, and produced a sound implementation. The thing is, there’s only so much we can do using threat modeling techniques and following best practices. At some point, we need some tests that give us a good level of confidence that our APIs are working the way they’re supposed to, and that they’re not vulnerable to exploits.
The two most common approaches to assessing the security of API implementations are using a penetration testing service and automated API security testing tools. Both choices are good and have their own place in a security testing strategy.