Synack Expands Security Platform with Adversarial API Pentesting

By: Synack
31 October 2022 at 10:00

Synack, the premier security testing platform, has launched an API pentesting capability powered by its global community of elite security researchers. Organizations can now rely on the Synack platform for continuous pentesting coverage across "headless" API endpoints that lack a user interface and are increasingly exposed to attackers.

"Synack's human-led, adversarial approach is ideal for testing APIs that form the backbone of society's digital transformation," said Synack CTO and co-founder Mark Kuhr, a former National Security Agency cybersecurity expert. "We are thrilled to offer customers a unique, scalable way to secure this growing area of their attack surfaces."

Gartner estimates API abuses will be the most common source of data breaches in enterprise web applications this year. Synack enables organizations to verify that exploitable API vulnerabilities, such as the broken authorization and broken authentication categories listed in the OWASP API Security Top 10, cannot be abused by malicious hackers.

"Many organizations are struggling to find the top-tier cyber talent needed to root out API-specific vulnerabilities," said Peter Blanks, Chief Product Officer at Synack. "We're excited to extend our Synack platform to provide human-powered offensive security testing on APIs."

Synack’s headless API capability builds on years of API pentesting experience through web and mobile applications. The new platform features allow customers to enter API documentation to guide testing scope and coverage. Next, researchers with the Synack Red Team attempt to exploit API endpoints in the way a real external adversary would.

Of the Synack Red Team’s over 1,500 global members, only those with proven API testing skills are activated on API requests, reducing noise. Synack’s Special Projects division led over 100 successful pentests against headless APIs in 2022, providing customers with critical proof-of-coverage reports while validating researchers’ API expertise.

Vulnerability submissions and testing reports are routed through Synack’s Vulnerability Operations team for a rigorous vetting process before being displayed in the platform, minimizing false positives and ensuring high-quality results.

For more information about Synack’s API security testing, visit our Solutions page.


Why You Need to Pentest Your APIs

By: Synack
12 July 2022 at 07:00

Planning Ahead to Pentest APIs Can Secure Communications and Save Development Time

What Are Application Programming Interfaces?

Application Programming Interfaces (APIs) are the workhorses of the internet. They facilitate the efficient communication of information between applications. They improve connectivity and help in building modern architectures. When an application makes a request to another application over the internet, chances are that those applications are communicating through an API.

Organizations are rapidly adopting APIs to deliver service and data, both internally and externally. API requests in 2021 comprised up to 83% of all internet traffic. And developers are using them more each year. API traffic grew 300% faster than traditional web traffic in 2020 and hits are expected to reach 42 trillion by 2024.

API Security Issues

APIs provide developers with powerful interfaces to the organization's services. But while facilitating communication, the explosion in API use has broadened the attack surface available to hackers. It even spurred the Open Web Application Security Project (OWASP) in 2019 to put together a top 10 checklist for developers. In 2021, 95% of organizations running production APIs experienced an API security incident, according to a survey of 250 companies. Yet, 34% of these organizations report that they don't have any API security strategy and slightly less than 27% report having only a basic strategy. Unmanaged and unsecured APIs are extremely inviting to attackers. In 2022, API abuse is predicted to be the most frequent attack vector for web applications.

Shift Left with API Testing

API testing is critical. And the earlier in the development process testing can be done, the better. Almost two thirds of surveyed organizations have had to delay new application rollout due to concerns with API security. In any development project, testing early in the development process ("shifting left" in industry parlance) saves development time and cost. APIs are no exception. You need to test not only for functional problems but also for security issues. API security testing complements web application penetration testing by directly exercising functions that are not reachable through an external GUI. And early testing can influence the development of functionalities, informing developers and designers about what is feasible and what the risk is with each planned function.

Traditional Application Testing vs. API Security Testing

Your API security testing program needs to recognize the differences between web application testing and testing an API directly. While classical web application security deals with threats such as injection attacks, cross-site scripting and buffer overflows, API breaches typically occur through authorization and authentication issues. The problems are most often in the business logic and in loopholes in the API code: an endpoint authenticates the caller but never checks whether that caller is allowed to act on the specific object or function requested. The end result is unintended access.
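The authorization failure described above is OWASP API1, broken object-level authorization (BOLA). The following is an added example, not code from Synack or from this post: a vulnerable invoice endpoint beside its hardened form, plus the probe a tester would run against each. The invoice records, the user names, the `Request` shape and the function names are all constructed for the illustration.

```python
"""
Broken object-level authorization (OWASP API1) versus a fixed handler.
Everything here is constructed sample data for the example: two users,
each owning one invoice, and a minimal in-memory "API".
"""
from dataclasses import dataclass

# Constructed store: numeric, guessable ids and an owner per record.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 9.99},
}


@dataclass
class Request:
    user: str        # identity taken from an already-validated session/token
    invoice_id: int  # object id supplied by the caller in the URL


def get_invoice_vulnerable(req: Request):
    """Authenticates (req.user is set) but never authorizes: any logged-in
    caller can read any invoice simply by changing the id in the request."""
    inv = INVOICES.get(req.invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_fixed(req: Request):
    """Object-level authorization: the record's owner must equal the caller.
    A foreign id gets 404 rather than 403 so the endpoint does not confirm
    that the object exists."""
    inv = INVOICES.get(req.invoice_id)
    if inv is None or inv["owner"] != req.user:
        return 404, None
    return 200, inv


def enumerate_ids(handler, user: str, id_range):
    """Tester's probe: as `user`, walk a range of ids and record every
    invoice the handler hands back that `user` does not own. A non-empty
    result is a BOLA finding against `handler`."""
    leaked = []
    for invoice_id in id_range:
        status, inv = handler(Request(user, invoice_id))
        if status == 200 and inv["owner"] != user:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    probe = range(100, 110)
    print("vulnerable handler leaks:", enumerate_ids(get_invoice_vulnerable, "alice", probe))
    print("fixed handler leaks:     ", enumerate_ids(get_invoice_fixed, "alice", probe))
```

The probe is the same whichever handler it targets; what changes is the check in the handler. Note that both handlers "work" functionally for a user reading their own invoice, which is why functional tests alone never catch this class of bug.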

API Pentesting with Human Expertise

Automated tooling like scanners and API firewalls only goes so far in securing your APIs. Injecting human expertise into the process can take API security to the next level with true offensive testing. But not just any tester can effectively perform pentesting on an API. Security researchers skilled in API testing understand API logic and endpoint functionality, and they can develop tests to identify vulnerabilities. They approach testing with the mindset of an adversarial attacker, testing the API one endpoint and method at a time. And they have the API-specific knowledge to properly interpret testing data, allowing them to do a thorough assessment and report only exploitable vulnerabilities, minimizing false positives. You'll be identifying security gaps and vulnerabilities in your APIs before they can be exploited by an attacker.

The value that diverse human perspectives bring to your security posture is not to be understated. That’s why the Synack Red Team is integral to providing a true adversarial perspective for your attack surface and bridging the cyber talent gap.
