These materials are © 2023 John Wiley & Sons, Inc.
Any dissemination, distribution, or unauthorized use is strictly prohibited.
API Security Testing
Noname Security Special Edition
by Lawrence Miller, CISSP
API Security Testing For Dummies®,
Noname Security Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2023 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without
the prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be
used without written permission. All other trademarks are the property of their respective owners.
John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE
USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS
OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF
THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN
SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN
ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/
OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER
AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR
PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH
THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL
SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR
YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER,
READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED
OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY
OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL,
CONSEQUENTIAL, OR OTHER DAMAGES.
ISBN 978-1-119-86976-4 (pbk); ISBN 978-1-119-86977-1 (ebk)
For general information on our other products and services, or how to create a custom For
Dummies book for your business or organization, please contact our Business Development
Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/
custompub. For information about licensing the For Dummies brand for products or services,
contact BrandedRights&[email protected].
Publisher’s Acknowledgments
Some of the people who helped bring this book to market include the following:
Project Editor: Elizabeth Kuball
Acquisitions Editor: Ashley Coffey
Editorial Manager: Rev Mengle
Senior Client Account Manager: Matt Cox
Production Editor: Mohammed Zafar
Table of Contents
INTRODUCTION
  About This Book
  Foolish Assumptions
  Icons Used in This Book
  Beyond the Book
CHAPTER 1: Understanding Application Programming Interfaces
  What Is an API?
  How Are APIs Used in the Private and Public Sector?
CHAPTER 2: Exploring API Risks and Vulnerabilities
  Looking at the Growing API Attack Surface
  Identifying the Top Threats
  Addressing Other API Vulnerabilities
CHAPTER 3: Recognizing the Limitations of Existing Tools and Approaches
  Static Application Security Testing
  Dynamic Application Security Testing
  Interactive Application Security Testing
  Software Composition Analysis
  Recognizing the Need for API Security Testing
CHAPTER 4: Adopting a Shift-Left Approach
  Understanding the Need for API Security Testing
  Introducing Active Testing
  Realizing the Value of Testing Early and Often
CHAPTER 5: Five Keys to Rapidly Delivering Secure Applications and APIs
Introduction
Digital transformation initiatives have forced application
developers to move at an accelerated pace to meet enter-
prise goals and maintain market competitiveness. However,
this “death march” frequently leads to DevOps teams cutting cor-
ners to execute plans and meet deadlines. Oftentimes, code qual-
ity suffers and security vulnerabilities are exposed.
Many organizations fail to adequately test their application pro-
gramming interfaces (APIs). Even organizations that do test their
APIs often test only for functionality, not security. API security
testing is either bypassed altogether or done manually via home-
grown processes without a true API security testing tool. This
increases the likelihood of APIs being released with design flaws
and misconfigurations.
To protect their applications and data from increasingly sophisti-
cated threats that target API vulnerabilities and risks, application
developers and DevOps teams must adopt a “shift-left” approach,
testing early and often in their software development life cycle
(SDLC) with an enterprise-grade API security testing solution.
About This Book
API Security Testing For Dummies, Noname Security Special Edition,
consists of five chapters that explore the following:
»» What APIs are and how they’re used (Chapter 1)
»» The growing API attack surface (Chapter 2)
»» The limitations of existing API security testing tools and
approaches (Chapter 3)
»» How Active Testing enables a shift-left approach to security
(Chapter 4)
»» Important keys to secure application and API delivery
(Chapter 5)
Each chapter is written to stand on its own, so if you see a topic
that piques your interest, feel free to jump ahead to that chapter.
You can read this book in any order that suits you.
Foolish Assumptions
It has been said that most assumptions have outlived their use-
lessness, but I assume a few things nonetheless!
Mainly, I assume that you are a DevOps manager, an application
security professional, or even an application developer, interested
in building a meaningful DevSecOps process for your organiza-
tion. As such, you recognize the need to overcome the common
perception of security as a hindrance to innovation and to pro-
actively collaborate with your application security teams to inte-
grate effective security measures into your delivery pipelines.
If any of these assumptions describes you, then this is the book
for you! If none of these assumptions describes you, keep reading
anyway — it’s a great book, and after reading it, you’ll know quite
a bit about API security testing.
Icons Used in This Book
Throughout this book, I use special icons to call attention to
important information. Here’s what to expect:
This icon points out important information you should commit to
your nonvolatile memory, your gray matter, or your noggin.
This icon explains the jargon beneath the jargon and is the stuff
legends — well, legendary nerds — are made of.
Tips are appreciated but never expected, and I sure hope you’ll
appreciate these useful nuggets of information.
These alerts point out the stuff your mother warned you about.
Well, probably not, but they do offer practical advice.
Beyond the Book
There’s only so much I can cover in this short book, so if you find
yourself at the end of it wondering, “Where can I learn more?,”
head to https://nonamesecurity.com.
IN THIS CHAPTER
»» Defining application programming
interfaces (APIs)
»» Leveraging the power of APIs in the
private and public sectors
Chapter 1
Understanding Application Programming Interfaces
This chapter starts with the basics: what APIs are, what they
do, and how they enable our digital world in both the private
and public sectors.
What Is an API?
Application programming interfaces, or APIs, help make applications
and digital services easier to consume. APIs also make
it easier for developers to build, enhance, and maintain applications.
How exactly? In a nutshell, APIs are software interfaces
that dictate how software components interact with each other
and define how data is shared and modified.
APIs can be written in practically any programming language
(such as Java, Go, or C#), and many API standards exist that use
Extensible Markup Language (XML), JavaScript Object Notation
(JSON), and so on as the data format, making it possible to seamlessly
transmit data between disparate systems (see Figure 1-1).
Source: Altexsoft
FIGURE 1-1: API architectural styles comparison.
APIs do two things (see Figure 1-2):
»» They allow people to build applications (software) that
communicate with existing applications and services.
»» They allow people to build applications that perform certain
actions on data.
Some APIs even give software the ability to interact with physical
devices using specialized protocols.
FIGURE 1-2: APIs allow applications to communicate with other applications
and services.
The Twitter API is a real-world example of an API that allows people
to build applications that can pull Twitter data and compose tweets.
Using the API, an application like Tweetbot can read tweets from a
Twitter account and let the user compose a new tweet without the user
signing in to the Twitter website each time: the user authorizes the
application once, and the application then calls the API with an
access token. Similarly, the Gmail API allows people to build
applications that let users compose and send emails without ever
logging in to Gmail.
With APIs, you can build applications that automatically update
without requiring any manual work. You can also empower users
to interact with existing applications and services in a more efficient
way. This increases developer productivity by allowing them
to focus on the functionality of their applications rather than on
the different software components.
There are different types of APIs, some of which are used for
communication between microservices. These types include Simple
Object Access Protocol (SOAP), Representational State Transfer
(REST), and GraphQL APIs. Some APIs are intended to manipulate
data, such as create, read, update, delete (CRUD) APIs.
APIs and microservices often get confused because microservices
use APIs. Microservices are small, independently deployable software
components that each handle one piece of an application's
functionality, and APIs are the communication medium between them.
A microservice processes requests on its own, usually without
human intervention, and those requests can be for actions such as
reading data, updating data, or even deleting data. So again,
microservices leverage APIs but are not APIs themselves (see
Figure 1-3).
FIGURE 1-3: APIs and microservices.
How Are APIs Used in the Private and Public Sector?
Simply put, APIs connect the world, from revenue-generating customer
experiences to cost-saving back-end integrations, and everything
in between. Quite frankly, APIs are an integral part of practically
every digital activity — in both the private and public sectors.
In the private sector, APIs enable financial institutions to enhance
the consumer experience and streamline payments. APIs enable
retailers to generate new revenue streams, optimize existing processes,
and strengthen relationships with customers. Likewise,
healthcare organizations use APIs to seamlessly share data across
the continuum of care.
According to Marsh McLennan Global Cyber Risk Analytics Center,
“healthcare API traffic grew by more than 400 percent in 2020,
and health monitoring API use increased an additional 941 percent
in 2021.” This explosive growth in API usage presents a rich
target for cybercriminals to exploit sensitive data. And the reality
is, healthcare organizations can’t afford to sit idle — especially
when considering the average cost of a data breach in healthcare
reached $9.42 million per incident, according to IBM Security.
The impact of APIs can be seen across all areas of the public sector,
including education, transportation, healthcare, social services,
and law enforcement. APIs enable government agencies to
seamlessly share data across federal, state, and local levels. APIs
are also essential for ushering in advanced capabilities and new
functionality for citizens, veterans, and government personnel.
However, despite the myriad benefits that APIs present to government
agencies, APIs also expand the attack surface. And
with API usage skyrocketing, agencies need to proactively guard
against the new security risks that APIs present. As the number of
APIs quickly surpasses the manual span of control and capabilities
of existing legacy security controls, public agencies are facing
increasing challenges when it comes to security. To put things
into perspective, the average cost of a data breach in the public
sector has surged 78.7 percent year over year to $1.93 million per
incident, according to IBM Security.
Unfortunately, many government agencies look at APIs as part
of traditional application security. The reality is, AppSec and
DevOps personnel need to think about APIs separately, with their
own security considerations. APIs present their own unique risks,
which legacy tools can’t address. Agencies need to partner with
the right API security vendor in order to build a complete governance
and security program for their APIs.
CUSTOMER SUCCESS STORY: RAPYD
Rapyd is the fastest way to power local payments anywhere in the
world, enabling companies across the globe to access markets
quicker than ever before. By utilizing Rapyd’s unparalleled payments
network and Fintech as a Service (FaaS) platform, businesses and con-
sumers can engage in local and cross-border transactions in any mar-
ket. The Rapyd platform is unifying fragmented payment systems
worldwide by bringing together 900-plus payment methods in more
than 100 countries.
Challenges
Rapyd’s main product is its public payments API, which handles billions
of dollars of transactions 24/7. Even minor instances of
disruptions, fraud, or abuse could mean millions of dollars in lost
revenue, significant remediation costs, and a loss of customer trust for
both Rapyd and its customers.
Although Rapyd ran an active bug bounty program, significantly cus-
tomized its web application firewall (WAF), and considered API secu-
rity mission-critical, its APIs were a “black box” to its security team. It
lacked granular visibility into API usage and behavior, business logic
was unknown, and it was difficult to identify — let alone stop —
attacks in real time.
Consequently, Rapyd’s security team needed a better way to secure
both its public API and its hundreds of internal APIs in a highly com-
plex system operating in Amazon Web Services (AWS) at a global
scale. This meant a purpose-built API security solution that didn’t have
the blind spots of its existing infrastructure, including WAFs and API
gateways. Rapyd needed a granular inventory of all its APIs, visibility
into mistakes or misconfigurations creating vulnerabilities in its secu-
rity posture, intelligently prioritized alerts so security analysts could
focus on the most important risks, and the automation and integra-
tions necessary to stop attacks.
Solution
Rapyd’s chief information security officer (CISO) evaluated a number
of established purpose-built API security solutions, including from
vendors with numerous patents and long track records. However,
most fell short of providing complete API security because they lacked
important capabilities, such as full packet capture for deep analysis of
attacker behavior, visibility beyond traffic and anomalies into its
global API security posture, and the backing of world-class security
researchers.
Unlike other vendors and the “API security” features of their current
infrastructure, only Noname Security provided the combination of
comprehensive visibility from code to production, discoverability,
automation, integrations, and intelligent behavior-based anomaly
detection that Rapyd needed.
From their first meeting, Noname Security demonstrated an intense
customer focus, level of expertise, and industry leadership that sur-
passed other vendors.
After evaluating each vendor’s holistic combination of product and
team capabilities, Noname Security emerged as the clear leader. The
CISO’s team quickly deployed the Noname API Security Platform —
with posture management, runtime protection, and Active Testing in
one unified solution — across all its AWS regions globally.
Results
With the Noname API Security Platform, Rapyd can protect its APIs
and critical assets from cyberattacks with:
• Easy, effective, and accurate API behavioral prevention, detection,
and response
• Effective resource utilization to proactively de-risk the
environment
• Evidence of security control and demonstration of compliance
• Secure handling of sensitive data and third-party risk exposure
Rapyd can now confidently grow its global business both quickly and
securely, as real data from blocked attacks and production vulnerabili-
ties inform its development efforts and new code can be easily tested
before going live. Rapyd will also have full architectural freedom to
deploy Noname as fully cloud-based, fully on-premises, or any hybrid
combination as needed as it continues to expand into new markets
and regulatory environments.
IN THIS CHAPTER
»» Surveying the burgeoning application
programming interface (API) attack
surface
»» Looking at the top API threats
»» Addressing other API vulnerabilities
Chapter 2
Exploring API Risks and Vulnerabilities
This chapter explores the rapidly growing application pro-
gramming interface (API) attack surface, the top threats to
APIs, and other vulnerabilities that need to be addressed in
a robust API security program.
Looking at the Growing API Attack Surface
APIs are the backbone of today’s app-driven world, and they
establish key conduits for working both inside the enterprise
and with partners and customers. But these critical byways are
under attack, and simple API misconfigurations have already led
to major breaches.
APIs are specifically designed to allow access to software services
that may contain sensitive data. Unfortunately, many organizations’
API ecosystems are fraught with vulnerabilities, and too
often enterprises become aware of them only after a breach has
occurred. API security is complex, and even for organizations
that are proactively managing API risk, the range of vulnerabili-
ties and security risks associated with APIs can be daunting.
According to The API Security Disconnect – API Security Trends in
2022, 76 percent of respondents suffered an API security incident
in the last 12 months.
Identifying the Top Threats
The Open Web Application Security Project (OWASP) API Security
Top 10 is an excellent starting point to help organizations identify
the most critical threats to their API footprint.
OWASP classifies each API security threat according to four
criteria:
»» Exploitability
»» Weakness prevalence
»» Weakness detectability
»» Technical impact
Each factor is given a score, with three being the most severe (see
Figure 2-1). A vulnerability that is easy to exploit, widespread,
and easily detectable with severe technical impact is the most
urgent to address. These dimensions allow API security risks to be
force-ranked in terms of severity.
FIGURE 2-1: OWASP scoring criteria.
The OWASP API Security Top 10 (2019) includes the following
vulnerabilities (note that the list is revised every few years; an
updated 2023 edition has since been published, and it keeps broken
object level authorization as its first entry):
»» Broken object level authorization: APIs often expose
endpoints that handle object identifiers (that is, a unique