10 top API security testing tools



Application programming interfaces (APIs) are a critical part of most modern programs and applications. In fact, both cloud deployments and mobile applications have come to rely so heavily on APIs that neither works without an API connecting its components somewhere along the line.

Many larger companies, especially those with a big online presence, have hundreds or even thousands of APIs embedded in their infrastructure, and that number keeps growing.

The ingenious thing about APIs is that they are interfaces rather than whole applications: an individual API is usually a small, well-defined surface that is cheap in terms of network and compute resources. Yet an API contract is also meant to be stable, so clients keep working and performing their main functions even when the program behind the interface changes, such as when patches are applied.

As useful as APIs are, they also have their faults. Because they can be designed to do almost anything, from a single function repeated over and over to controlling the advanced aspects of a program or platform, few standards govern their design (specification formats such as OpenAPI describe what an API exposes; they do not constrain what it is allowed to do). Most APIs are unique, and many organisations simply create new APIs as needed. That can be a nightmare for security teams.

Another reason APIs are attractive to attackers is that many are over-permissioned. Even an API that performs only a few functions often runs with near-administrator privileges, on the assumption that something so small could not possibly do any harm.

Attackers who compromise an API also obtain whatever credentials it holds, and they reuse those credentials for new purposes, such as data exfiltration or deeper penetration into the network. According to security research conducted by Akamai, nearly 75 per cent of modern credential attacks targeted vulnerable APIs.

The problem is getting worse. According to Gartner, by 2022 attacks on APIs will become the most frequent attack vector across all cybersecurity categories.

API testing tools to the rescue

Having a critical network and program component in the crosshairs of attackers is bad enough, but with APIs the situation is even more precarious because of the lack of standards in their creation. Many organisations likely don't know how many APIs they are using, what those APIs do, or what level of permission they hold. Then there is the question of whether those APIs contain any vulnerabilities.

Industry and private groups have come up with API testing tools and platforms to help answer those questions. Some tools perform a single function, such as checking whether specific Docker APIs are improperly configured.

Others take a more holistic approach to an entire network, discovering APIs and then reporting what they do and whether they are vulnerable or over-permissioned.
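The inventory and permission questions above can be answered for any API that ships an OpenAPI document. The following is an added example written for this article, not code from any product it names: it walks an OpenAPI 3 document, lists every operation, and flags those that are reachable without authentication, those where authentication is optional, and those that demand a scope the caller considers too broad. The sample document, its paths and its scope names ("admin", "orders:write") are constructed for the demo; a real run would load the organisation's own spec with `json.load` or `yaml.safe_load`.

```python
"""Inventory the operations in an OpenAPI 3 document and flag the ones that
need no authentication or that demand an over-broad scope.

Added example for this article; not code from APIsec, AppKnox or any other
product named here. Assumes an OpenAPI 3.x document loaded into a dict and a
caller-supplied list of scopes that count as "broad". SAMPLE_SPEC is
constructed for the demo."""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample: orders:read is required by default, refunds need the
# full "admin" scope, /health makes auth optional with `{}`, and someone
# switched authentication off on /admin/export with `security: []`.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API (constructed sample)", "version": "1.0"},
  "security": [{"oauth": ["orders:read"]}],
  "components": {"securitySchemes": {"oauth": {
    "type": "oauth2",
    "flows": {"clientCredentials": {
      "tokenUrl": "https://auth.example.invalid/token",
      "scopes": {"orders:read": "read orders", "orders:write": "create orders",
                 "admin": "full access"}}}}}},
  "paths": {
    "/orders": {
      "get":  {"summary": "List orders"},
      "post": {"summary": "Create order", "security": [{"oauth": ["orders:write"]}]}
    },
    "/orders/{id}/refund": {
      "post": {"summary": "Refund an order", "security": [{"oauth": ["admin"]}]}
    },
    "/health": {
      "get": {"summary": "Liveness check", "security": [{}]}
    },
    "/admin/export": {
      "get": {"summary": "Dump every order", "security": []}
    }
  }
}
""")


def operations(spec):
    """Yield (label, operation) for every HTTP operation in the document."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield f"{method.upper()} {path}", op


def effective_security(spec, op):
    """Security requirement that applies to an operation. An operation-level
    `security` overrides the document default; an explicit empty list means
    the operation is reachable without any credential at all."""
    return op["security"] if "security" in op else spec.get("security", [])


def scopes_required(security):
    """Union of scopes named across all alternative requirement objects."""
    return {s for req in security for scope_list in req.values() for s in scope_list}


def audit(spec, broad_scopes=("admin",)):
    """Return sorted (label, finding) pairs for operations that are
    unauthenticated, auth-optional, or gated on a caller-defined broad scope."""
    findings = []
    for label, op in operations(spec):
        security = effective_security(spec, op)
        if not security:
            findings.append((label, "unauthenticated"))
            continue
        if any(not req for req in security):  # an empty `{}` alternative = optional auth
            findings.append((label, "auth-optional"))
            continue
        broad = scopes_required(security) & set(broad_scopes)
        if broad:
            findings.append((label, "broad-scope:" + ",".join(sorted(broad))))
    return sorted(findings)


if __name__ == "__main__":
    print(f"{sum(1 for _ in operations(SAMPLE_SPEC))} operations inventoried")
    for label, finding in audit(SAMPLE_SPEC):
        print(f"{finding:24} {label}")
```

Running it against the sample lists five operations and three findings: the export endpoint with no authentication, the health check with optional authentication, and the refund endpoint tied to the "admin" scope. Widening `broad_scopes` to include "orders:write" also surfaces the order-creation endpoint, which is how a team expresses its own idea of least privilege rather than relying on a fixed list.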

Several well-known commercial API testing platforms are available, as well as a large pool of free or low-cost open-source tools. The commercial tools generally have more support options and may be deployable remotely through the cloud or even as a service.

Some open-source tools may be just as good, and they have the backing of the community of users who created them. Which one you select depends on your needs, the security expertise of your IT teams and your budget.

Below are some of the top commercial API testing tools on the market and their main features, followed by some open-source tools.

Commercial API testing tools and platforms

APIsec

The APIsec platform acts like a penetration testing tool aimed at APIs. Whereas many tools scan for common vulnerabilities such as script injection, APIsec stress tests every aspect of the targeted APIs to ensure that everything from the core network to the endpoints accessing it is protected from flaws in the API's code.

One big advantage of APIsec is that it can be deployed in the development phase, while APIs are still being written. A full scan of an application that is still being built takes only a couple of minutes, with results comparable to old-school penetration testing engagements that used to take days or weeks to complete.

AppKnox

AppKnox offers a lot of assistance to those who purchase and deploy its platform. Combined with its easy-to-use interface, this makes AppKnox a good choice for organisations that don't have large security teams dedicated to their APIs. AppKnox starts with a scan to locate APIs, whether in the production environment, on endpoints or wherever else they may be deployed. Once located, users select which APIs they want to submit for further testing.

AppKnox tests for the common problems that can cause an API to break or be compromised, such as command injection in HTTP requests, cross-site tracing and SQL injection. This includes a complete analysis of the web servers, databases and other server-side components that interact with the API.
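To make concrete what a scanner actually sends for two of the checks just listed, here is an added example written for this article; it is not AppKnox's code or any other vendor's. It implements a cross-site tracing probe (send an HTTP TRACE request with a canary header and see whether the server reflects it) and an error-based SQL injection probe (inject a single quote into a query parameter and match the response against database error signatures). The target is a constructed, deliberately vulnerable HTTP server started on a random loopback port so the whole thing runs offline; its paths, the parameter name and the canary value are made up for the demo.

```python
"""Two active probes of the kind an API scanner sends: cross-site tracing
(does TRACE reflect the request, headers included?) and error-based SQL
injection (does a stray quote surface a database error message?).

Added example for this article; not AppKnox's or any other vendor's code.
VulnerableTarget is a constructed local server so the probes run offline;
its paths, parameter names and the canary value are invented for the demo."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, quote, urlparse

SINGLE_QUOTE = "'"


class VulnerableTarget(BaseHTTPRequestHandler):
    """Constructed target: TRACE is enabled and /users leaks a MySQL error."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, status, body, content_type="application/json"):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):  # reflects request line and headers: the XST condition
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self._reply(200, echo, "message/http")

    def do_GET(self):
        url = urlparse(self.path)
        name = parse_qs(url.query).get("name", [""])[0]
        if url.path == "/users" and SINGLE_QUOTE in name:  # unparameterised query blew up
            self._reply(500, b"You have an error in your SQL syntax; check the manual")
        else:
            self._reply(200, b'{"users": []}')


# Error strings scanners match on, one per common engine.
SQL_ERROR_SIGNATURES = [
    re.compile(r"You have an error in your SQL syntax"),  # MySQL / MariaDB
    re.compile(r"unterminated quoted string"),            # PostgreSQL
    re.compile(r"near \"'\": syntax error"),              # SQLite
    re.compile(r"ORA-\d{5}"),                             # Oracle
]


def _request(host, port, method, target, headers=None):
    """One HTTP request; returns (status, decoded body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, target, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def probe_xst(host, port, canary="xst-4f2b"):
    """Cross-site tracing: TRACE with a canary header, look for it in the body."""
    status, body = _request(host, port, "TRACE", "/", {"X-Canary": canary})
    return status == 200 and canary in body


def probe_sqli_error(host, port, path, param):
    """Error-based SQLi: inject a single quote, grep for engine error text."""
    _, body = _request(host, port, "GET", f"{path}?{param}={quote(SINGLE_QUOTE)}")
    return any(sig.search(body) for sig in SQL_ERROR_SIGNATURES)


def scan(host, port):
    """Run every probe against one host; True means the check fired."""
    return {
        "xst": probe_xst(host, port),
        "sqli GET /users?name": probe_sqli_error(host, port, "/users", "name"),
        "sqli GET /health?name": probe_sqli_error(host, port, "/health", "name"),
    }


def demo():
    """Start the constructed target, scan it, shut it down, return findings."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VulnerableTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return scan(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for check, hit in demo().items():
        print(f"{'VULNERABLE' if hit else 'ok        '} {check}")
```

The canary is what makes the TRACE probe trustworthy: a server that returns 200 to TRACE but does not echo the request is not exploitable for cross-site tracing, so the probe keys on the reflected value rather than the status code. The signature list is deliberately engine-specific; a production scanner carries many more patterns and also tries time-based and boolean-based payloads for endpoints that swallow errors.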

After the API scan, users can submit their results for advanced analysis by a human security researcher, a process the company says normally takes between three and five days.

Data Theorem API Secure

