Security testing
  • 09 Mar 2023

API security testing refers to the process of evaluating the security of software applications to identify potential vulnerabilities or weaknesses that could be exploited by attackers. The goal of API security testing is to detect security flaws and address them before they can be used to compromise the confidentiality, integrity, or availability of the application or its data.

Traceable's API Security Testing (AST) provides you with an option to test your application against various vulnerabilities and security gaps before they are deployed in a production environment. API security testing gives your developers and product security engineers the right context about vulnerabilities so that they can prioritize the threats that may arise because of gaps in API specifications and implementation.  Traceable’s AST is built on top of an API Catalog that provides the necessary context to run heavily contextualized tests, prioritize the mitigation of vulnerabilities, and build resilient systems.

The API security testing suite performs specific tests on APIs, and you can choose which types of tests to run. The suite automatically excludes from testing those APIs that have been inactive for a long time or have never been used. The following is a list of tests that you can currently run:

  • Server-Side Request Forgery (SSRF)
  • Security misconfiguration
  • JSON web token
  • Access control
  • Zed attack proxy (ZAP)
  • Insecure design
  • SQL injection
  • Authorization
  • Information disclosure
  • Remote code execution
  • Cross site scripting
  • TLS
  • NoSQL injection
  • Business logic
  • Authentication

To start the security tests, you can either use Traceable generated OpenAPI specification or you can upload your API specification. If the test results report vulnerabilities in your APIs, you can directly create a JIRA ticket for your developers and product security engineers. For more information on JIRA integration, see JIRA. The following diagram summarizes the process of API security testing:

[Diagram: API security testing process]

Start API security testing (AST)

API security testing is driven by scan policies. A scan policy is a set of conditions that determines which API security tests are run and how. Scan policies reduce configuration time when you need to run the same test repeatedly in an environment. You can have more than one scan policy for an environment, each addressing different testing requirements.

Understand scan policies

You can create a scan policy from two places in the Traceable UI. As shown in the screenshot below, you can either click on Policies → Create scan policies, or you can click on Dashboard → Generate Scan → New scan policy to create a new scan policy. When you create a New scan from the Dashboard, you can run the scan policy as part of the same step.

Creating a scan policy consists of:

  1. Deciding whether to use the Traceable generated specification or upload your own specification.
  2. Deciding whether to use live traffic to generate test traffic or to create test traffic by fuzzing data based on the specification that you provided.
  3. Selecting the assets that you wish to test.
  4. Selecting the attacks against which you wish to test your assets.

Create scan policy

Complete the following steps to create a scan policy:

  1. Navigate to either Policies → Create scan policies, or Dashboard → New scan policy.
  2. Provide the details in the first step of Policy details:
    1. Scan policy name – Provide a name that will help you identify the test.
    2. API Specification – Choose either the Traceable generated specification or upload your own specification. For more information on the Traceable generated specification, see OpenAPI Specification.
    3. Traffic – Choose the traffic source to create test data:
      1. XAST – Live traffic going to your endpoints.
      2. DAST – Use the API specification that you have provided to fuzz and create test data.
      3. XAST replay – Replay traffic from other environments to generate test traffic.
        Note
        Make a note of the following points:
        • The XAST live option is available only when Traceable generated specification is selected under API Specification.
        • DAST is available only when User provided specification is selected under API Specification.
    4. Environment – Choose the environment in which you would like to run the test suite.
    5. Target URL – Configure this option when you want to test a specific domain, for example, mydomain.com. This is optional if you are using live traffic, because in that case AST targets the domain to which the live traffic is going. It is mandatory if you have selected DAST.
  3. Select the API Endpoints on which you wish to run the security tests and click on Next. You can choose from:
    1. All Endpoints
    2. A set of Endpoints
    3. Services
    4. Endpoint Labels – All Endpoints that are tagged with a certain label, for example, critical, sensitive, external, and so on.
      Note
      You cannot select assets if you have chosen User provided specification in step 2.
  4. Select the attacks against which you wish to test your assets and click on Next. In the screenshot below, only Security Misconfiguration attacks are selected.
  5. Review the scan policy and click on Create Policy.

Data suppression

AST scans give better test results when data suppression is disabled. If data suppression is enabled for the environment for which you are running API security testing, Traceable displays a message with a link to disable data suppression. 

Navigate to Administration → Data Classification and click on the Environment tab. You can enable or disable data suppression for your environment by toggling the button.

Run the scan

The scan policy that you created in the previous section is saved for future use. When you run a scan, you pick one of the saved scan policies. To run the scan, click on Dashboard → Generate Scan.

On the Generate Scan window, you can either use an Existing Scan Policy to start the scan, or create a New Scan Policy as explained earlier. If you decide to use an existing policy, select the scan policy from the drop-down list as shown above and click on Next. Review the scan details and then click on Generate Scan.

Traceable gives you the option to run the scan in your Python or Docker environment. You can copy these commands to your terminal and run the scan, or you can integrate them with your CI/CD pipeline. You can also run the scan by clicking on the Submit button.


Note
Creating a scan policy and running a scan is environment-specific and not applicable to All Environments.

Snyk integration

Snyk is a cloud-based software development platform that helps developers find and fix security vulnerabilities in their open-source dependencies. It provides a range of tools and services to help developers identify and remediate vulnerabilities in their applications before they are deployed to production. Snyk scans application dependencies to identify known vulnerabilities and provides guidance on how to remediate them. Traceable provides a Snyk integration with its API security testing (AST). This integration allows you to correlate vulnerabilities found by AST with static code analysis performed by Snyk.

Integrating Snyk with Traceable is a one-step process. Navigate to Integrations → All available integrations and click on Configure in the Snyk box.

You need to add the Snyk API token for the integration to complete. For more information on generating a Snyk API token, see Obtaining your Snyk API Token in the Snyk documentation. Add this token in the Snyk API Token field as shown below.

Scan policy and Snyk integration

Once you have successfully integrated Snyk with Traceable, you can enable Snyk integration when you create a Scan Policy. Create a scan policy as explained earlier and toggle the Add Snyk Integration button to enable the integration. Select the organization and project for which you wish to correlate the results and run the scan. 

Understand the Snyk integration results

You can view the scan results from the Scan history dashboard as explained in the next section. Click on the Scan name to view the detailed result.

Clicking on the Scan name gives you the detailed report as shown below. The Snyk button under the SAST column is enabled if there are any correlations between vulnerabilities found during test and Snyk identified code issues; otherwise, it is greyed out. As shown below, Blind SQL injection was discovered by AST scans as well as Snyk in static code analysis.

Click on the Snyk button as shown above to view the detailed analysis. For example, when you click on the Snyk button for Blind SQL Injection, a Code Analysis slider window is displayed. It indicates that the line number 296 has an issue. You can view the detailed code when you click on View in GitHub, or you can view the issue on Snyk issue details page.


Scan history dashboard

You can view the scan in the Scan History dashboard as soon as a scan is triggered. The Dashboard summary section displays all the Vulnerabilities and Scan History across all the reports for the selected time duration in the chosen environment. As shown in the screenshot below, the Dashboard displays a history of scan runs for the selected time duration. You can filter these scans based on the scan status; for example, the scans in the screenshot below are filtered by Completed status.

The Dashboard gives a summary of the report metadata like:

  • Scan name – The name of the test run that you set in the previous section.
  • Build ID – This is a unique ID generated by CI build, which is hyperlinked to the build URL. This helps you correlate scans with builds.
  • Start time – The time at which you triggered the security test.
  • Mode – Provides you information about the origin of the security test. The two supported modes are CLI or CI/CD. You had configured this in step 6 of the previous section.
  • Scan status – Displays the status of the scan whether it is completed, initialized, running, or aborted. You can also filter the reports based on the scan status, as shown in the screenshot above.
  • Initiated by – Displays the name of the person who initiated the test.
  • Vulnerabilities – This shows the distribution of critical, high, medium, and low severity vulnerabilities that Traceable found in this particular scan.

Understand the test report

You can view the details about the test result by clicking on the report name under the Scan policy name column. The detailed view window displays the summary dashboard with all Vulnerabilities and Vulnerabilities Distribution for the specific report. For example, in the screenshot below, the summary section shows the total number of vulnerabilities (13) for this specific report along with the distribution across different vulnerabilities. The summary report dashboard displays:

  • The different vulnerabilities that the test discovered
  • The API Endpoint in which the vulnerability was found. Note that a POST /workshop/api/shop is a different API than GET /workshop/api/shop.
  • The service associated with the API
  • The status of the vulnerability, such as Open, Accepted Risk, Not a Vulnerability, Under Review, and Fixed.
  • An option to create a JIRA ticket directly from the vulnerability summary report.

You can also view a detailed summary report by clicking on the View Summary Report as shown in the screenshot above. 

Scan summary report

The scan summary report displays the high-level information about the scan result. The summary section displays the number of APIs scanned, the environment for which the tests were run, and the number of tests that were run. The summary section also displays the time taken for all tests to run.

The Result section of the report displays the attack category and subcategory for which the tests were run, the number of vulnerabilities found for each test, and the associated severity. The scan report also displays the number of tests that were run for each attack category, as shown in the screenshot below:

The severity is displayed when a vulnerability is found against an attack.


View detailed vulnerability report

You can view a detailed report about a vulnerability by clicking on the vulnerability name. For example, if you click on Broken Object Level Authorization (BOLA) as shown in the above screenshot, Traceable displays a detailed report as shown below:

[Screenshot: Vulnerability details in Traceable's Application Security Test Report]

The detailed report gives a wealth of information about the vulnerability, such as the CVSS 3.1 score, the status of the vulnerability, and the approximate time it will take to fix it. The detailed report also provides a description of the vulnerability, possible mitigation, and the impact that the vulnerability can have on your API ecosystem.

You can also separately re-run the test command to identify the vulnerability. Copy the cURL command to re-run the test. 

Further analysis

You can carry out further analysis, for example, based on the request header x-traceable-ast as shown in the screenshot below:

Copy the x-traceable-ast header value and navigate to API Analytics as marked in the screenshot above. In the API Analytics page, enter request header.x-traceable-ast=<value of x-traceable-ast request header>. The search result displays the matching Endpoint Traces. Click on individual traces to view detailed information, as shown below:
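The same correlation can be done on the server side from your own access logs. The following Python script is an added example, not Traceable's code: it groups constructed JSON log lines by the x-traceable-ast value so that scan-generated requests can be told apart from real user traffic and listed per endpoint (method plus path, since POST and GET on the same path are different APIs). The log field names "method", "path", "status" and "headers" are assumptions.

```python
import json
from collections import defaultdict

# Name of the request header that the AST scan attaches to its test requests.
AST_HEADER = "x-traceable-ast"

# Constructed sample access-log lines (JSON, one per line). The field names
# "method", "path", "status" and "headers" are assumptions, not a real log format.
SAMPLE_LOGS = """\
{"method":"GET","path":"/workshop/api/shop","status":200,"headers":{"X-Traceable-Ast":"scan-abc123"}}
{"method":"POST","path":"/workshop/api/shop","status":500,"headers":{"x-traceable-ast":"scan-abc123"}}
{"method":"GET","path":"/workshop/api/shop","status":200,"headers":{"user-agent":"Mozilla/5.0"}}
{"method":"GET","path":"/workshop/api/shop","status":403,"headers":{"x-traceable-ast":"scan-def456"}}
this line is not JSON and must be skipped
"""

def ast_marker(headers):
    """Return the x-traceable-ast value, or None if the request did not carry it.
    HTTP header names are case-insensitive, so the lookup ignores case."""
    for name, value in headers.items():
        if name.lower() == AST_HEADER:
            return value
    return None

def parse_logs(log_text):
    """Yield parsed records, skipping lines that are not valid JSON."""
    for line in log_text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def endpoint_traces(log_text, marker):
    """Map (method, path) -> list of status codes for requests tagged with `marker`.
    The method is part of the key: POST /workshop/api/shop and GET /workshop/api/shop
    are different APIs."""
    traces = defaultdict(list)
    for rec in parse_logs(log_text):
        if ast_marker(rec.get("headers", {})) == marker:
            traces[(rec["method"], rec["path"])].append(rec["status"])
    return dict(traces)

def scan_markers(log_text):
    """Distinct scan markers seen, so scan traffic can be excluded from alerting."""
    found = {ast_marker(rec.get("headers", {})) for rec in parse_logs(log_text)}
    found.discard(None)
    return found
```

Requests without the header (real users) and malformed log lines are ignored, and scan_markers gives the set of scan identifiers to filter out of production alerting while a scan runs.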



Traceable CLI

You can install Traceable CLI by running the following commands. 

Linux

If you are a Linux user, use the following command:

curl -o- https://downloads.traceable.ai/cli/release/latest/install.sh | bash

macOS

If you are a macOS user, use the following docker command:

docker create --name traceable-data traceableai/traceable-cli

Demo

Following are the two clickable demos for creating a policy and starting a scan.

Create a scan policy



Generate a scan