<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Mayhem by ForAllSecure - Medium]]></title>
        <description><![CDATA[Mayhem is a developer-first security testing solution. Built by professional hackers, it automatically generates thousands of tests to identify defects in your apps and APIs. - Medium]]></description>
        <link>https://medium.com/mayhem-security?source=rss----99d1a806f683---4</link>
        <image>
            <url>https://cdn-images-1.medium.com/proxy/1*TGH72Nnw24QL3iV9IOm4VA.png</url>
            <title>Mayhem by ForAllSecure - Medium</title>
            <link>https://medium.com/mayhem-security?source=rss----99d1a806f683---4</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Sat, 06 Jun 2026 20:17:37 GMT</lastBuildDate>
        <atom:link href="https://medium.com/feed/mayhem-security" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Meet The Team Behind Mayhem: Come See Us At These Upcoming April 2023 Events]]></title>
            <link>https://medium.com/mayhem-security/meet-the-team-behind-mayhem-come-see-us-at-these-upcoming-april-2023-events-f33e7d0be0b8?source=rss----99d1a806f683---4</link>
            <guid isPermaLink="false">https://medium.com/p/f33e7d0be0b8</guid>
            <category><![CDATA[developer-tools]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[api-security]]></category>
            <category><![CDATA[devsecops]]></category>
            <category><![CDATA[code-security]]></category>
            <dc:creator><![CDATA[Debra Hopper]]></dc:creator>
            <pubDate>Mon, 03 Apr 2023 20:38:06 GMT</pubDate>
            <atom:updated>2023-04-03T20:38:06.451Z</atom:updated>
<content:encoded><![CDATA[<p>The Mayhem team participated in the Miami Cybersecurity Summit, Automotive IQ, and Wright-Patterson AFB Training last month.</p><p>We have a number of upcoming events planned for April 2023, including:</p><ol><li><a href="https://forallsecure.com/blog/meet-the-team-behind-mayhem-come-see-us-at-these-upcoming-april-2023-events#h_3237269532591680270687998">RSA Conference, DevSecOps Days, and BSides</a></li><li><a href="https://forallsecure.com/blog/meet-the-team-behind-mayhem-come-see-us-at-these-upcoming-april-2023-events#h_1845683314431680270706607">Webinar: How to Increase Test Coverage With Mayhem for API</a></li><li><a href="https://forallsecure.com/blog/meet-the-team-behind-mayhem-come-see-us-at-these-upcoming-april-2023-events#h_9045461286221680270726634">Speed vs. Resilience: Making the Right Trade-offs for Software Security</a></li><li><a href="https://forallsecure.com/blog/meet-the-team-behind-mayhem-come-see-us-at-these-upcoming-april-2023-events#h_74420248001680270738766">Securing Open Source Software University Hackathon</a></li></ol><p>Read on to learn more about April’s events. We hope to see you there!</p><h3>RSA Conference</h3><p>The RSA Conference is an annual event that brings together cybersecurity professionals and experts from around the world to discuss the latest trends, challenges, and innovations in cybersecurity. 2023’s theme “Stronger Together” is all about “exchanging ideas, sharing our success stories, and bravely examining our failures.”</p><p><strong>Where</strong>: San Francisco, CA | Moscone Center</p><h4>Why Attend?</h4><p>Attend RSA to network, learn about the latest trends and challenges in the industry, gain insights on emerging threats, and discover new technologies and solutions.</p><p>Join our team at RSA! 
<a href="https://forallsecure.com/contact">Set up a meeting with us </a>during the conference to learn more about how Mayhem makes security testing easy for development teams.</p><h3>DevSecOps Days</h3><p>DevOps Connect: DevSecOps at RSAC is a program within the RSA Conference that explores different ways to effectively integrate security into DevOps processes, discusses the emergence of security engineers in DevOps, and examines the role of developer security champions.</p><p><strong>When</strong>: April 24, 2023 | 8 a.m. — 3 p.m. PST</p><p><strong>Where</strong>: Moscone South 308, San Francisco or Virtual</p><h4>Why Attend?</h4><p>This year’s two main topics will be “shift left versus shift right security” and “open source security”. Learn about how adopting both shift left and shift right strategies enables DevOps teams to deliver the highest-quality software, and explore open source security risks and how to address them.</p><p>The Mayhem team will have a booth at DevSecOps Days. Be sure to stop by so we can meet you and answer any questions you have about our security testing solution.</p><h3>BSides</h3><p>BSides San Francisco is a 100% volunteer-organized Information Security conference. There are no “attendees” at a BSides event. Everyone is a participant, adding something of value to the conversations.</p><p><strong>Where</strong>: San Francisco, CA | City View at Metreon, 135 4th St #4000</p><p><strong>When</strong>: Saturday, April 22nd and Sunday, April 23rd</p><h4>Why Attend?</h4><p>Come join us at the BSidesSF conference for two days of learning and fun with the Bay Area security community. Stop by our booth and ask us any questions you have. We’d love to meet you!</p><h3>Webinar: How to Increase Test Coverage (And Confidence!) 
With Mayhem for API</h3><p>In this webinar, you’ll learn how to increase your API testing coverage and build confidence in your code with Mayhem.</p><p><strong>When</strong>: April 19, 2023 | 1pm EST / 10am PST</p><h4>Why Attend?</h4><p>Mayhem is a powerful testing tool that uses fuzz testing to identify and prevent bugs in your code.</p><p>We’ll explore how to integrate Mayhem into your testing workflow, best practices for using Mayhem, and real-world examples of how Mayhem has improved API testing for companies like yours.</p><ul><li>Discover the benefits of using Mayhem for API testing, including improved code quality and faster time to market.</li><li>Learn how to set up Mayhem for API testing and configure it to meet your testing needs.</li><li>Explore real-world examples of how companies have used Mayhem to improve their API testing coverage and identify critical bugs.</li><li>Get expert tips and best practices for using Mayhem effectively in your testing workflow.</li><li>Participate in a live Q&amp;A session with our expert speaker and get your questions about Mayhem and API testing answered.</li></ul><h3>Argyle’s CISO Leadership Forum: Speed vs. Resilience: Making the Right Trade-offs for Software Security</h3><p>A senior executive from ForAllSecure will be a panelist in a 45-minute discussion on strategic organizational resilience during Argyle’s full-day CISO Leadership Forum on April 13.</p><h4>Why Attend?</h4><p>Developers and security professionals are always making trade-offs between competing priorities. No one can maximize speed to market, reliability, resilience and security all at the same time. 
Trade-offs are inevitable, and you want your trade-offs to be as thoughtful, balanced and conscious of the risks involved as possible.</p><p>Join this panel discussion at Argyle’s CISO Leadership Forum to learn how top CISOs and software professionals have successfully balanced the need for speed with the need for resilience.</p><p>You will learn:</p><ul><li>How to assess the trade-offs your business needs to make between speed and resilience</li><li>Risk awareness and mitigation techniques for making better trade-offs</li><li>Ways to make the business case for the best trade-offs possible</li><li>Automated solutions for increasing both speed and resilience</li></ul><h3>Securing Open Source Software University Hackathon</h3><p><strong>UC Santa Cruz Computer Students</strong>: Join ForAllSecure on April 22nd to learn about DevSecOps and fuzz testing and to gain the skills needed to find security exploits in open source software.</p><p><strong>Where</strong>: UC Santa Cruz | Jack Baskin Auditorium 101</p><p><strong>When</strong>: April 22nd, 2022 | 11:30am — 6pm PST</p><h4>Why Attend?</h4><p>At minimum, lunch is on us. We’ll teach you how to do a fuzz test with Mayhem, and after you fill out a short survey we’ll pay you $100. 
Students who successfully integrate Mayhem into an open source project can be eligible for up to $1,000.</p><p>What you will learn:</p><ul><li>Fundamental DevSecOps concepts and best practices</li><li>Using Docker and GitHub Actions as part of your development process</li><li>Testing applications for defects with Mayhem</li></ul><h3>March Events</h3><p>In March, the Mayhem team participated in the Miami Cybersecurity Summit, Automotive IQ, and Wright-Patterson AFB Training.</p><h3><a href="https://cybersecuritysummit.com/summit/miami23/">Miami CyberSecurity Summit</a></h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*fMjSgIfb-bnZhWbu" /></figure><p>Our team had a wonderful time at the Miami Cybersecurity Summit on March 17. We had a booth at the event where we answered questions and gave Mayhem product demonstrations.</p><h3><a href="https://www.automotive-iq.com/events-automotive-cybersecurity">Automotive IQ</a></h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*cjWk3zbkc3BOEGjh" /></figure><p>ForAllSecure co-founder and VP Engineering, <a href="mailto:thanassis@forallsecure.com">Thanassis Avgerinos </a>spoke to a room of automotive industry representatives about how to adopt the techniques of attackers to deliver more secure connected vehicles.</p><p>VP Marketing <a href="mailto:josh@forallsecure.com">Josh Thorngren </a>provided comic relief, and the two of them discussed everything from how to adopt DevOps practices in the traditional automotive “V”-shaped SDLC to what the automotive industry should <a href="https://forallsecure.com/blog/the-2023-national-cybersecurity-strategy-shifts-responsibility-onto-software-vendors">take away from the new cybersecurity guidance </a>from the Biden administration.</p><p><a href="https://www.slideshare.net/ForAllSecure/automotive-cybersecurity-test-like-a-hacker"><strong>Get a copy of the presentation here.</strong></a></p><h3><a 
href="https://www.militaryexpos.com/wpafb/">Wright-Patterson AFB Training</a></h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*wjx--2x0v8z8NPCO" /></figure><p>The Mayhem team attended the Wright-Patterson AFB training on March 29th and gave a separate training session on how to use Mayhem.</p><h3>Meet with the Team Behind Mayhem</h3><p>Thanks to everyone who attended our March events!</p><p>If you haven’t had the chance to meet our amazing Mayhem team or aren’t familiar with <a href="https://get.mayhem.security/get-started-code?_gl=1*1r01u6h*_ga*NDA5NzMxODA3LjE2NjUxNTQ3MTE.*_ga_7GV139V4R7*MTY4MDI2ODI0Ny4yOTcuMS4xNjgwMjcyNTI4LjU5LjAuMA..">what we do</a>, come join us at one of our upcoming events.</p><p>We’d love to talk about how Mayhem makes security testing easy for development teams by automatically generating test cases and only reporting exploitable, confirmed risks that produce actionable AppSec results.</p><p>Looking forward to seeing you at an upcoming event!</p><p><em>Originally published at </em><a href="https://forallsecure.com/blog/meet-the-team-behind-mayhem-come-see-us-at-these-upcoming-april-2023-events"><em>https://forallsecure.com</em></a><em>.</em></p><hr><p><a href="https://medium.com/mayhem-security/meet-the-team-behind-mayhem-come-see-us-at-these-upcoming-april-2023-events-f33e7d0be0b8">Meet The Team Behind Mayhem: Come See Us At These Upcoming April 2023 Events</a> was originally published in <a href="https://medium.com/mayhem-security">Mayhem by ForAllSecure</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[API Security 101 for Developers: How to Easily Secure Your APIs]]></title>
            <link>https://medium.com/mayhem-security/api-security-101-for-developers-how-to-easily-secure-your-apis-fad7c7db81b4?source=rss----99d1a806f683---4</link>
            <guid isPermaLink="false">https://medium.com/p/fad7c7db81b4</guid>
            <category><![CDATA[developer-tools]]></category>
            <category><![CDATA[api-security-testing]]></category>
            <category><![CDATA[devsecops]]></category>
            <category><![CDATA[developer]]></category>
            <category><![CDATA[api-security]]></category>
            <dc:creator><![CDATA[Debra Hopper]]></dc:creator>
            <pubDate>Wed, 29 Mar 2023 17:30:20 GMT</pubDate>
            <atom:updated>2023-03-29T17:30:20.234Z</atom:updated>
<content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*PMdvnfr43bkT6ouc" /></figure><p>Application Programming Interfaces (APIs) are a fundamental component of modern software development. APIs allow developers to integrate different software systems, making it easier than ever to create complex applications and services. However, as with any software component, APIs are also prone to security vulnerabilities that can be exploited by attackers.</p><p>API security is an ongoing process that demands continual attention and effort from everyone on the development team. However, with the right knowledge and tools, developers can design, build, and test secure APIs without adding to their workload.</p><p>By the end of this blog post, you will have a good understanding of API security and the steps you can take to easily secure your APIs.</p><h3>API Basics: What Is an API and How Do APIs Work?</h3><p>As a developer, you’ve likely encountered APIs in your work, and may even use them regularly in your projects. But for those new to the world of APIs, let’s cover the basics:</p><h3>What is an API?</h3><p>An Application Programming Interface (API) is a set of protocols, routines, and tools used by developers to build software applications. APIs offer a standard method for software components to communicate with one another. This makes it possible for developers to connect different software systems without having to understand the details of each system.</p><h3>How do APIs work?</h3><p>In simpler terms, APIs allow developers to access data or functionality from one application or service and use it in another application or service. For example, a developer building a mobile app that displays weather information might use an API provided by a weather service to retrieve the current weather conditions and display them in the app.</p><p>APIs can be divided into two broad categories: internal and external. 
Internal APIs are used within an organization to share data and functionality between different software systems. External APIs are accessible to users outside of an organization. They allow third-party developers to access an organization’s data or functionality.</p><h3>Examples of Popular APIs</h3><p>Some popular examples of external APIs include the Twitter API, the Google Maps API, and the Facebook API. These APIs allow developers to access data and functionality provided by these services and integrate them into their own applications or services.</p><p>For example, the Google Maps API allows developers to integrate Google Maps into their own applications or websites. This gives them an easy way to build custom maps and add location-based features to their applications or websites. A real estate website could use the Google Maps API to display the location of each property on a map, or a delivery app could use the API to calculate the best route between two locations.</p><p>In the next section, we will discuss common API security vulnerabilities that developers need to be aware of.</p><h3>Common API Security Vulnerabilities</h3><p>While APIs are useful for integrating software systems, they can also introduce security vulnerabilities that can be exploited by attackers. The most common API security vulnerabilities that developers need to be aware of are:</p><h3>Injection Attacks</h3><p>Injection attacks occur when an attacker sends malicious data to an API endpoint that can be interpreted as code by the server. This can allow the attacker to execute commands on the server, access sensitive data, or even take control of the server.</p><p>For example, an SQL injection is a type of injection attack that occurs when an attacker sends malicious SQL statements to an API endpoint that interacts with a database. 
If the API does not properly validate and sanitize user input, or does not use parameterized queries that keep user-supplied data separate from the SQL code, the attacker can execute arbitrary SQL statements on the database.</p><h3>Broken Authentication and Session Management</h3><p>Authentication is the process of verifying the identity of a user or system. Session management is the process of managing user sessions once they are authenticated. Broken authentication and session management vulnerabilities can allow attackers to impersonate legitimate users and access sensitive data or functionality.</p><p>For example, weak or predictable passwords make your APIs vulnerable. An attacker can use brute force attacks to guess the password and gain access to the system. Similarly, APIs need to use strong session identifiers and properly expire user sessions. If this is not done, an attacker can hijack a legitimate user’s session and gain access to the system.</p><h3>Cross-Site Scripting (XSS)</h3><p>Cross-Site Scripting (XSS) attacks occur when an attacker injects malicious code into a web page that is viewed by other users. This code is typically in the form of JavaScript that executes in the user’s browser and can be used to steal sensitive information or perform other malicious activities.</p><p>API-based XSS attacks involve exploiting vulnerabilities in the APIs used by web applications to fetch and display data. An attacker can craft a malicious query that includes a script tag with JavaScript code that steals the user’s session token, allowing the attacker to impersonate the user and perform actions on their behalf.</p><p>To prevent XSS attacks, web developers must sanitize user input and validate it on the server side, and encode API-supplied data for the context in which it is rendered (HTML body, attribute, or JavaScript) so that it is displayed as text rather than interpreted as markup. 
Additionally, they should use content security policies (CSPs) to limit the sources of scripts and other resources that can be loaded by the browser.</p><h3>Cross-Site Request Forgery (CSRF)</h3><p>Cross-site request forgery (CSRF) occurs when an attacker tricks a victim into performing an action on an API endpoint without their knowledge or consent. This can allow the attacker to perform actions on the victim’s behalf, such as making unauthorized purchases or changing the victim’s account settings.</p><p>For example, if an API does not use CSRF tokens to validate requests, an attacker can create a malicious web page that sends unauthorized requests to the API endpoint when a victim visits the page.</p><h3>Insufficient Encryption and Transport Layer Protection</h3><p>APIs that transmit sensitive data, such as user credentials or payment information, need to use encryption and transport layer protection to ensure that the data is not intercepted or modified by attackers.</p><p>For example, if an API does not use HTTPS to encrypt traffic or uses weak encryption algorithms, an attacker can intercept and modify API requests or responses.</p><h3>Developer Best Practices for API Security: How to Prevent Common API Vulnerabilities</h3><p>There are a number of steps developers can take to prevent the common API security vulnerabilities discussed in the previous section, including:</p><h3>Follow the Principle of Least Privilege</h3><p>Development teams should always follow the principle of least privilege. API access should be limited to only what is necessary for a given user or system. This means that users should only be able to access the data and functionality that they need to perform their tasks.</p><p>For example, a user who only needs to view data should not have write access to the data. 
Limiting API access in this way reduces the risk of unauthorized access and data breaches.</p><h3>Use Strong and Secure Authentication and Authorization Mechanisms</h3><p>Authentication is the process of verifying the identity of a user or application attempting to access an API. Authorization is the process of determining whether a user or application has the necessary permissions to perform a specific action or access a specific resource. Authentication and authorization are critical to API security, as they ensure that only authorized users or applications can access sensitive data.</p><p>One common method of authentication and authorization is the use of OAuth 2.0. OAuth 2.0 is an open standard for authorization. It allows third-party applications to access a user’s data without the user sharing their credentials. Instead, the user grants the application access to their data using an access token.</p><h3>Implement Access Control Mechanisms</h3><p>Access control is the process of determining who has access to a specific resource or API endpoint. Access control is important for API security, as it ensures that only authorized users or applications can access sensitive data.</p><p>One common method of access control is role-based access control (RBAC). RBAC is a method of access control that restricts access based on the roles of individual users within an organization. For example, a developer building an API for a financial institution might use RBAC to ensure that only authorized employees can access customer financial data.</p><h3>Use Secure Passwords and Password Policies</h3><p>Strong passwords and password policies are essential to prevent brute force attacks and other password-related vulnerabilities. Password policies should enforce password complexity, minimum password length, and password expiration. 
Developers should also consider implementing passwordless authentication methods such as biometric authentication to improve the security of their APIs.</p><h3>Validate and Sanitize All User Input</h3><p>Input validation ensures that data is in the correct format and meets specific criteria. Input sanitization removes any malicious content from user input. Using input validation and sanitization libraries and frameworks reduces the risk of security vulnerabilities such as SQL injection and cross-site scripting (XSS) attacks.</p><h3>Use Encryption and Hashing</h3><p>Encryption is the process of encoding data so that only authorized users can read it. Hashing is the process of transforming data into a fixed-length string of characters. Developers should use encryption to protect sensitive data such as passwords, credit card information, and personal information. Stored passwords in particular should be hashed with a salted, deliberately slow password-hashing function rather than kept in a reversible form, so that a leaked database does not reveal them.</p><p>One common method of encryption is Transport Layer Security (TLS). TLS is a protocol that encrypts data as it is transmitted between a client and a server. For example, a developer building an API for an e-commerce site might use TLS to encrypt customer credit card information as it is transmitted between the customer’s browser and the server.</p><h3>Rate Limiting</h3><p>Rate limiting is the process of limiting the number of requests that a user or application can make to an API within a specified time period. Rate limiting helps prevent denial-of-service (DoS) attacks and ensures that the API remains available to all users.</p><p>For example, a developer building an API for a weather application might implement rate limiting to ensure that one user cannot make an excessive number of requests in a short period of time, which could cause the API to become unavailable for other users.</p><h3>Implement Secure Session Management</h3><p>Session management is essential to prevent session hijacking and other attacks. 
Secure session management mechanisms such as secure cookies, session timeouts, and re-authentication can help prevent attackers from hijacking user sessions.</p><h3>Regularly Test for Security Vulnerabilities</h3><p><a href="https://forallsecure.com/blog/what-is-api-testing-and-why-is-it-important">It’s important to test your API for vulnerabilities regularly</a>, including before you ship code to production and throughout the development process. API security testing tools perform a variety of tests to identify security vulnerabilities. These tests include <a href="https://forallsecure.com/blog/why-vulnerability-scanning-alone-isnt-enough-for-api-security">vulnerability scanning,</a> SQL injection testing, cross-site scripting (XSS) testing, and broken authentication and session management testing.</p><p>By using these tools, developers can identify and address security vulnerabilities before they can be exploited by attackers. This can help prevent data breaches, unauthorized access to sensitive data, and other security incidents. Additionally, using API security testing tools can help ensure compliance with security regulations and standards.</p><h3>Put Your API Security on Autopilot</h3><p>As you can see, API security requires a lot of work and consideration from developers. And even when following best practices, it’s impossible to prevent all vulnerabilities. That’s why APIs should be regularly tested for security vulnerabilities. The easiest way for developers to do this is to use an <a href="https://forallsecure.com/blog/which-api-testing-is-best-when-to-use-manual-vs-automated-api-testing">automated API testing tool</a> that integrates directly into their existing development process.</p><p>Mayhem is a security testing solution that we built specifically for developers. It runs continuously in the background and eliminates the need for manual test generation, putting your API security on autopilot. 
<a href="https://get.mayhem.security/get-mayhem-api">Try it free for 30 days.</a></p><p><em>Originally published at </em><a href="https://forallsecure.com/blog/api-security-101-for-developers-how-to-easily-secure-your-apis"><em>https://forallsecure.com</em></a><em>.</em></p><hr><p><a href="https://medium.com/mayhem-security/api-security-101-for-developers-how-to-easily-secure-your-apis-fad7c7db81b4">API Security 101 for Developers: How to Easily Secure Your APIs</a> was originally published in <a href="https://medium.com/mayhem-security">Mayhem by ForAllSecure</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[The 2023 National Cybersecurity Strategy Shifts Responsibility onto Software Vendors]]></title>
            <link>https://medium.com/mayhem-security/the-2023-national-cybersecurity-strategy-shifts-responsibility-onto-software-vendors-b774e6d639c2?source=rss----99d1a806f683---4</link>
            <guid isPermaLink="false">https://medium.com/p/b774e6d639c2</guid>
            <dc:creator><![CDATA[Robert Vamosi]]></dc:creator>
            <pubDate>Tue, 28 Mar 2023 17:43:18 GMT</pubDate>
            <atom:updated>2023-03-22T15:29:41.602Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ok6T1NXg9eQXPmNfnk8loA.png" /></figure><p>Of course it doesn’t go far enough, but the Biden-Harris Administration’s 2023 National Cybersecurity Strategy is a good first step. Rather than carrying forth the strategies of previous administrations, Biden-Harris considered the problem of defending the US in cyberspace holistically. For example, why put so much effort in defending bad software when you can (and should) fix it at the vendor level?</p><p>One of the more radical proposals in the new strategy is just that: shift the liability for data breaches and ransomware toward the software that made these attacks possible. Of course, the software industry will say that you can’t predict unknown or zero days. (Actually, you can, using security solutions like Mayhem, which find both known vulnerabilities and the unknown vulnerabilities often responsible for zero days.)</p><h3>What is the Biden-Harris 2023 National Cybersecurity Strategy?</h3><p>Released on March 3, 2023, the Biden-Harris 2023 National Cybersecurity Strategy is an attempt to update national strategy around cyberspace. This includes fundamental shifts in how the private sector, peer-competitor states, and nonstate actors navigate around and with each other.</p><p>Here are a couple of key takeaways. The new strategy:</p><h3>Shifts Cybersecurity Responsibility Onto Software Vendors</h3><p>Fundamentally, the strategy includes the much-needed beginnings of an ambitious shift in US cybersecurity policy. The strategy’s greatest shift is toward liability for software vendors. That means that liability for future data breaches and ransomware can be tied back to the software vendors themselves, incentivizing them to secure their software on release and to provide regular updates for that software post-release.</p><p>Currently, only the organizations using the software are held accountable for any breaches. 
This is not to say that organizations are off the hook with the new strategy. Rather, it seeks to share the liability.</p><p>By sharing the liability with the original software vendors, this strategy will enforce the use of best practices to be followed in the development lifecycle of that software. This includes the use of new technologies such as Mayhem which finds both known and unknown vulnerabilities without the need for source code and provides prioritized and actionable results.</p><h3>Reinforces the Need for More Public-Private Partnerships</h3><p>The strategy also reinforces the need for more public-private partnerships and to remove the existing silos of information where it makes sense.</p><p>As an example, eighteen months ago, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency or CISA, <a href="https://forallsecure.com/blog/jen-easterly-takes-charge-of-cisa-at-black-hack-usa-2021">announced the Joint Cyber Defense Collaborative or JCDC at Black Hat 2021</a>. Launch partners included Amazon Web Services, AT&amp;T, CrowdStrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks, and Verizon. Perhaps this is a model for the rest of the industry and government to follow.</p><h3>Looking Forward</h3><p>The Atlantic Council, a Washington think tank, has provided <a href="https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-us-national-cybersecurity-strategy-mark-up/">a markup with expert commentary </a>by Jeff Moss, Katie Nickels, Marc Rogers, Chris Wysopal (Weld Pond), and Danielle Jablanski. The experts conclude that “the strategy offers the much-needed beginnings of an ambitious shift in US cybersecurity policy, but it often falls short on implementation details and addressing past failures.”</p><p>Indeed, the details remain to be worked out. 
However, at least having a strategy that advances the discussion and highlights the concerns is a major step forward.</p><hr><p><a href="https://medium.com/mayhem-security/the-2023-national-cybersecurity-strategy-shifts-responsibility-onto-software-vendors-b774e6d639c2">The 2023 National Cybersecurity Strategy Shifts Responsibility onto Software Vendors</a> was originally published in <a href="https://medium.com/mayhem-security">Mayhem by ForAllSecure</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[3 Reasons Developers Should Shift Left for API Security]]></title>
            <link>https://medium.com/mayhem-security/3-reasons-developers-should-shift-left-for-api-security-b0c69f9579f7?source=rss----99d1a806f683---4</link>
            <guid isPermaLink="false">https://medium.com/p/b0c69f9579f7</guid>
            <category><![CDATA[devsecops]]></category>
            <category><![CDATA[security-testing]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[api-security]]></category>
            <category><![CDATA[developer-tools]]></category>
            <dc:creator><![CDATA[Debra Hopper]]></dc:creator>
            <pubDate>Tue, 21 Mar 2023 20:01:47 GMT</pubDate>
            <atom:updated>2023-03-21T20:01:47.089Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*ihf0Az1THm0uJ8Zf" /></figure><p>Shifting left for API security has many benefits. It allows developers to produce better code, catch API issues earlier in the development cycle, and get their work done faster.</p><p>In order to build API security testing into the development process naturally, use a shift left approach along with an automated API tester, such as <a href="https://forallsecure.com/mayhem-for-api">Mayhem for API </a>.</p><h3>What Is Shifting Left?</h3><p>Shifting left is the process of testing the quality and performance of software earlier in the development cycle. Instead of having a separate testing phase before software deployment, shift left testing is done as a continuous process throughout development.</p><h3>What Is Mayhem for API?</h3><p>Mayhem for API is an API testing tool that uses <a href="https://forallsecure.com/resources/ultimate-guide-to-fuzz-testing">fuzzing automation technology </a>to give developers detailed API testing results in less than five minutes. You can use Mayhem for API to test for API defects with each commit or build.</p><h3>3 Reasons Developers Should Shift Left for API Security</h3><h3>1. Produce Software With Fewer Defects</h3><p>In the traditional software development life cycle (SDLC), all testing occurs just before the deployment phase. However, this is the point where the software has the largest API attack surface. A shift left approach gives you more time to discover vulnerabilities, since testing occurs throughout the entire development process.</p><p><strong>How Mayhem for API Can Help:</strong></p><p>Mayhem for API gives you the opportunity to build a secure API from your earliest commit.</p><p>Running directly in your command line, Mayhem for API generates a security report in less than five minutes. 
Detailed documentation about API issues can be viewed in the application, where each issue is tagged, cross-referenced with the latest specs, sorted by the path it was found in, and assigned a severity score for easy remediation.</p><h3>2. Identify API Bugs Sooner</h3><p>Since shift left testing happens throughout the DLC (development life cycle), developers are able to identify vulnerabilities earlier in the process, when they are easier to remediate.</p><p><strong>How Mayhem for API Can Help:</strong></p><p>Mayhem for API flags your API defects in real time, <a href="https://forallsecure.com/blog/github-code-scanning-integration-with-mayhem-for-api">commit-by-commit or build-by-build </a>, and provides you with context for each issue, including:</p><ul><li>Hints that describe the problem</li><li>Potential remediation techniques</li><li>Fast tips on how to resolve critical errors</li></ul><p>Using a shift left approach means there is not a separate testing phase before deployment. This lets development teams avoid bottlenecks in the DLC and bring software to market faster.</p><p><strong>How Mayhem for API Can Help:</strong></p><p>You can save even more time by letting Mayhem for API take on the bulk of API testing. While you might eventually be able to find API issues manually with random requests, Mayhem for API will find them much faster and can run in the background while you work on solving high-level problems for your clients.</p><h3>Try Mayhem for API Free</h3><p>Using Mayhem for API is the easiest way to integrate API testing into your CI/CD pipeline. 
<a href="https://mayhem4api.forallsecure.com/signup">Try Mayhem for API free for 30 days </a>and see how easy it is to shift left for API security.</p><p><em>Originally published at </em><a href="https://forallsecure.com/blog/3-reasons-developers-should-shift-left-for-api-security"><em>https://forallsecure.com</em></a><em>.</em></p><hr><p><a href="https://medium.com/mayhem-security/3-reasons-developers-should-shift-left-for-api-security-b0c69f9579f7">3 Reasons Developers Should Shift Left for API Security</a> was originally published in <a href="https://medium.com/mayhem-security">Mayhem by ForAllSecure</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Which API Testing Is Best: When To Use Manual vs. Automated Testing]]></title>
            <link>https://medium.com/mayhem-security/which-api-testing-is-best-when-to-use-manual-vs-automated-testing-b467d852a317?source=rss----99d1a806f683---4</link>
            <guid isPermaLink="false">https://medium.com/p/b467d852a317</guid>
            <category><![CDATA[api-testing]]></category>
            <category><![CDATA[developer-tools]]></category>
            <category><![CDATA[security-testing]]></category>
            <category><![CDATA[devsecops]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Debra Hopper]]></dc:creator>
            <pubDate>Tue, 21 Mar 2023 19:58:39 GMT</pubDate>
            <atom:updated>2023-03-21T19:58:39.483Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*JtoOe6S8MUuJtgYq" /></figure><p>Which API testing is best for you largely depends on the type and complexity of the APIs being tested. If you’re dealing with a basic API that mainly performs CRUD (Create, Read, Update, Delete) operations, then simple manual testing may be sufficient.</p><p>However, if the API is more complex or requires loads of data manipulation to get the results you’re after, then an automated API testing tool is the way to go. It’s easier to implement automated testing than it is to run manual tests over and over. You should conduct automated testing if you’re <a href="https://forallsecure.com/blog/when-api-testing-is-required-and-industry-specific-api-standards">testing in a regulated environment</a>, handling sensitive data, or working on a large project.</p><p>Overall, <a href="https://forallsecure.com/blog/what-is-api-testing-and-why-is-it-important">API testing is an important part of the development process</a> and should not be overlooked. With the right combination of manual and automated API testing, you can ensure your APIs are functional, secure, and perform as they should.</p><h3>Is API testing manual or automated?</h3><p>API testing can be either manual or automated.</p><p>Manual API testing involves manually sending requests to an application’s interface and verifying the responses, while automated API testing utilizes specialized software tools to send requests and validate responses.</p><p>Automation is generally recommended for larger projects that require comprehensive and frequent testing. 
Automation allows development teams to quickly run tests when changes are made and easily track results over time.</p><p>However, manual testing can still be useful when dealing with smaller projects or when testing individual features, and is good for those just getting started, as it can help you better understand the process of API testing. While you should weigh the pros and cons of both approaches, for most development teams, the benefits of automated testing far outweigh those of manual testing.</p><h3>Can API testing be done manually?</h3><p>Yes, API testing can be done manually. Manual API testing takes more time and effort than automated testing and involves sending requests to the application’s interface and verifying the responses.</p><h3>How does manual testing work?</h3><p>Testing an API manually is a skill that requires practice and patience. Before diving in, you should familiarize yourself with the fundamental concepts of API testing.</p><p>To test an API manually, you’ll need a tool that allows you to make requests and view responses from the API. Popular tools for manual testing include Postman and SoapUI.</p><p>Once your chosen tool is set up, it’s time to formulate your test plan. First, decide what conditions you wish to test against and what criteria should be met for a successful test. Then, create an environment in which to test your API from start to finish, taking into account the input parameters and functional requirements.</p><p>When you begin testing, it’s important to identify any errors or unexpected behaviors that arise during the process. Make sure to collect any data related to those errors such as log files, screenshots and any other relevant information.</p><p>Finally, track the progress of your test using a bug tracking system like JIRA to identify errors, security vulnerabilities and performance issues.</p><h3>Can API testing be automated?</h3><p>Yes, API testing can be automated. 
Automated API testing utilizes specialized software tools to send requests and validate responses. Automated testing involves all of the same steps as manual testing, but eliminates the need to do every step manually. Automated API testing requires much less effort than manual testing, and is both more cost-effective and efficient, allowing you to run more tests in less time.</p><p>Another huge advantage of automated API testing is that it can be easily integrated into your CI/CD pipeline, allowing teams to quickly run tests when changes are made and easily track results over time.</p><h3>How does automated testing work?</h3><p>When testing an API automatically, you will need to use an API Testing Tool. These tools allow you to create tests and run them automatically.</p><p>There are many different API Testing Tools available, so it is important to choose one that is right for your project. Some factors you may want to consider include the cost, the features that it offers, and the level of support available. The best solution will allow for ease of integration, security and performance testing in one, and support for API testing standards like <a href="https://owasp.org/www-project-api-security/">OWASP’s API Top 10</a>.</p><p>Once you have selected an API Testing Tool, you can begin testing your API automatically. The tool will allow you to create tests for different parts of the API, such as authentication, input validation, response codes, etc. Ideally, your chosen tool will generate the tests and inputs for you, further automating the process. You can also use the tool to create tests for different scenarios, such as testing for errors or specific responses. Once you have created the tests, it is time to run them.</p><p>Automatic testing allows you to quickly check your API to ensure that it’s secure, reliable and performs the way it should. 
By testing your API automatically, you will be able to quickly identify any issues in your application and fix them before they become a problem.</p><p>Automated testing allows developers to focus on improving the user experience, rather than spending time writing tests. This makes it easier to ensure that users have a seamless experience with your application.</p><h3>What to Look For in an Automated API Testing Tool</h3><p>When choosing an automated API testing tool, look for one that easily integrates with your existing development pipeline and allows you to quickly and seamlessly run tests whenever new functionality is added or changes are made. With the right tool, development teams can test their APIs quickly and efficiently, allowing them to focus on more important tasks.</p><p><strong>Some of the key features you should look for include:</strong></p><ul><li><strong>Automated test creation and running:</strong> The ability to create tests and run them automatically, making testing easier and faster.</li><li><strong>Security testing</strong>: The ability to check for security vulnerabilities in the API and make sure that it is secure.</li><li><strong>Performance testing</strong>: The capacity to test the speed and performance of an API, ensuring it performs as expected under different scenarios.</li><li><strong>Integration with existing development tools</strong>: If you are using a version control system or continuous integration platform, look for a tool that integrates with them.</li><li><strong>Documentation and support</strong>: Look for an API Testing Tool that offers good documentation and support in case you have any questions or issues.</li><li><strong>Easy to use and understand</strong>: The benefits of automation quickly vanish if your tool has a steep learning curve. 
An intuitive API Testing Tool allows developers to quickly become proficient with it so they can focus on writing code.</li></ul><h3>Mayhem: Our Recommendation for an Automated API Testing Solution</h3><p>Mayhem is an excellent solution for automated API testing, offering all of the above features and more, such as:</p><ul><li><strong>Noise cancellation and finding deduplication</strong>: Mayhem bucketizes findings so you can focus on core issues and don’t waste time with hundreds of reports for the same finding.</li><li><strong>Easy integration with existing development tools</strong>: Mayhem integrates with popular source code management systems to automatically test each pull request.</li><li><strong>Ridiculously Easy to Use</strong>: Mayhem gives you meaningful testing results within 5 minutes. Mayhem’s simple integrations with development and build pipeline solutions allow you to focus on testing results, not the process of conducting the testing.</li><li><strong>Free 30-day trial</strong>: Try Mayhem for free for 30 days to ensure that it’s the right tool for your team.</li></ul><p><a href="https://get.mayhem.security/get-mayhem-api">Get Mayhem for API Free</a></p><p><em>Originally published at </em><a href="https://forallsecure.com/blog/which-api-testing-is-best-when-to-use-manual-vs-automated-api-testing"><em>https://forallsecure.com</em></a><em>.</em></p><hr><p><a href="https://medium.com/mayhem-security/which-api-testing-is-best-when-to-use-manual-vs-automated-testing-b467d852a317">Which API Testing Is Best: When To Use Manual vs. Automated Testing</a> was originally published in <a href="https://medium.com/mayhem-security">Mayhem by ForAllSecure</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[When API Testing Is Required and Industry-Specific API Standards]]></title>
            <link>https://medium.com/mayhem-security/when-api-testing-is-required-and-industry-specific-api-standards-861651c8b622?source=rss----99d1a806f683---4</link>
            <guid isPermaLink="false">https://medium.com/p/861651c8b622</guid>
            <category><![CDATA[developer-tools]]></category>
            <category><![CDATA[security-testing]]></category>
            <category><![CDATA[api-security]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[devsecops]]></category>
            <dc:creator><![CDATA[Debra Hopper]]></dc:creator>
            <pubDate>Tue, 21 Mar 2023 19:40:31 GMT</pubDate>
            <atom:updated>2023-03-21T19:39:18.028Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*z5LIVmafIh_2GIzP" /></figure><p>In last week’s post we talked about <a href="https://forallsecure.com/blog/what-is-api-testing-and-why-is-it-important">what API testing is and why it’s important </a>. In this week’s post, we’ll talk about when API testing is required and industry-specific API standards.</p><h3>When is API testing required?</h3><p>As a whole, API testing is not regulated, so it isn’t legally required in most cases. API security is a fairly new field, so while there aren’t currently many regulations around how APIs are built and secured, conducting API testing is still an important part of your development process. API testing can save your development team time and money, as well as ensure that your software is secure and reliable.</p><p><a href="https://get.mayhem.security/get-mayhem-api">Get Mayhem for API Free</a></p><h3>API Testing Requirements</h3><p>Depending on what type of data is being exchanged by an API, the API may need to undergo further testing for compliance. In the United States, organizations must comply with the , for online services directed to children under thirteen, and California’s Consumer Privacy Act ( ). It’s important for development teams to pay close attention to all relevant regulations and test their APIs appropriately.</p><p>APIs also need to follow industry-specific laws and regulations since there are different needs and concerns across industries. 
These industry-specific regulations will influence what steps your development team needs to take when testing APIs.</p><p>Below, we will explore API standards in healthcare, automotive, and financial services, but these are only a few examples of industry-specific API standards.</p><h3>Healthcare API Standards</h3><p>APIs, <a href="https://www.pewtrusts.org/en/research-and-analysis/reports/2021/01/standard-technology-presents-opportunities-for-medical-record-data-extraction">according to Ben Moscovich </a>, project director of Health Information Technology at Pew Charitable Trusts, have “the potential to make healthcare more efficient, lead to better care coordination, and give providers and patients additional tools to access information and ensure high-quality, efficient, safe, and value-based care.”</p><p>While APIs hadn’t been adopted by most healthcare systems until recently, the <a href="https://www.healthit.gov/topic/oncs-cures-act-final-rule">21st Century Cures Act </a>now requires healthcare providers to allow the easy exchange of health data for patients in order to be able to participate in the Medicare program. To accomplish this, many healthcare providers are turning to the power of APIs for this easy exchange of patient data.</p><h3>Healthcare API Standards</h3><p>is the largest compliance requirement in the United States for healthcare applications. Any API used within healthcare applications needs to be tested for compliance by ensuring that protected health information is properly secured with the correct authentication protocols in place and by limiting what types of requests can access what types of data.</p><p>The healthcare industry’s standard “instruction manual” for APIs is FHIR, or the Fast Healthcare Interoperability Resource, which is the standard set by the 21st Century Cures Act to accomplish healthcare data exchange. FHIR is implementation-focused, so it’s easy for development teams to use to produce working interfaces quickly. 
The FHIR specification is free for use with no restrictions. <a href="https://www.hl7.org/fhir/modules.html">Get started with FHIR here </a>.</p><p>HL7 develops and publishes the FHIR standards. They also provide services to support FHIR’s implementation, such as guides, programs, and testbeds. FHIR is now both a U.S. and global standard, with full documentation in English, Russian, Chinese, and Japanese. <a href="https://www.hl7.org/fhir/modules.html">Learn more about FHIR standards and the federal regulations here </a>.</p><h3>Automotive API Standards</h3><p>Many automotive manufacturers still use <a href="https://www.edibasics.co.uk/edi-by-industry/the-automotive-industry/">EDI, or Electronic Data Interchange </a>, more than APIs to transfer electronic data, but this is changing.</p><p>APIs are used to integrate mobile apps with your vehicle’s user interface, enabling users to answer phone calls, play music, and view mobile apps on the car’s screen through integrations like Apple CarPlay.</p><p>APIs are also used with VIN and license plate identification services and vehicle data history services like CARFAX. Many car manufacturers have their own applications that tell you when service is due and communicate other information to users, such as when tire pressure is low.</p><h3>Automotive API Standards</h3><p>ODETTE, the Organization for Data Exchange by Tele Transmission in Europe, is responsible for the EDI standards followed by many manufacturers in the automotive industry around the world. These standards define what should be tested before releasing an application and other aspects of data exchange between vehicles and vehicle systems.</p><p><a href="https://www.odette.org/news/story/odette-launches-api-expert-group">ODETTE recently formed an API Expert group </a>to develop a standardized approach to the implementation of REST APIs in the automotive supply chain. 
The goal of this group is to extend ODETTE’s successful EDI standardization to APIs.</p><p>In North America, ODETTE’s equivalent is AIAG, or the Automotive Industry Action Group, but currently no API standards exist within AIAG.</p><h3>Finance API Standards</h3><p>APIs have played a large role in customers’ expanded access to their financial data in recent years. APIs allow users to easily and safely share and access their financial data across many financial providers, and play a role in banking, investment, budgeting, and third-party payment apps.</p><h3>Finance API Standards</h3><p>In North America, API standards in the financial industry have arisen more from a market-driven need for standardized APIs across the financial industry and are subject to limited government regulation. Having standardized APIs benefits financial institutions and users, allowing for more secure and reliable data access across the industry.</p><p>FDX, or Financial Data Exchange, a non-profit industry organization, is the main organization that has stepped in to create an API standard for the U.S. and Canada. They are the creators of the FDX API, “a common, interoperable and royalty-free technical standard for user-permissioned financial data sharing”. The FDX API is free to access and use.</p><p>Members of FDX are financial service stakeholders that drive the APIs, co-chair working groups and task forces, and make decisions about how to build and implement the FDX API. Members include over 100 fintech firms and fintech stakeholders, nine of the top ten U.S. banks and all six of the top Canadian banks.</p><p>As of October 2022, 42 million consumer accounts were using the FDX API for open finance data sharing, up from 32 million in June 2022.</p><h3>The Future of API Testing Standards</h3><p>Standards for API testing are beneficial to development teams, because standardized APIs work across software systems and organizations and can be built once and reused many times. 
They are also beneficial to users, because they provide safer data transfer and a consistent user experience.</p><p>These benefits will likely lead companies to adopt common API standards even without legal regulation, as has already happened in the financial and automotive industries.</p><h3>API Testing Made Easy</h3><p>Mayhem automatically creates and runs thousands of API tests that can help you ensure you’re complying with industry best practices. Mayhem works within a single platform to find, filter, and prioritize any found vulnerabilities for your team. <a href="https://get.mayhem.security/get-mayhem-api?_gl=1*pcqkn8*_ga*NDA5NzMxODA3LjE2NjUxNTQ3MTE.*_ga_7GV139V4R7*MTY3Njk4ODkxOC4yMTcuMS4xNjc2OTg4OTIwLjU4LjAuMA..">Try Mayhem for free for 30 days </a>, and see how you can have complete API security quickly and easily.</p><p><em>Originally published at </em><a href="https://forallsecure.com/blog/when-api-testing-is-required-and-industry-specific-api-standards"><em>https://forallsecure.com</em></a><em>.</em></p><hr><p><a href="https://medium.com/mayhem-security/when-api-testing-is-required-and-industry-specific-api-standards-861651c8b622">When API Testing Is Required and Industry-Specific API Standards</a> was originally published in <a href="https://medium.com/mayhem-security">Mayhem by ForAllSecure</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[What Is API Testing and Why Is It Important?]]></title>
            <link>https://medium.com/mayhem-security/what-is-api-testing-and-why-is-it-important-20556a73f441?source=rss----99d1a806f683---4</link>
            <guid isPermaLink="false">https://medium.com/p/20556a73f441</guid>
            <category><![CDATA[developer-tools]]></category>
            <category><![CDATA[devsecops]]></category>
            <category><![CDATA[api-security]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[security-testing]]></category>
            <dc:creator><![CDATA[Debra Hopper]]></dc:creator>
            <pubDate>Tue, 21 Mar 2023 19:26:01 GMT</pubDate>
            <atom:updated>2023-03-21T19:29:53.229Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*kXf6wN0r4BjKqiLY" /></figure><p>APIs share data and enable communication between everything connected to the internet. API testing ensures that these connections work as intended and that the information carried by APIs remains secure.</p><h3>What is API testing?</h3><p>API testing is a type of software testing that tests application programming interfaces (APIs). API testing helps developers identify bugs within the API and optimize its performance, functionality, reliability, and security.</p><h3>What is an API?</h3><p>API stands for application programming interface. APIs share data and enable communication between different applications and software systems within set parameters.</p><p>APIs connect and carry information between everything connected to the internet, from your smartphone to your car. Many everyday digital actions include the use of APIs, from checking the weather within your weather app to making purchases. Any time you ask one application or website to call information from another website, it is an API that pulls that information.</p><p>One example of an API at work is when you “log in with Google” or “log in with Facebook” to an outside website. An API provides information to identify you to the website without giving it your Google log-in information.</p><p>Similarly, it is APIs that allow you to pay for online purchases with third-party payment methods like PayPal. When you “pay with PayPal”, an API communicates your user information and the amount owed to PayPal, confirms your purchase, and communicates back to the site you’re buying from that you’ve paid.</p><h3>Why API Testing Is Important</h3><p>API testing is critical to ensure that connections between platforms are reliable, safe, and scalable. 
API testing validates that the API performs as expected, and, more importantly, doesn’t act in unexpected ways that may increase the risk of an exploit.</p><p>API testing is especially important because if an API breaks due to undetected errors, you run the risk of not only breaking your app, but an entire chain of software that uses it. Undetected API errors create a bad user experience across the software chain and open the door for malicious actors to gain access to sensitive data carried by the API.</p><p>API testing checks for bugs such as duplicate functionality, improper messages, incompatible error handling, and security, reliability, and performance issues. API testing involves running multiple types of tests which check for different issues, including:</p><h3>Validation testing</h3><p>Validation testing checks that the API behaves as expected and runs efficiently.</p><h3>Functional testing</h3><p>Functional testing ensures that the API returns the right response for a given request and makes sure that it handles certain scenarios well within the planned parameters.</p><h3>Reliability testing</h3><p>Reliability testing ensures the API produces consistent test results and can be connected to consistently.</p><h3>Load testing</h3><p>Load testing measures how many calls an API can handle and monitors the API’s performance at expected normal and peak conditions.</p><h3>Security testing</h3><p>Security testing checks that the API is secure against external threats. Security testing methods include fuzz testing and penetration testing. Security testing also includes steps like validation of encryption methodologies and API access control.</p><h3>Runtime and error detection testing</h3><p>This type of testing evaluates the actual running of the API, focusing on monitoring, execution errors, resource leaks, or error detection.</p><h3>Benefits of API Testing</h3><p>Overall, investing time into API testing is beneficial for both development teams and their customers. 
API testing creates a better user experience and improves software security.</p><h4>Improved Reliability and Customer Satisfaction</h4><p>By identifying any flaws or bugs in an API before it goes live, teams can provide a better experience for their users from day one and reduce unexpected downtime which could otherwise have a negative impact on customer experience.</p><h4>Improved Security</h4><p>API security testing is especially important because of the increasingly sensitive user data carried by APIs. API testing can reveal vulnerabilities in the application’s architecture, allowing development teams to fix them before malicious actors can exploit them and gain access to sensitive data.</p><h3>When should you API test?</h3><p>API testing should begin early in the development cycle and be conducted as a continuous process throughout development. By testing APIs throughout the development process, teams can ensure that what they’re building works as intended and is of a high quality. This method of testing software earlier in the development cycle is known as shifting left.</p><p><a href="https://forallsecure.com/blog/3-reasons-developers-should-shift-left-for-api-security">When API testing is shifted left, the benefits are even greater </a>, saving developers time and money. The benefits of early API testing include:</p><h4>Ship Software Faster</h4><p>Having automated tests in place early on allows teams to quickly identify what needs to be addressed or changed in the API and perform fixes before code is released to production. This helps to speed up development cycles.</p><p>Time may also be saved in the future by testing APIs regularly and ensuring they are able to scale effectively as usage increases and new features are added over time.</p><h4>Reduce Costs</h4><p>Early API testing allows teams to fix bugs before they become serious problems. The earlier in the process an error is found, the less expensive and quicker it is to deal with. 
If issues can be fixed before UI testing begins, they won’t affect production, so conducting API testing early saves development teams money in the long run.</p><h3>Mayhem for API Testing</h3><p>The easiest way to conduct API testing throughout the development process is by using an automated API testing tool like Mayhem. Mayhem automatically creates test cases and integrates seamlessly into your continuous integration pipelines, making it easy to conduct API testing at speed and scale.</p><p><a href="https://get.mayhem.security/get-mayhem-api">Get Mayhem for API Free</a></p><p><em>Originally published at </em><a href="https://forallsecure.com/blog/what-is-api-testing-and-why-is-it-important"><em>https://forallsecure.com</em></a><em>.</em></p><hr><p><a href="https://medium.com/mayhem-security/what-is-api-testing-and-why-is-it-important-20556a73f441">What Is API Testing and Why Is It Important?</a> was originally published in <a href="https://medium.com/mayhem-security">Mayhem by ForAllSecure</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>