Cleaner clouds, the rise of API PenTesting

API PenTesting

The rise of Application Programming Interface (API) technologies has continued apace over the last year and is set to do the same throughout 2023 with API PenTesting a hot new topic.

Written to a defined syntax and structure, APIs are of course a means of connecting an application (or a smaller functional element within an application) to another application, to a component, to a lower-level but typically still very powerful service such as search or maps, or to a wider, higher-level operating system.

Given the proliferation of APIs, we clearly need to make sure they operate safely and effectively, without the threat of being ‘penetrated’ by malicious actors or code.

API PenTesting-as-a-Service

Logically then (as this technology is in the cloud and of the cloud at its heart) we have seen the rise of API PenTesting-as-a-Service. Not quite yet referred to as APIPTaaS as a formal acronym, this function has been championed by several vendors including Tel Aviv-based Wib.

A cybersecurity startup in API security, Wib recently announced an API PenTesting-as-a-Service (which the company shortens to PTaaS) designed to help organizations proactively cover the latest PCI-DSS 4.0 mandates for testing application security, APIs and vulnerabilities in business logic.

Magical analyst house Gartner suggests that 90% of web-enabled applications will expose more attack surface via APIs than via the user interface (UI), and that API abuses will become the most frequent attack vector. In recognition of this changing attack landscape, Wib’s PTaaS solution supports the evolving requirements of frameworks such as PCI DSS as they adapt to the realities of modern web security, where API traffic is already 91% of web traffic but API coverage in penetration testing is often lacking.

According to Chuck Herrin, CTO of Wib, and his team, for organizations covered by PCI-DSS’ requirements for application penetration testing (which, as of version 4.0, specifically include API abuse and attacks on business logic), Wib’s offering provides on-demand API PenTesting designed to give solid validation of API security posture and so support assertions of compliance for PCI and for other frameworks and regulations such as GDPR, CCPA, SOC-2, ISO, NIST and others.

The best offense is defense

“We’ve always said that your defense should be informed by the offense, and with Wib’s world-leading team of API Penetration Testers, we’re uniquely positioned to provide validation of the security posture of APIs and the applications that use them from the same lens as the external attacker,” said CTO Herrin. “That is a critical piece we often find missing, and our team is built to fill this gap so our customers can find, understand and protect their APIs as they race to secure their evolving attack surface. Our goal is to make it safe to innovate and help our customers ensure the security, risk, and compliance of the API ecosystems powering their business.”

Wib’s service is designed to be unintrusive and hassle-free. It simulates attacks against APIs without ever having to connect to customers’ systems.

When combined with the Wib platform, it provides visibility, an automatic inventory, auto-generated API documentation and simulated attacks against test and/or production systems.

From source code, through to production

The trend here paints a picture of cloud-based code being used and managed across a complete, pipeline-centric journey: the company is talking about protecting an ‘API ecosystem’ all the way from source code, through production traffic, to professionally validated attacks on API business logic, carried out from the outside from a professional API hacker’s perspective.

When is an API not an API?

When it’s not part of an API ecosystem with tightly managed API business logic with an API PenTesting-as-a-Service layer, right?