DAST is specifically designed for continuous testing throughout the software development process; its primary capability is to send various iterations of data to an input and check outputs for responses that might indicate a vulnerability at run time. SAST can’t do that.
SAST and IAST are less successful in the real world due to the heterogeneous app environment and the increasingly fast pace of development cycles, Cheng says.
"In addition, SAST and IAST are especially limiting in discovering security risks in application behavior driven by the input and output of many subcomponents, which is the case in modern microservice-driven mesh architecture," he says.
While useful, conventional DAST is limited by often incomplete, out-of-date API specifications.
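The DAST loop described above, as an added illustration that is not part of the article: a constructed stand-in for an API endpoint is called with a set of input variations, and each response is checked for signals of a run-time weakness (a server error that leaks exception text, or a probe token reflected into the output without encoding). The endpoint functions, the probe values and the marker token are all constructed for this example; a real scanner would send the same variations over HTTP against a running deployment.

```python
import html

MARKER = "dastprobe7"  # constructed, harmless token used only to detect unescaped reflection


def vulnerable_search(params):
    """Constructed stand-in for a search endpoint; returns (status, body)."""
    limit = int(params.get("limit", "10"))  # raises ValueError on non-numeric input
    return 200, f"<h1>Results for {params.get('term', '')}</h1><p>{limit} shown</p>"


def hardened_search(params):
    """Same endpoint with input validation and output encoding added."""
    raw = params.get("limit", "10")
    if not raw.isdigit() or not 1 <= int(raw) <= 100:
        return 400, "limit must be an integer between 1 and 100"
    term = html.escape(params.get("term", ""))
    return 200, f"<h1>Results for {term}</h1><p>{raw} shown</p>"


def call(endpoint, params):
    # A real DAST tool issues HTTP requests; here the stand-in is called directly.
    # An uncaught exception is mapped to the 500 response a careless framework
    # would emit, including the exception text in the body.
    try:
        return endpoint(params)
    except Exception as exc:
        return 500, f"Traceback (most recent call last):\n{type(exc).__name__}: {exc}"


# Input variations per parameter: wrong type, boundary values, and a marker
# wrapped in angle brackets to detect reflection without encoding.
PROBES = {
    "limit": ["10", "abc", "-1", "0", "9" * 40],
    "term": ["report", f"<{MARKER}>", "'" + MARKER],
}


def scan(endpoint):
    """Send every probe to the endpoint and collect response-based findings."""
    findings = []
    for param, values in PROBES.items():
        for value in values:
            status, body = call(endpoint, {param: value})
            if status >= 500 or "Traceback" in body:
                findings.append((param, value, "server error / stack trace disclosed"))
            if f"<{MARKER}>" in body:
                findings.append((param, value, "input reflected without encoding"))
    return findings


if __name__ == "__main__":
    for name, endpoint in (("vulnerable", vulnerable_search), ("hardened", hardened_search)):
        print(name, scan(endpoint))
```

The scan knows nothing about the endpoint's source code, which is the point the article makes: the same harness runs against the vulnerable and hardened versions and flags only the former, based purely on observed responses.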
Static Application Security Testing Catches Coding Errors
SAST tools can examine an app's or API's code to identify patterns or code constructs linked with security vulnerabilities — such as buffer overflows, SQL injection or cross-site scripting — without running anything. The tools generate detailed reports on identified vulnerabilities, specifying their severity and potential impact.
This form of testing is vital because it can detect potential coding errors and design flaws that may lead to security breaches, before the app is deployed, saving time and resources.
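A minimal SAST-style check, added here as an example and not drawn from the article or any vendor's tool: it parses Python source into an abstract syntax tree, locates calls to database `execute`/`executemany` sinks, and reports those whose query text is assembled from runtime values (string concatenation, `%` formatting, `.format()` or f-strings), which is the SQL injection pattern the article names. The sample module, the sink names and the severity label are constructed for this example; nothing is run.

```python
import ast
import textwrap

# Constructed sample module: two injection-prone queries and one parameterized query.
SAMPLE_SOURCE = textwrap.dedent('''
    def find_user(cursor, name):
        cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

    def find_user_fmt(cursor, name):
        cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")

    def find_user_safe(cursor, name):
        cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
''')

# Method names treated as SQL sinks (assumed DB-API style cursor methods).
SQL_SINKS = {"execute", "executemany"}


def _is_dynamic_string(node):
    """True if the expression builds a string from non-constant parts."""
    if isinstance(node, ast.JoinedStr):  # f-string with at least one {placeholder}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "a" + "b" is still constant; anything involving a Name or nested BinOp is not
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...{}".format(value)
    return False


def find_sql_injection(source):
    """Report sink calls whose first argument (the query) is built dynamically."""
    findings = []
    tree = ast.parse(source)
    for func in tree.body:  # top-level functions; ast.walk covers nested calls once
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SQL_SINKS
                    and node.args
                    and _is_dynamic_string(node.args[0])):
                findings.append({
                    "function": func.name,
                    "line": node.lineno,
                    "sink": node.func.attr,
                    "severity": "high",
                    "impact": "SQL injection: query text built from runtime data",
                })
    return findings


if __name__ == "__main__":
    for finding in find_sql_injection(SAMPLE_SOURCE):
        print(finding)
```

The parameterized variant passes a constant query string plus a separate tuple of values, so it is not flagged; that distinction, not a keyword match, is what a static analyzer has to make, and real tools extend the same idea with data-flow tracking across functions and files.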
"Applying SAST principles to API development is important because modern applications are built with APIs," Schwake says.
SAST occurs very early in the software development lifecycle and generally covers 100 percent of the codebase.
"The effective deployment of SAST tools can greatly improve the overall quality of code that makes it through the CI/CD pipeline and into production," says Glen Deskin, head of engineering and cybersecurity evangelist for Check Point Software.
Agencies must choose a particular SAST toolset that is compatible with their apps in development. Once a toolset is procured and deployed, it may need to be customized to achieve the desired results.
"Beyond that, applications or code projects are onboarded, and dedicated resources can begin to analyze and remediate reported issues," Deskin says.
Challenges Remain to Full Implementation of App Testing
Various factors are responsible for agencies’ slow adoption of API and SAST testing.
"Legacy systems, not originally designed with modern API security in mind, present a significant challenge," Schwake says.
The Market Connections survey estimated that 60 percent of the federal IT budget was spent maintaining such systems.
Meanwhile, the complexity of modern apps, with their numerous APIs, makes comprehensive testing daunting.
"Agencies may also struggle with limited resources and lack the budget, personnel or expertise to implement and maintain robust testing programs," Schwake says. "Additionally, cultural barriers and resistance to change can hinder the adoption of new testing methodologies and tools."
APIs haven’t traditionally been considered an IT asset, leading some IT leaders to deem their security less important, he says.
Agencies that conduct only API testing, and not SAST, usually add it to their general penetration testing process, Cheng says.
How Agencies Take App Testing to the Next Level
Shifting security testing to a point earlier in the development lifecycle is a common goal for most modern software development organizations.
"As more organizations adopt DevSecOps culture and structure, testing security earlier in the development lifecycle will be paramount," Deskin says.
Agencies handle sensitive citizen data and critical operations that are high-value targets for bad actors, but API security and testing are newer, evolving technologies.
"APIs are increasingly becoming the primary interface to critical business applications," Cheng says.
API testing must be bolstered to stay ahead of bad actors looking to exploit business logic implementation vulnerabilities left in apps when they are released, and that requires agencies to allocate resources accordingly, Schwake says.
"Automation through API and SAST testing tools can streamline the testing process and improve efficiency," he says.
Investing in training to develop staff expertise in API and SAST testing is also important.
"Additionally, adopting API posture governance solutions can provide visibility into the API landscape, identify and remediate security risks, and ensure continuous compliance with security or regulatory standards," Schwake says.