7 top API security tools for 2023
Connecting digital services and transferring data, APIs are critical for any modern technology business. But securing them has proven to be a challenge for developers and security managers alike, with many high-profile security incidents in recent years. According to Gartner, 90% of web-enabled applications already have a larger surface area in exposed APIs than in the user interface.
In this article we’ll look at the most common API security risks and vulnerabilities, how to test for them with the right API penetration testing tools, and how to choose the best API security tool to protect your APIs – wherever you are in your CI/CD pipeline.
What can go wrong with APIs?
API breaches have the potential to expose large amounts of sensitive data or give attackers access to your systems. But where do you start? Firstly, you should focus your security efforts on the most common vulnerabilities listed in OWASP’s API Security Top 10.
These include broken authentication, misconfigurations and injection attacks, all of which can lead to serious breaches and data disclosure, like when Freepik fell victim to a SQL injection blunder that compromised the accounts of 8.3 million users in 2021. Want to know more? Deep dive into these vulnerabilities and more in our ultimate guide to API security.
How can you secure your APIs?
Similar to web application security, API security testing tools send a variety of requests designed to safely mimic attacks of would-be hackers to produce a report listing any vulnerabilities or bugs. API security testing aims to ensure that API security vulnerabilities like the ones above have been identified and fixed prior to releasing or changing your API.
Best API security testing tools
It’s important to choose an API security testing tool that fits your needs as a developer, penetration tester or security team. It should also help you identify or defend against as much of the OWASP Top 10 as possible, and work with your current tech stack to continuously monitor your APIs against current and emerging threats. What’s safe today may not be safe tomorrow. Now that you know what to test for and why it’s important, here’s our list of recommended API security tools to cover a variety of scenarios:
Best API security tools for DevSecOps
Designed with simplicity in mind, Intruder’s fully informed API security scanning runs comprehensive scans against every endpoint listed in an API schema, helping customers looking to secure APIs with Single Page Applications (SPAs) who struggle to get meaningful results from traditional application vulnerability scanning. Its Dynamic Application Security Testing (DAST) scanner is easy to integrate into your CI/CD pipeline, so it finds issues you can resolve early in the DevOps lifecycle.
Probely is designed to integrate into software development processes and CI/CD pipelines to automate and scale security testing. Its automated web app vulnerability scanner has fully featured API scanning capabilities to help detect vulnerabilities and provide actionable advice on how to fix them. But beware, as with Burp Suite, its free plan has limited functionality.
As its name suggests, AppCheck provides in-depth automated testing that allows ad-hoc, scheduled and continuous API security testing, including full OWASP Top 10 vulnerability coverage. Developed and maintained by security experts, it’s easy to use and highly configurable, supporting all forms of authentication via a scriptable browser interface and integration with bug tracking platforms like JIRA, and custom integration via JSON API.
Best API security tools for enterprise
A more recent entrant to the market with an enterprise focus is Firetail, whose mission is to provide a single API security platform for application layer visibility and real-time, inline inspection and blocking of malicious API calls. Flexible and configurable, it lets users define triggers that generate push notifications based on configuration and inventory data. It also integrates with notification systems from email to Slack and Teams.
Best for pentesters and bug bounty hunters
Burp Suite is a comprehensive set of testing tools developed for pentesting and running API security scans for vulnerabilities. An all-in-one tool that supports a multitude of ways to inspect, modify, and replay HTTP requests, it’s popular among developers, web app security researchers, engineering teams and bug bounty hunters. It’s easy to use compared to other tools, although the free ‘community edition’ has significantly limited functionality.
Best for developers
Postman is used by pentesters and developers worldwide, and helps QA and application support teams test APIs more easily. The GUI is straightforward and user friendly, and its API platform can check for vulnerabilities beyond the OWASP API Top 10. This gives developers clear security guidelines on the same platform they use to design, build, test, and deploy their APIs. However, it can add headers to a request regardless of your authorization, which can lead to error responses from backend APIs.
Best for post-deployment
Cloudflare is a suite of solutions designed to make everything you connect to the internet secure, private, fast, and reliable. Designed for pros and newbies alike, its API Gateway discovers and monitors API endpoints to prevent application DDoS and brute-force attempts, provide authentication, and validate OpenAPI schemas. It stops volumetric API abuse through anomaly detection, prevents data leaks by continuously scanning response payloads for sensitive data, and provides a central API catalogue for a single baseline of organizational APIs.
Why you need to take API security seriously
APIs are a critical part of most mobile and web applications. Knowing where your APIs are, and understanding how attackers can exploit them, is more important than ever. Frequent API security scans help to secure your application by identifying weaknesses so you can fix them before they're exploited.
Intruder's dynamic application security testing (DAST) scanner scales API vulnerability scanning to meet the needs of your growing business. Read more in our guide to API security or find out more about our approach to API scanning here. Why not put Intruder through its paces with a free trial?
- Raw CVE Coverage
- Risk Rating Coverage
- Remote Check Types
- Check Publication Lead Time
- Local/Authenticated vs Remote Check Prioritisation
- Software Vendor & Package Coverage
- Headline Vulnerabilities of 2021 Coverage
- Analysis Decisions
Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit.
Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they were previously having to hunt themselves, speeding up potential exploit creation.
Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
The likelihood of exploitation in the wild is steadily increasing.
Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
We’re starting to lose some of the benefit of rapid, automated vulnerability detection.
Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
Any detection released a month after the details are publicly available is decreasing in value for me.
Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check how long both Tenable and Greenbone take to release a detection for their scanners. The following section will focus on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public; Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs. Since 2010, Tenable have released remote checks for 147 critical CVEs and OpenVAS for 79 critical CVEs on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are good, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I’d go another step further and try to see if I could identify any trend in each organisation’s release delay: are they getting better year-on-year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted them. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to checks released between 180 days before and 31 days after the CVE was published. These seem to me like reasonable limits, as anything greater than 6 months prior to the CVE details being released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
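The metrics used above (share of checks released on or before day 0, share released within a month, and the per-year mean delay clipped to the -180/+31 day window) are straightforward to compute from a list of CVE publication and check release dates. The script below is an added example, not code from the original article or from either vendor, and it runs over a small constructed data set rather than real Tenable or Greenbone feed data; the record layout and function names are assumptions for illustration.

```python
"""Release-delay metrics for scanner checks, computed over constructed sample data.

Each record pairs a CVE's publication date with the date a vendor released a
remote check for it. A negative delay means the check preceded the CVE.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample records (not real vendor data): (vendor, cve_published, check_released)
SAMPLE = [
    ("Tenable", date(2019, 3, 1), date(2019, 2, 20)),    # check before CVE (-9 days)
    ("Tenable", date(2019, 5, 10), date(2019, 5, 10)),   # same day (day 0)
    ("Tenable", date(2019, 8, 1), date(2019, 8, 20)),    # within a month (+19 days)
    ("Tenable", date(2020, 1, 15), date(2020, 4, 1)),    # +77 days: outside the clipped window
    ("Greenbone", date(2019, 3, 1), date(2019, 3, 4)),   # +3 days
    ("Greenbone", date(2019, 5, 10), date(2019, 5, 10)), # day 0
    ("Greenbone", date(2019, 8, 1), date(2018, 6, 1)),   # -426 days: outside the clipped window
    ("Greenbone", date(2020, 1, 15), date(2020, 1, 14)), # -1 day
]


def delay_days(cve_published, check_released):
    """Days from CVE publication to check release (negative if the check came first)."""
    return (check_released - cve_published).days


def share_within(records, vendor, max_delay):
    """Fraction of a vendor's checks released no later than max_delay days after the CVE.

    max_delay=0 gives the 'on or before day 0' share; max_delay=31 the 'within a month' share.
    """
    delays = [delay_days(p, r) for v, p, r in records if v == vendor]
    if not delays:
        return 0.0
    return sum(1 for d in delays if d <= max_delay) / len(delays)


def clipped_mean_delay_by_year(records, vendor, lower=-180, upper=31):
    """Mean delay per CVE-publication year, keeping only delays within [lower, upper].

    Clipping removes the outliers that would otherwise dominate the mean, as described
    in the article; a year with no in-window checks simply has no entry.
    """
    by_year = defaultdict(list)
    for v, p, r in records:
        if v != vendor:
            continue
        d = delay_days(p, r)
        if lower <= d <= upper:
            by_year[p.year].append(d)
    return {year: mean(ds) for year, ds in sorted(by_year.items())}


if __name__ == "__main__":
    for vendor in ("Tenable", "Greenbone"):
        print(vendor)
        print("  on/before day 0:", share_within(SAMPLE, vendor, 0))
        print("  within 31 days: ", share_within(SAMPLE, vendor, 31))
        print("  clipped mean by year:", clipped_mean_delay_by_year(SAMPLE, vendor))
```

Replacing SAMPLE with real records (vendor, CVE publication date, check release date) reproduces the three figures discussed in the text; the clipping bounds are parameters so the sensitivity of the yearly mean to the chosen window can be checked directly.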
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
- We do not yet have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities, Tenable could win this category. However, with the 2019 and 2020 delay times going to OpenVAS, and the trend lines being so close, I am going to declare this one a tie. It’s a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.