Alex - stock.adobe.com
10 API security testing tools to mitigate risk
Securing APIs properly requires testing throughout their design lifecycle. Explore 10 leading API security testing tools for automated, continuous security testing.
APIs are at the core of modern application architecture. Because of their importance and their ability to provide access to data and resources, however, they are often the targets of attackers.
The API security market is composed of both cloud-based inline protection services and those that can be integrated into development and runtime environments. Strong API security tools should detect API integration misconfigurations, sensitive data exposure, security vulnerabilities, improper handling of authentication and authorization credentials and tokens, and much more. Many tools or services can also act as a prevention measure that shields malicious queries and interactions with APIs.
The API security testing tools below are listed alphabetically rather than ranked because different use cases call for different features. A particular tool might be the best choice for one organization but not another, depending on their respective needs. Most of these API security testing tools offer free versions or free trial periods, but enterprise users will likely require paid options or licenses. That said, it is worthwhile to test any tool before committing to it to see how it works for developers and security teams on the ground.
Regardless of which API security testing tools companies choose, the lifecycle of an API involves many different teams and naturally sees rapid iteration. It is important, therefore, to establish who has overall responsibility for testing and maintaining API security on an ongoing basis.
Apache JMeter
Apache JMeter is an open source Java application originally designed as a web application load tester. It expanded its capabilities to test functional behavior and measure performance on static and dynamic resources from any Windows, Linux or Mac OS.
Apache JMeter does not require programming skills. It can handle many different types of applications, servers and protocols, and it supports request chaining. Tests can use CSV files to generate heavy loads of realistic traffic that put APIs under pressure. An integration between JMeter and Jenkins enables admins to build API testing into continuous integration/continuous delivery (CI/CD) pipelines and to use JMeter for API monitoring.
Note, however, that JMeter does not have the ability to dynamically execute scripting and other browser functions, making it a limited option for thorough testing.
Apigee API Management
Aimed at enterprises building large and complex projects, Apigee API Management, part of Google Cloud, supports the designing, building, testing, deployment and monitoring of APIs by enabling developers to track traffic, error rates and response times. Users expose their APIs on Apigee via API proxies, which act as managed facades for back-end services. These proxies decouple the app-facing APIs from back-end services so the apps can keep calling the APIs without interruption, despite any code changes on the back end.
Apigee customers can choose from SaaS and hybrid options. In the hosted SaaS version, Apigee maintains the environment. The hybrid version consists of a management plane running in Apigee's cloud, plus a runtime plane installed on-premises or with a cloud provider. The hybrid model confines API traffic and data to the enterprise, but it could require significant configuration and customization.
The three subscription packages are Standard, Enterprise and Enterprise Plus, none of which limit the number of individual APIs or users. Higher tiers, however, offer larger numbers of API calls. Organizations can also opt to use Apigee's pay-as-you-go model, which charges based on number of API calls, deployable environments used per hour and number of proxy deployments. Apigee's prices are available on request.
Assertible
Assertible provides simple and powerful API testing and monitoring with turnkey assertions for domain-specific testing, including JSON schema validation and JSONPath data integrity checks. It integrates with common development and communications tools, including GitHub, Slack, PagerDuty and Zapier, as well as CI/CD services and platforms. It is possible to chain multiple HTTP requests together to test more complicated scenarios via setup steps, which enable test variables to be captured from an HTTP request.
While keeping tests up to date is usually time-consuming, Assertible can automatically sync any changes in API specifications -- such as updates to responses, parameters and headers -- to API tests. Developers, therefore, no longer have to manually update their tests after adding new parameters or changing the response of an API. Assertible includes a feature called encrypted variables that improve security by securely storing tokens, passwords and other sensitive data fields for API testing.
Customers can choose from four packages, including a free personal plan. Paid plans range from $25 to $100 per month and offer tiered increases in the number of tests, test frequency and team members supported.
Insomnia
Insomnia, part of Kong, is an open source API client for creating, organizing, sharing and executing REST, Simple Object Access Protocol (SOAP), GraphQL and gRPC requests from a Mac, Linux or Windows desktop application. It includes a built-in specification editor that lets users instantly preview changes without switching apps or views, and it can generate code for more than 12 different languages.
Insomnia supports the definition and segregation of environment variables for reuse across requests globally or within a public or private environment. Users can create customized API test flows, including chained requests, with Insomnia's test suite scripts. Insomnia's code editor is relatively simple, but it does require some coding skills. Inso, the app's CLI, lets users integrate automated Insomnia API tests into their CI/CD pipelines via GitHub, GitLab Jenkins, Vercel and other platforms.
There is a free license for single users. Kong offers paid tiers of Individual at $5 per user per month, Team at $12 per user per month and Enterprise at $45 per user per month for additional features, such as unlimited collaborators and organizations, native Git support and more.
Karate
Karate is an open source framework that combines automated API testing, performance testing and mocking into a single framework. While it is implemented in Java, it doesn't require users to have advanced programming skills. Karate uses a behavior-driven development approach and Gherkin syntax (Given-When-Then) for coding test scripts. Test definitions can also serve as the functional documentation for the API itself. Karate can be integrated with CI/CD tools.
JSON and XML assertions are built in, and tests can run in parallel for improved performance and speed. Admins can test end-user workflows using API call sequences. Additionally, tests can double as performance tests with the addition of Gatling, which verifies if server responses are as expected under load. API test scripts can also be used to automate UI testing, and the Karate debugger can step backward and replay a step during editing. Karate has extensive documentation, a wide range of test examples and an active user community.
As an open source program, Karate is free for users. Organizations can opt for one of its paid tiers -- Plus at $100 per year per user, Pro at $640 for per year per user or Ultimate at $1,400 per year per user -- for additional features, including calling HTTP APIs, syntax and debugging support, and more.
Katalon Studio
Katalon Studio is a popular test automation tool for APIs, as well as web, mobile and desktop applications. It runs on Windows, Linux and macOS. Katalon Studio supports SOAP and REST requests and provides multiple parameterization features and commands, with support for multiple data sources for data-driven testing.
Test scripts are written in the Apache Groovy language, but a dual-editor interface lets users switch between script and manual editing modes. The manual mode enables those with limited programming skills to generate tests via a drag-and-drop interface. Katalon Studio has a Quick Start Wizard and a record and playback tool. Users can also chain tests.
Katalon Studio is free, as are many of its plugins. The Premium version starts at $175 per user per month and includes extended features, private plugins and help desk support. The Runtime Engine add-on, priced at $140 per session per month, enables CI/CD integration and lets users schedule and run tests in parallel. An Ultimate version offers additional analytics and AI capabilities; pricing is available on request.
Postman
Postman is a widely used platform for building and testing APIs that reports having over 30 million users across 500,000 organizations. Originally a Chrome plugin, it's now available as a SaaS platform or a desktop app, compatible with Windows, Linux and macOS.
In Postman collections, teams can organize, group, reuse and share API requests and examples, which enables collaboration, automated testing and request chaining. By attaching monitors to collections, users can schedule automated API tests to run as frequently as every five minutes, flagging potential problems via alerts.
Postman offers a number of video tutorials and solid documentation. It also has particularly strong community support, with many users publishing APIs, collections and workspaces to help others with training and development.
Four different plans are available, starting with a free version for up to three users and a Basic version for $14 per user per month. Professional- and Enterprise-level paid versions -- $29 and $49 per user per month, respectively -- include private workspaces where users can store API artifacts and fellow team members can access them, as well as mocking capabilities, identity and access management, and enhanced reporting and analytics.
Sauce Labs Platform for Test
Sauce Labs Platform for Test, previously Sauce Labs API Testing and Monitoring, is a comprehensive platform for web services and REST API testing, monitoring, error reporting and debugging. Built from the ground up for compressed DevTest workflows, Sauce Labs Platform for Test enables admins to auto generate tests from payloads or specification files and then edit them in either an integrated development environment or a simple drag-and-drop test composer. Functional tests can be reused in the test composer to efficiently create dynamic, data-driven and end-to-end API flow tests, with many options to increase observability and validate real-world scenarios.
Users also have the option to reuse API tests as monitors, which they can deploy in any environment, including production, through integration with a CI/CD pipeline or Sauce's onboard autoscheduler. Running in the background, the functional monitors can provide alerts and detailed reporting to help accelerate debugging. By unifying all API tests and monitors on a centralized platform, management has a single version of API health, along with visibility into ongoing testing.
Platform for Test is available in three models, all of which include unlimited users and unlimited testing minutes. Live Testing starts at $49 per month, Virtual Cloud starts at $199 per month and Real Device Cloud starts at $249 per month. Enterprise support is also offered; contact for pricing.
SoapUI and ReadyAPI
SoapUI, created in 2006 by SmartBear, was the first open source SOAP and REST API testing tool. It is available as a desktop app for Windows, Linux and macOS. The self-described "Swiss-Army knife of automated functional and regression testing," SoapUI enables users to create and run functional tests, from simple to complex, with straightforward drag-and-drop actions. The generated scripts can be reused and support request chaining.
A paid pro version called ReadyAPI offers additional features, including data-driven performance testing, service virtualization, mocking and CI/CD pipeline integration, with support for GraphQL, Java Message Service and Java Database Connectivity. It comes in three modules: API Test Module starting at $900 per license per year; API Performance Module at $6,455 per license per year; and API Virtualization Module for $1,215 per license per year. Customers also have the option of purchasing all three modules as a bundle for a reduced customized cost.
Swagger
Swagger, maintained by SmartBear, is an easy-to-use suite of open source tools for designing, building, testing and documenting APIs. The Swagger Specification, the basis for the suite of tools, became the OpenAPI Specification in 2016.
The suite includes Swagger Editor, which visualizes an API specification and enables real-time user interaction and feedback. Swagger Codegen generates server stubs in more than 20 different languages and client SDKs in over 40 different languages so end developers can easily integrate with live APIs. Swagger UI enables anyone to visualize and interact with an API's resources without having access to its implementation logic. Other tools in the suite enable mock responses for unimplemented methods and publication of an entire API project to any Node.js platform.
Swagger is free for use. The SwaggerHub platform, which integrates the Swagger suite with additional features, is available in Team or Enterprise packages. The Team plan, at $84 per month for three designers, includes additional integrations, reusable domains and collaboration capabilities. The Enterprise plan, available on-premises or as a SaaS option, includes priority support and API standardization. Enterprise pricing is available upon request.
Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.
