
Pentesting in the Era of APIs and Microservices

Joe Sechman

Early in his professional career, Joe realized he had a knack for thinking like an attacker: uncovering and exploiting flaws in the security mechanisms employed by software, networks, physical buildings, and human behavior. He has been fortunate to work alongside some of the brightest minds in the industry and strives to build on that experience by continuing to invent novel approaches to solving security problems.


Software development practices are evolving while cybersecurity trends constantly change. Today, large monolithic applications are falling out of favor and are quickly being replaced by loosely coupled, modular microservices that are easier to develop, test, and scale. These services may be exposed externally as part of a software-as-a-service or other API offering.

Much like any other digital asset, these exposed API surfaces are open to attack. Organizations concerned with security will certainly want to ensure these APIs are included in all of their security testing activities. Yet when approaching these APIs for a first assessment, many pentesting teams quickly learn that their web assessment methodologies and security scanning tools don't quite work, because the attack surface differs from a traditional web application. Testing teams then typically fall back to manual pentesting methods and custom scripting, which reduces assessment velocity and scalability and leads to poor coverage and missed risk.

Pentesting teams should take a serious look at their assessment capabilities to determine whether their methodologies or tools have gaps, specifically in handling microservice, B2B, and mobile API assessment needs.

One key area to consider is how to locate, or discover, the APIs to assess. APIs are often decoupled from web properties, so web assessment tools such as crawlers and browsing proxies will be ineffective. APIs may also involve various non-HTTP protocols and data formats, such as gRPC, Thrift, or Avro, and tools may need to support these protocols and transports before an assessment can occur. Authentication and authorization mechanisms also vary widely, ranging from static values to various dynamic tokens presented in any manner of HTTP headers, query parameters, or path parameters.

Security teams should expect to make tool adjustments or implement ad hoc custom handlers for authenticated session access. Once the security testing team can properly interact with the API, things will start to feel familiar. APIs and microservices are subject to many of the typical web vulnerabilities in the OWASP Top 10, and methodologies for assessing certain vulnerability types, such as SQL injection, will generally still work after some mild accommodation. More important, though, are certain attacks particular to APIs and microservices that are not commonly covered in standard web assessment methodologies. API-specific DDoS attacks, rate limiting/throttling bypasses, weaknesses in custom authentication and authorization mechanisms, and binary deserialization/parsing attacks are examples of vulnerabilities encountered more frequently in APIs than in traditional web targets. It's important that security assessment methodologies properly prioritize these attack types.
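As an added illustration (not code from the original post or from Cobalt), here is one way a testing team might write the kind of custom handler for authenticated session access described above, covering the variety of credential placements the post mentions: a static or dynamic token delivered in an HTTP header, a query parameter, or a path segment, with the token re-fetched when it expires. The class and function names, the token format, the 300-second lifetime, and the `api.example.test` host are all assumptions made for this example; the token issuer and clock are constructed stand-ins so that it runs offline.

```python
"""Minimal authenticated-session handler for an API assessment harness.

Added example, not from the original post. All names, the token format and
the refresh interval are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class AuthSpec:
    """Describes where and how a credential is presented to the API."""
    location: str                      # "header", "query" or "path"
    name: str                          # header name, query key, or path placeholder
    token_provider: Callable[[], str]  # fetches a fresh credential (login call, etc.)
    ttl_seconds: Optional[float] = None  # None means a static credential, never refreshed
    prefix: str = ""                   # e.g. "Bearer " for an Authorization header


class ApiSession:
    """Caches a token and re-fetches it once the configured TTL has elapsed."""

    def __init__(self, spec: AuthSpec, clock: Callable[[], float]):
        self.spec = spec
        self.clock = clock          # injected so tests can control time
        self._token: Optional[str] = None
        self._issued_at = 0.0
        self.refresh_count = 0      # useful when diagnosing session churn

    def token(self) -> str:
        expired = (self.spec.ttl_seconds is not None
                   and self.clock() - self._issued_at >= self.spec.ttl_seconds)
        if self._token is None or expired:
            self._token = self.spec.token_provider()
            self._issued_at = self.clock()
            self.refresh_count += 1
        return self._token

    def prepare(self, url: str,
                headers: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, str]]:
        """Return (url, headers) with the credential injected according to the spec."""
        headers = dict(headers or {})
        credential = self.spec.prefix + self.token()
        if self.spec.location == "header":
            headers[self.spec.name] = credential
            return url, headers
        parts = urlsplit(url)
        if self.spec.location == "query":
            # Drop any stale copy of the key, then append the current credential.
            pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                     if k != self.spec.name]
            pairs.append((self.spec.name, credential))
            return urlunsplit(parts._replace(query=urlencode(pairs))), headers
        if self.spec.location == "path":
            placeholder = "{" + self.spec.name + "}"
            if placeholder not in parts.path:
                raise ValueError(f"placeholder {placeholder} missing from {url}")
            new_path = parts.path.replace(placeholder, credential)
            return urlunsplit(parts._replace(path=new_path)), headers
        raise ValueError(f"unknown auth location {self.spec.location!r}")


def demo_refresh() -> dict:
    """Constructed scenario: a bearer token that must be refreshed every 300 seconds."""
    now = [1000.0]
    issued = [0]

    def fake_clock() -> float:
        return now[0]

    def fake_issuer() -> str:          # stands in for a real login/token endpoint
        issued[0] += 1
        return f"tok{issued[0]}"

    spec = AuthSpec("header", "Authorization", fake_issuer, ttl_seconds=300, prefix="Bearer ")
    session = ApiSession(spec, fake_clock)
    _, first = session.prepare("https://api.example.test/v1/orders")
    now[0] += 120                       # still within the TTL: same token reused
    _, second = session.prepare("https://api.example.test/v1/orders")
    now[0] += 200                       # 320 s since issue: token is refreshed
    _, third = session.prepare("https://api.example.test/v1/orders")
    return {"first": first["Authorization"], "second": second["Authorization"],
            "third": third["Authorization"], "refreshes": session.refresh_count}


if __name__ == "__main__":
    print(demo_refresh())
    static_query = ApiSession(AuthSpec("query", "api_key", lambda: "k1"), lambda: 0.0)
    print(static_query.prepare("https://api.example.test/v1/items?limit=5"))
```

Injecting the clock and the token issuer keeps the handler testable without network access; in a real harness the provider would call the target's login or token endpoint, and the same `prepare` method can sit in front of whatever HTTP or gRPC client the team uses.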

Overall, testing APIs and microservices does align with typical security testing processes once the proper investment is made in tool adjustments and methodology accommodation. Be sure to ask your third-party security assessors how they approach APIs differently from typical web security assessments.

To learn more about security testing APIs, check out Jeff Forristal’s Guide to API Security Testing.
