API Penetration Testing
An API pen test is designed specifically to ensure the security of every endpoint within an API. With APIs making up more and more of the backend of applications, it is extremely important to ensure their security, especially the customer data and system processes that can be exposed and taken advantage of by a malicious hacker.
API Testing Methodology
We test a wide range of attack vectors, including the OWASP API Top 10 2019, alongside our own testing methodology to ensure the best results. Much of the testing focuses on the security of the application and its data, but also on the security of other applications which may rely on the API for data or services. Authentication, authorisation, injection and rate limiting are just a small part of how we ensure the security of an API.
Top 10 API Security Risks
1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring
What are the risks?
APIs have increasingly become a target for hackers and malicious users over the years. Improper security can lead to massive data breaches and loss of user data, which can go undetected because the API is being abused in a way that looks like normal traffic.
Not only are APIs becoming more of a target, they are also being given more of an application's functionality, meaning that vital processes which may have been protected previously can now be vulnerable to SQL injection, Cross-Site Scripting or other dangerous vulnerabilities which could be used to compromise the system or user data.
How we can help
Our tests help remove the risks inherent in many web applications and prevent data breaches before an attacker has the chance to act. We offer comprehensive web application penetration testing. With help from our expert testers and comprehensive reports, we can help detect and fix issues before they are ever abused by an attacker. We work with companies to ensure the highest level of security for their APIs and offer remediation support to ensure that the issues we find are fixed quickly and correctly.
The Sencode Way
Contact a member of our consulting team either by phone, email or pigeon post. We will then discuss whether we can help you and arrange a scoping meeting to discuss your requirements.
Scoping & Proposal
In the scoping meeting our expert consultants will discuss and finalise which digital assets you need testing. We will then put together a project proposal and quote based on the requirements and agree on a schedule for conducting the security assessment.
The testing starts. A member of our penetration testing team will liaise with a member of your company throughout the entire testing process. If we have any questions or concerns, you will be the first to know.
Report & Remediate
A penetration test is useless without a well-written report. Our reports are written in plain English, concise and thoroughly documented. Each report will detail an executive summary, risk ratings, a business risk summary and all of the issues we found throughout the engagement.
Frequently Asked Questions
APIs are used for some of the most mission-critical operations in any company, and because they frequently handle personal data, it is crucial that they are as safe and resilient as possible. An API penetration test simulates an attack on an API in order to test its security. A security researcher will test a variety of attack approaches in order to compromise user data or API functionality that a hacker may utilise. Once the test is done, the security researcher will deliver a report to the firm detailing the issues discovered and recommendations for how to resolve those concerns.
All types of penetration testing differ in methodology and price. A number of factors go into setting a price for a penetration test, including the tester's expenses and the types of asset being tested. A smaller application will take considerably less time than a large, complex commercial application. We aim to make our pricing as flexible as possible. Sencode will provide our best judgement by accurately scoping your digital assets and making a determination based on experience testing assets of a similar scale. Once we have accurately scoped your project, we can provide a project proposal and a properly costed quote.
Example 1: An API endpoint assessment comprising 45 endpoints. 3 days of penetration testing. £2000-£3000
Example 2: An external infrastructure penetration test comprising 10 unique IP addresses. 2 days of penetration testing. £1000-£2000
Example 3: An internal penetration test on 80 IP addresses. 7 days of penetration testing. £5500-£6500
These prices vary based on the number of IP addresses, retesting requirements, after-hours testing and the skills required to conduct the engagement.
A penetration test should be performed on any API that handles user data. It is the obligation of the organisation in charge of that data to keep it secure. GDPR and other data protection requirements can result in significant penalties and fines for businesses that fail to secure their data, and the best way to do so is via a penetration test.
Get a free, no obligation quote from one of our expert staff.