Quite often clients ask me “Which API Security Tool should I buy?”, and as you might have guessed I answer “It depends”, then proceed to ask them a dozen questions. Recently I asked a colleague at Semgrep if they felt this process might be of value to my readers, and Chinmay said “Absolutely!” and here we are with a new blog post.
If you are in charge of securing the software at your organization it is likely you have quite a few APIs under your purview, and that you might feel overwhelmed with the huge list of products on the market right now. Since 2021, this market has exploded with several new API security tools. In this article I am going to stress that what matters most when selecting a tool is what you need from them. There are several different functionalities that might interest you, depending upon your AppSec program, how invested the developers are, your SDLC methodology (waterfall, agile, DevOps, something else), your development environment (and the level of freedom your developers have), and your percentage of new types of applications (API/micro service) versus older types (enterprise, monolith).
Note: I’m going to speak about tools that work with the OpenAI/Swagger protocol in this article. For those using SOAP, your toolset will be significantly more limited than this, and some of these tools will not work for you. I gently suggest that for all new APIs you develop going forward that you use OpenAPI, as you will have significantly more options.– Tanya
Common API Security Tooling Features:
- Inventory – Finding all of your live APIs is VERY VALUABLE. There’s huge potential for there to be one or more APIs that you might have missed, living on your network, unprotected. Sometimes they call this feature enumeration.Fuzzing or dynamic automated testing, made for APIs (not web apps). Interacting with your API, sending it requests, and looking for problematic responses.
- Web Application Firewall (WAF) for APIs, blocks malicious requests and responses.
- API Gateway (a must have if you are putting your API on the internet!) Performs authentication and authorization, throttling, resource quotas, and more. If you want to fight bots, this is your #1 defense.
- “Context” This is a new one that several vendors list as a feature, which means telling you more information about the API to help you prioritize what to fix, and what can be safely ignored. I’m not exactly sure how each of these work, but it’s a promise some of them make. You need to investigate exactly what this means before buying.
- Static analysis (you can use a normal automated SAST tool for everything but the OpenAPI/Swagger file to find vulnerabilities in written code). No need to get a special tool.
- API Linters help with code quality, but they can also be security-focused. Finding one that can open your OpenAPI file and find help you ensure your definition file (sometimes called a schema) can save you lots of bug-fixing time down the road.
- Regular (non-API-specific) automated dynamic testing tools (DAST) are not very good at scanning APIs, even if the vendors tell you they are good. Unless it is a web proxy, and it’s in the hands of a Penetration Tester, assume they are not worth your time. Get an API-specific dynamic testing tool instead, which can understand your API, rather than older tools that were made for web apps.
- Software composition analysis (SCA): APIs have dependencies too, but it’s the same as web apps, so use the same one you use for all your apps. No need to get a special tool.
I suggest an API gateway for every company, full stop. Ideally you are already doing SAST and SCA for your regular web apps with tools you already own/use, keep doing that for your APIs. For Dynamic scanners, you need an API specific one unless you want to spend many engineering hours making it work properly (time you could spend fixing bugs instead). There are also quite a few IDE plugins, but the key here is: which things are you concerned about? Go from there and you will find the right product. Most of these companies have 2-4 different functionalities. Figure out which one(s) you want, then do a proof of concept exercise (POC) with the finalists. After that, pick the winner!