Walkthrough of APIware’s Sapience API Security Validation Tool

Bill Doerrfeld
July 8, 2016

These days, APIs need to be strong. They need to be versatile to change, and must triumph in the face of malicious schemes hackers use to disrupt core systems. But how does a provider consistently maintain security across their API platform, and consistently check to see that security is maintained throughout continuous code deployments?

As cyberattacks and improper API usage infiltrate our digital fabric they expose vulnerabilities that could cause severe harm to a platform and its users. It’s the provider’s responsibility to protect their platform, but doing so often requires manual legwork and time-intensive auditing that some teams simply cannot afford. Also, as API lifecycles become more rapid and continuous by nature, security validation is not just a one-time check, it now requires a continuous, watchful eye.

Thus, tooling for API monitoring and automated testing has arisen to help API providers continuously check their systems. For this article we set our eyes on a new entrant, Sapience, an API monitoring SaaS by the APIware team that is unique in that it’s the first plug-and-play tool fully dedicated to auditing an API’s security.

Within this post we review the Sapience tool to see where it could fit into the API lifecycle; we’ll review an API definition to see what security features Sapience audits, what sort of grades we receive using a sample API definition, and view the type of insights a provider can retrieve from performing their own tests through Sapience.

Sapience is currently in a free closed beta, but they’ve shared some invite codes with Nordic APIs. If you’d like to gain access to follow along in this walkthrough, contact us for an invite code.

About Sapience

Sapience is a plug-and-play auditing tool that takes an API definition and returns grades for overall security effectiveness.
It behaves like a white hat hacker, throttling the API through hell and back to see what vulnerabilities are exposed. Testing for RESTful security best practices, Sapience tries sending all types of malformed requests, injects SQL into JSON, checks things like content type missing, remote file include, misused exception handling, parameter tampering, and more. At the end of a test you receive a security report on potential vulnerabilities and solutions on how to improve.

Built and maintained by the APIware API development consultancy co-founded by Kin Lane, it’s their first product release, so we’re excited to see what they came up with. We’ll now walk through each step of the process, from creating an account to retrieving analysis on individual API security pain points.

Creating an Account

The signup process is simple enough, with standard email, password, and phone number fields for account creation. This process will initiate an account and associated dashboard, from which users can manage their APIs through Sapience.

Creating an API Profile

Sapience is built to be easy for developers to import their API definitions. It smartly uses API Transformer to enable support for all API definition languages — regardless of whether your API is structured as Swagger 2.0 YAML, API Blueprint, or even WADL, you’re covered.

You can code a definition manually, but most likely you’ll want to import an existing definition. Users do so by either specifying a URL location for the API definition, or by manually uploading a file. For this example we’ve imported the Swagger Petstore API definition.

When your definition is imported, it is parsed, and the API title, description, host endpoint URL and base path are pre-populated. At this point, you simply review and correct if needed, and you edit your resources to ensure the audit pairs each parameter with the right method (GET, POST, PUT, etc).
To make authenticated requests to the API with OAuth2, an access_token will be required. The last step in this process is verifying that you are in fact the API owner, which can be done by adding a DNS record or requesting a manual check.

Running a Test

After ownership is confirmed, tests can be run. When a scan is initiated, many requests are sent to the API on file to test vulnerabilities like SQL injection, server side code injection, parameter tampering, buffer overflow, format string errors, and more; the number of requests depends on the number of API resources and methods. Sapience iteratively scans each resource. Running a test only takes a few minutes, and progress bars guide the way through each step. For the Petstore API the scanner will send about 5,000 requests.

Getting the Results

The results are in! Sapience generates nicely designed reports for each security scan with links to information on specific findings. Your API dashboard will now look something like this after a scan:

(Screenshot: User’s Sapience API profile dashboard)

For this particular API, we can see that Sapience has found 40 potential issues across 18 resources. For all affected resources, each scan report describes the issue, lists a risk factor determined by the vulnerability magnitude (high, medium, low), the confidence in that assumption, and describes a solution for how to mitigate each security issue — whether it be reviewing the source code, implementing custom error pages, hardening your HTTP response headers with web browser XSS protection, or other solutions. Lastly, the report includes external references for additional related security information.

Acting on Your Findings

With Sapience, providers can consistently monitor and scan their API definitions throughout their continuous build cycles so that new revisions to their platform are consistently put through the same rigorous security verification checks.
To do this you can schedule scans to run automatically in the background every day or week at specific times.

(Screenshot: You can monitor historical vulnerability risks over time)

If your API passes the Sapience security test, the idea is that you will be given a seal to include on your API developer center. Third party badges like TRUSTe or Norton Secured — also called “trust seals” — are very common for brands throughout the web. A seal of approval similar to an SSL certificate but made specifically for API security validation is an intriguing offering as it could establish more credibility for the API provider. Trust seal icons link developer portal visitors to a Sapience page to confirm that the security scan passed. Learn more about the Sapience API Secure seal here.

Where Sapience Fits into the API Space

Whereas complete API management solutions or gateways may have usage analytics or security audits similar to some of these features, Sapience is beautiful in its refined focus. API monitoring solutions have existed for some time but they have focused more on behavioral monitoring. Until now, the API space has been lacking an auditing tool that specifically addresses security, let alone a badge accepted by the community to verify said API security.

Sapience co-founder Alexander Menzheres mentioned that throughout their talks with clients, he’s learned that the majority of API providers still don’t have a dedicated security specialist on their team. Given the high threat of cyberattacks, and the number of ways a public API can be manipulated, security is a mounting issue that deserves a renewed focus, even if it means outsourcing certain components to specialists.

Continuous Integration

Of course, there is a business objective behind the currently free-to-use beta Sapience tool.
Plans will offer more comprehensive subscriptions, more auditing capabilities, hands-on assistance, as well as the ability to schedule recurring tests — a benefit for perpetually testing production endpoints as well as live releases. According to Menzheres:

“Strong security is not something you can achieve at once. With continuous development, you need to continuously check for security vulnerabilities. Sapience can thus be used on a daily basis by API Providers to automate their security monitoring process. It can be integrated via webhooks into Jenkins, Github or Jira — and security becomes embedded into the design versus being an afterthought.”

Keep in mind Sapience as a tool isn’t to be confused with any sort of real security mechanism itself — automated testing can only go so far, and manual testing is at times necessary. For Sapience, Menzheres envisions that the business could be extended as more of a consultancy, where security experts work performing manual tests against the API for a certain number of hours per month.

Areas for Improvement

As security is a make or break when it comes to providing a public API, this free initial check could open the eyes of a provider to some drastic faults in their service. Though many features are represented, there are additional REST security practices that are still left out at the moment. Sapience lacks the feature set to audit how delegation of identity is processed throughout enterprise applications — commonly known as Single Sign On (SSO).

Upon examining the Sapience feature set, Identity Specialist Jacob Ideskog noted that an area for improvement in further iterations could be incorporating an OAuth Code flow, where the test server obtains an OAuth access token, and uses that to fire requests against protected APIs:

“This would require the API owner to also be able to issue client credentials for the Sapience system in order to operate, which isn’t always possible.
However if it were, the next step in security testing would also be to see how the API behaves with expired tokens, with tokens that don’t contain the correct scopes, or that aren’t placed in the correct header. It would also be interesting to test if the API can throttle based on the information in the token, such as the client ID (not always present) or the subject (the user),” said Ideskog.

Testing an API with those things in mind is of course a lot more complex and requires integrations with more systems, but if done correctly would provide an extremely useful tool. Menzheres acknowledges that widening Sapience’s security checklist feature set will be an ongoing process: “The current beta version focuses more on various injections, input misinterpretation, server and application weaknesses, but we’ll add tests for authentication/authorization as well soon.”

Additionally, as creating a DNS record to prove API ownership may be cumbersome for some providers — especially those at large companies — the Sapience team are looking into other methods for authenticating API ownership.

Analysis

Though their current pricing model may be a bit steep for some, Sapience appears to be a smart arsenal of checkups for an API. Triggering a security scan as part of your continuous integration process seems like an obvious use case scenario for improving the API lifecycle. A seal of approval could also be an alluring benchmark for internal quality assurance teams and engineers who need to somehow demonstrate to upper management that they’ve created a secure API.

Sapience, an Old French word derived from the Latin root sapientia, equates to “good taste, good sense, intelligence, or wisdom”. The hidden ‘API’ within a word that resembles “science” makes for a nice double entendre, befitting the tool itself. Though English nerds approve, the real test will be in its application. Will the Sapience seal of security catch on?
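The token-handling checks Ideskog lists under Areas for Improvement (expired tokens, missing scopes, a token outside the Authorization header, throttling on the token subject) can be written as a negative-test suite that a provider runs against its own authorization layer. This is an added example, not code from the original article or from Sapience; the toy token format, the `authorize` function, the `pets:*` scope names and the request budget of 3 are assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # constructed secret, for this example only
LIMIT = 3                       # assumed per-subject request budget

def make_token(claims, key=KEY):
    """Toy signed token: base64url(JSON claims) + '.' + HMAC-SHA256 hex digest."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def authorize(headers, required_scope, now, usage):
    """Return the HTTP status a protected resource should answer with."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401                      # token missing or not in the Authorization header
    body, _, sig = token.partition(".")
    good_sig = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), good_sig.encode()):
        return 401                      # forged or corrupted token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) <= now:
        return 401                      # expired token
    if required_scope not in claims.get("scope", "").split():
        return 403                      # authenticated, but the scope is insufficient
    usage[claims["sub"]] = usage.get(claims["sub"], 0) + 1
    return 429 if usage[claims["sub"]] > LIMIT else 200   # throttle on the token subject

def run_suite(now=1_700_000_000):
    """Send one request per token-handling case and collect the status codes."""
    base = {"sub": "alice", "client_id": "app1",
            "scope": "pets:read pets:write", "exp": now + 300}
    valid = make_token(base)
    cases = {
        "valid": {"Authorization": "Bearer " + valid},
        "expired": {"Authorization": "Bearer " + make_token({**base, "exp": now - 1})},
        "missing_scope": {"Authorization": "Bearer " + make_token({**base, "scope": "pets:read"})},
        "forged": {"Authorization": "Bearer " + make_token(base, key=b"other-key")},
        "wrong_header": {"X-Access-Token": valid},
        "wrong_scheme": {"Authorization": "Basic " + valid},
    }
    usage = {}
    results = {name: authorize(h, "pets:write", now, usage) for name, h in cases.items()}
    # Repeat the valid request until the per-subject budget is exceeded.
    burst = [authorize(cases["valid"], "pets:write", now, usage) for _ in range(LIMIT)]
    results["throttled"] = burst[-1]
    return results

if __name__ == "__main__":
    for name, status in run_suite().items():
        print(f"{name:14} -> {status}")
```

Only the valid request is answered with 200; an API that returns 200 for any of the other cases has a token-handling gap that an injection-focused scan would not surface.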
Contact us to try it out, and let us know what you think of it below!

[Disclaimer: This post was not sponsored by Sapience, nor does Nordic APIs endorse or claim any affiliation with Sapience or APIware.]