API SECURITY TESTING

Pinpoint where API attacks really succeed… not just the areas that may be susceptible to attacks. Validate authentication, encryption, and access controls.

Understand the risk posed to you, and your customers, by the vulnerabilities present in the API/message layer and web UI level of your applications.

API SECURITY: A HYBRID APPROACH

Throughout the API penetration testing process, automated testing as well as comprehensive manual testing is used to identify existing vulnerabilities at the API / message layer of your applications. At MainNerve, all of our API security tests go beyond standards such as OWASP, and come with a detailed final report that includes an executive summary, a listing of risk ratings, remediation recommendations, and more.

IDENTIFY API VULNERABILITIES AND EXPOSURES

When it comes to API security testing, there are a number of things to consider. So here at MainNerve, we perform API security testing by analyzing both requests and responses. This is done in order to discover and fix security vulnerabilities earlier in the software development cycle. Whether you’re using REST, SOAP, or a mix of both, we’ve got your APIs covered. Further, a detailed analysis of JSON and XML is performed as part of our API security testing process.

Data Injection
Improper Authorization
Weak Authentication
Broken Authentication / Session Management
Input Validation
Output Encoding
Cryptography
Message Integrity
HTTP Return Code
Data Encryption

THE MAINNERVE PROCESS

Here at MainNerve, our API security testing process involves a comprehensive, risk-based approach to manually identify critical API vulnerabilities. Throughout the API security process, a number of professional tools will be utilized to perform an in-depth test. These tools include: BurpSuite, RestClient, SOAPUIPro, and more. Following the conclusion of the API penetration test, MainNerve will provide a detailed final report that details all findings associated with the test.

UNDERSTANDING THE APPLICATION

The first phase of the API penetration test is critical to the success of the test. It is very important that the team understands all of the features and functions of the application. The team does this by browsing through the application, going through the user manuals or, if required, a walkthrough of the application along with the application owner or developers. We work with you to ensure we are fully aware of its aims, functions, etc.

CREATING THE THREAT PROFILE/TEST PLAN

The threat profile comprises a list of potential threats against the application that we have identified. (For example, an online trading application threat profile might identify 20-40 threats.) The threat profile is the starting point for all subsequent tests. We share this with you, and ask for your feedback, to ensure that we have not overlooked anything, nor exaggerated a threat. From this point, the final threat profile drives the test plan. We map each threat in the threat profile to specific pages on your site. For example, the threat of an adversary viewing the portfolios of other users might be mapped to the “View Portfolio” page. The test plan then identifies all the attacks we need to carry out on those pages to assess that specific threat. For example, on the “View Portfolio” page, we might carry out a variable manipulation attack and a SQL injection attack to see if we can view the portfolios of other users.

MANUAL AND AUTOMATED TESTING

Once the test plan and test cases are prepared and approved by a senior member of the team, the API penetration testing begins. This comprises a combination of manual and automated checks that adhere to the test plan. During the course of testing, the security engineer may identify additional tests or attacks to perform, in which case the test case is updated and the additional tests are performed. The team takes up the threats one by one and performs the tests for each. If a test case is successful, it is marked as unsafe in the test plan.

REPORTING

At MainNerve, we consider the final phase of the API penetration testing process, reporting, to be the most crucial and instrumental step. Once the team is through with the API testing, the reporting process begins. The detailed report delineates each vulnerability discovered as well as the method of discovery. Potential solutions to each finding are also included. The report is made available to the client after it has been reviewed internally.
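The threat-profile-to-test-plan flow described above, reduced to a runnable sketch. This is an added example, not MainNerve's tooling: the "View Portfolio" threat and the variable manipulation attack come from the text, while the in-memory portfolio handler, the user names and the safe/unsafe marking function are assumptions, and the result dictionary is the kind of data the final report would be built from.

```python
"""Minimal threat-profile -> test-plan runner (added example, not MainNerve code).
The 'API' is a constructed in-memory handler so the check runs offline."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: each user owns exactly one portfolio.
PORTFOLIOS = {"alice": {"id": 1, "holdings": ["ACME"]},
              "bob": {"id": 2, "holdings": ["INIT"]}}
OWNER_OF = {1: "alice", 2: "bob"}

def view_portfolio_unsafe(session_user: str, portfolio_id: int) -> Optional[dict]:
    # Looks the object up by the client-supplied id only and never compares it
    # with the authenticated session: broken object-level authorization.
    return PORTFOLIOS.get(OWNER_OF.get(portfolio_id))

def view_portfolio_safe(session_user: str, portfolio_id: int) -> Optional[dict]:
    # Hardened form: the authenticated user must own the requested object.
    if OWNER_OF.get(portfolio_id) != session_user:
        return None  # would be a 403/404 over HTTP
    return PORTFOLIOS[session_user]

@dataclass
class TestCase:
    threat: str                         # entry from the threat profile
    page: str                           # page the threat is mapped to
    attack: str                         # attack used to assess the threat
    check: Callable[[Callable], bool]   # True when the attack succeeded
    result: str = "not run"

def variable_manipulation(handler: Callable) -> bool:
    # alice, authenticated as herself, swaps in bob's portfolio id.
    leaked = handler("alice", 2)
    return leaked is not None and leaked == PORTFOLIOS["bob"]

def run_plan(plan: list, handler: Callable) -> dict:
    # A successful test case is marked "unsafe", exactly as in the test plan.
    for tc in plan:
        tc.result = "unsafe" if tc.check(handler) else "safe"
    return {tc.attack: tc.result for tc in plan}

THREAT_PROFILE = [
    TestCase("Adversary views portfolios of other users", "View Portfolio",
             "variable manipulation", variable_manipulation),
]

if __name__ == "__main__":
    print(run_plan(THREAT_PROFILE, view_portfolio_unsafe))  # {'variable manipulation': 'unsafe'}
    print(run_plan(THREAT_PROFILE, view_portfolio_safe))    # {'variable manipulation': 'safe'}
```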

VALUE-ADDED SERVICES

Web App Penetration Testing

Web application penetration testing is designed to assess and test the state of your web-facing applications, and provide actionable remediation recommendations for enhancing your security. Ensure that your web applications are protected from malicious cyber threat actors. MainNerve web app pen tests are designed to review all types of web servers.

Compliance Solutions

MainNerve’s compliance solutions are designed to help address one of the biggest challenges for businesses: staying in alignment with the exhaustive list of Governance, Risk Management, and Compliance (GRC) requirements. From PCI DSS and HIPAA to CJIS and FINRA, MainNerve can help your business navigate the GRC landscape with specialized penetration tests.

Social Engineering

Social engineering, in the context of information security, is commonly defined as the use of persuasion and/or manipulation techniques to influence people into performing actions or divulging confidential information. Ensure that your business is secure by testing and evaluating your employees against general phishing and “spear-phishing” attacks.