How penetration testing bolsters API security

Last year, Gartner predicted that API attacks would become the most-frequent attack vector in 2022. While it remains unclear whether this is the case, when considering that the exploitation of Twitter’s API vulnerability exposed the data of 5.4 million users, it’s clear they’re devastatingly effective. 

In an attempt to help security teams address these threats, today, cybersecurity startup Wib announced the launch of what it claims is the industry’s first API PenTesting-as-a-service (PTaaS), which is designed to test for application security, API, and business logic vulnerabilities. 

Wib recently announced raising $16 million in funding and enables users to generate a complete inventory of APIs, generate documentation, and enhance visibility over the attack surface. 

In this instance, penetration testing provides security teams with a more accurate view of their organization’s API security posture so they can identify and mitigate potential entry points before cybercriminals can exploit them. 

Playing catchup with API security 

The announcement comes as attacks on APIs continue to increase, with research showing that 94% of organizations have experienced security problems in production APIs. 

To make matters worse, many security teams are in the dark about how to respond to these threats, with 61% lacking any API security strategy or having only a basic plan. 

The truth is that many organizations are playing catchup with API security after embracing cloud computing and microservices. 

“Most of these blind spots are exposed as firms embrace an API-first methodology and shift to a microservice-based architecture, which changes their attack surfaces, but their defenses weren’t designed for this structure and have not yet evolved to cover it,” said Chuck Herrin, CTO of Wib. “Adoption always outpaces security, and this time is no different. What is different this time is that API traffic is already 91% of web traffic, while most defenders are blind to APIs as an attack vector,” Herrin said. 

By offering a purpose-built penetration testing service, Wib provides organizations with access to the expertise and technologies they need to detect API-level threats. 

After each test, security teams receive a full assessment report of identified vulnerabilities alongside a risk severity score based on NIST’s cyber matrix calculator and a remediation road map plan with recommendations on how to mitigate vulnerabilities. 

Reviewing the API security market 

Wib is just one of many providers in the global API security market, which researchers valued at $783.9 million in 2021 and anticipate will reach a value of $984.1 million in 2022. 

The organization is competing against a range of competitors in the market including Salt Security, which raised $140 million in series D funding earlier this year, and offers an artificial intelligence (AI) and machine learning (ML)-driven platform for inventorying APIs and exposed data with OAS analysis capabilities. 

Another significant competitor is NoName Security, an API security platform that identifies vulnerabilities and misconfigurations while providing security teams with automated detection and response capabilities. NoName Security most recently raised $135 million as part of a series C funding round in December 2021. 

However, Herrin argues that WIB’s versatile penetration testing approach and lack of reliance on API traffic to spot threats is what differentiates it from these existing tools. 

“Both of these “unicorns” focus on a production traffic-based view, which is a useful lens, but is insufficient to find blind spots like zombie APIs (APIs exposed but with no normal traffic) or APIS that don’t communicate across expected traffic paths,” Herrin said.