Use the Postman and APIsec EthicalCheck Integration for Better Security Practices
This is a guest post written by Intesar Shannan Mohammed, founder and CTO at APIsec.
EthicalCheck from APIsec is a free and instant API penetration testing service. It is offered as self-service, fully automated, and requires no signup. And, it’s user-friendly with an intuitive web UI, an API, and a GitHub action to integrate API security testing in dev workflows. One way we can simplify the API security test journey is by leveraging Postman to make it easier to test your API elements that are built and managed in the Postman API Platform.
Historically, security testing was an afterthought, and most organizations opted for bi-annual and semi-automated penetration testing. As dev teams push new releases out faster, the legacy security testing model falls short of delivering secure APIs before reaching production. Dev teams need to radically change how they build and release APIs, which means they need to include continuous and automated security testing workflows into their DevOps practices. APIsec introduced EthicalCheck to help developers work toward these better practices.
Postman and EthicalCheck integration
Most organizations use Postman to build APIs and create collections to document and write tests for their APIs. As the shift-left mentality grows, dev teams increasingly want to run security scans of their API elements managed in Postman before deployment. EthicalCheck addresses this by allowing users to take a Postman Collection and run it against hundreds of API security tests across the OWASP API security list. These tests cover modern attack types like authentication, authorization, access-control, OAuth 2.0, JWT, and more. This approach saves developers time and resources and instantly enables security testing as they build and change APIs in Postman.
How to get started
Here’s how you can leverage this new integration today:
1. Go to the EthicalCheck web UI here.
2. Submit your Postman Collection in the fields provided on the EthicalCheck home page.
You can submit your Postman Collection’s public URL or upload a private collection. In addition to Postman Collections, EthicalCheck supports the OpenAPI specification as a starting point for automated API security testing.
If you want to try this out using a sample Postman Collection, check out APIsec’s sample Netbanking API. This API is a banking API that has features like accounts, transactions, and more. It has many known security vulnerabilities across authentication, authorization, and logic flaws.
3. Do security testing with reporting.
Once a Postman Collection is successfully submitted, the EthicalCheck will first introspect the Postman Collection file. It then creates a map of API endpoints and automatically writes hundreds of security tests covering the OWASP API list. After running the tests, EthicalCheck generates an API penetration test report and emails it to you.
4. Identify and resolve vulnerabilities.
Every vulnerability report includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities. Vulnerabilities are automatically triaged for you, which means every vulnerability will have a severity, CVSS score, endpoint information, OWASP tag, etc. This saves you time and resources. You can identify, fix, and retest the security bug in the code.Be sure to use the Postman API-first workflow where revisions made to code can be reflected in the imported API specification (via Git integration). That, in turn, will allow you to get notifications of changes on synced collections. You can review differences and update the Collection with a few clicks, quickly getting you back to the testing stage, where you can retest with EthicalCheck. Simply repeat until all vulnerabilities are resolved.
Note: As an alternative, you can also get started with APIsec’s GitHub Action here.