New NowSecure API Security Testing Reduces Mobile App Risk
Posted by Brian Reed
NowSecure recently added API Security Testing to its portfolio of automated mobile application security testing solutions. Based on the OWASP API Security Top 10, the new capabilities enable app development and security teams to dynamically discover API risks and vulnerabilities and address them quickly before software release.
APIs are critical to modern app architectures, yet can present significant risk. Application developers rely on APIs to connect mobile apps to back-end resources and provide functionality to complete key tasks. But if not properly architected, secured and tested, both official APIs and unapproved shadow APIs leave an organization vulnerable to attacks.
A typical mobile app leverages between 5 – 10 distinct back-end API services ranging from crash and performance analytics, monetization and cloud to traditional browser web APIs. Security teams often lack automated tools to discover and understand the breadth of mobile app APIs. As a result, mobile API observability presents a critical gap.
“Attackers routinely collect reconnaissance information to fingerprint back-end servers by observing authentication credentials such as JWT, Basic Authorization and by understanding the types of APIs being used in an application such as REST or modern GraphQL interfaces,” says NowSecure Chief Technology Officer David Weinstein. “NowSecure Mobile API Security testing enables our customers to better address the full breadth of the mobile application attack surface starting with the mobile application itself through to and including the security posture of internally coded back-end APIs, third-party API service providers and software development kits (SDKs) back-end services.”
NowSecure announced the availability of NowSecure API Security Testing at the virtual DevOps World by CloudBees 2020 conference. “Over the past decade we have evolved our security testing capabilities to meet the needs of changing mobile architectures, mobile operating systems and industry tool preferences,” said NowSecure CEO Alan Snyder. “Adding API Security Testing and aligning with industry standards such as OWASP makes it easy for our customers to protect their mobile apps and connected APIs and ensure that there is an objective measure of acceptable risk.”
NowSecure API Security Testing taps the NowSecure advanced dynamic test engine to discover and generate a list of all mobile-connected APIs; warn of any mobile-connected APIs that may violate OWASP API Top 10 and recommend further action; and help users identify unapproved “shadow APIs” that put their organizations at risk.
NowSecure API Security Testing is available across the NowSecure suite of mobile app security and mobile risk management solutions including NowSecure Platform for fully automated Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Interactive Application Security Testing (IAST) and NowSecure Workstation for analyst-driven testing.
To see the power of API Security Testing in NowSecure Platform and NowSecure Workstation, reach out for a demo today.