API Interfaces
APIs are frequently used to query sensitive data or start processes and need to be secured against attackers.
During this assessment, our ethical hackers examine your API for vulnerabilities and misconfigurations.
The test can be conducted on premises or remotely.
Exemplary test objects:
REST APIs: we import your Postman or Swagger (OpenAPI) collections to collect the typical API requests and then test them for vulnerabilities.
SOAP APIs: we import your WSDL data model and then conduct a vulnerability assessment.
The research company Gartner predicts that by 2022 API abuses will be the most frequent attack vector against enterprise web applications. ¹
An average company manages around 360 APIs, which makes API security a significant part of the overall risk. ²
Modern applications are growing more complex and are extended with a wide variety of API interfaces to retrieve or generate data and content from anywhere at any time. APIs are therefore a critical component of modern mobile, SaaS, and web applications and are found in fields as varied as banking, retail, and the Internet of Things (IoT). Consistent application security matters more and more because APIs are frequent targets of attacks, typically attempts to steal sensitive data such as passwords or personal data.
When you order an API penetration test, we subject the API interfaces defined with you in the project scope (e.g. SOAP or REST) to a comprehensive security analysis at network and application level. Using the
Our network-level tests comprise an automated vulnerability scan and a manual analysis of all network services exposed by the API from the perspective of an external attacker (black-box). The application-level tests follow a semi-manual approach and are performed both without credentials (black-box) and with valid user credentials (grey-box).
Black-box: testing as an external attacker without additional information
Grey-box: testing with valid credentials
White-box: testing with valid credentials and access to the source code
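As an added example (it is not code from this page or from the provider's tooling), the following Python script shows the kind of check behind the "Swagger collection in, vulnerabilities out" step and the with/without-credentials approach described above: it enumerates every operation in an OpenAPI document together with the authentication the document declares for it, sends each operation once anonymously and once with a valid token, and flags operations that accept the anonymous request although the specification requires authentication. The OpenAPI document, the in-process target (which contains one deliberate defect) and the token value are constructed for the example; the urllib_backend helper is a hypothetical adapter showing how a real target would be attached.

```python
"""Enumerate an OpenAPI document and check that each operation enforces the
authentication it declares, by comparing anonymous and authenticated requests."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed OpenAPI 3 document standing in for a customer's Swagger export.
# Only the parts the checker reads are present.
OPENAPI_JSON = json.dumps({
    "openapi": "3.0.0",
    "security": [{"bearerAuth": []}],             # global default: token required
    "paths": {
        "/health":       {"get": {"security": []}},  # explicitly public
        "/users/{id}":   {"get": {}, "delete": {}},  # inherit the global requirement
        "/admin/report": {"get": {}},                # inherit the global requirement
    },
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"}}},
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
Operation = Tuple[str, str, bool]          # (METHOD, path template, requires_auth)
Response = Tuple[int, str]                 # (status code, body)
Backend = Callable[[str, str, Dict[str, str]], Response]


def enumerate_operations(spec_json: str) -> List[Operation]:
    """Flatten an OpenAPI document into (method, path, requires_auth) triples.
    An operation-level 'security' key overrides the global one; an empty list
    means the operation is public."""
    spec = json.loads(spec_json)
    global_security = spec.get("security", [])
    ops: List[Operation] = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue                  # skip 'parameters', 'summary', ...
            security = op.get("security", global_security)
            ops.append((method.upper(), path, bool(security)))
    return sorted(ops)


def fill_path_params(path_template: str) -> str:
    """Replace {param} placeholders with a benign sample value so the request
    reaches the handler instead of producing a routing 404."""
    return re.sub(r"\{[^}]+\}", "1", path_template)


def fake_backend(method: str, path: str, headers: Dict[str, str]) -> Response:
    """Constructed in-process target so the example runs offline. It has one
    deliberate defect: GET /admin/report never checks the Authorization header."""
    authed = headers.get("Authorization") == "Bearer valid-token"
    if path == "/health":
        return 200, "ok"
    if path == "/admin/report":
        return 200, "quarterly report"          # defect: missing auth check
    if path.startswith("/users/"):
        if not authed:
            return 401, "unauthorized"
        return 200, ("user" if method == "GET" else "deleted")
    return 404, "not found"


def urllib_backend(base_url: str) -> Backend:
    """Adapter for a real target (hypothetical usage; not exercised here)."""
    def send(method: str, path: str, headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(base_url + path, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode(errors="replace")
    return send


def check_auth_enforcement(spec_json: str, backend: Backend, token: str) -> List[Dict[str, str]]:
    """Send every operation once without and once with credentials and compare
    the outcome with what the specification promises."""
    findings: List[Dict[str, str]] = []
    for method, path, requires_auth in enumerate_operations(spec_json):
        url = fill_path_params(path)
        status_anon, _ = backend(method, url, {})
        status_auth, _ = backend(method, url, {"Authorization": f"Bearer {token}"})
        op = f"{method} {path}"
        if not requires_auth:
            findings.append({"op": op, "severity": "INFO",
                             "detail": "declared public in the spec; confirm this is intended"})
        elif status_anon not in (401, 403):
            findings.append({"op": op, "severity": "HIGH",
                             "detail": f"spec requires auth but anonymous request got {status_anon}"})
        elif status_auth in (401, 403):
            findings.append({"op": op, "severity": "NOTE",
                             "detail": "credentials rejected; authenticated tests not possible"})
    return findings


if __name__ == "__main__":
    for f in check_auth_enforcement(OPENAPI_JSON, fake_backend, "valid-token"):
        print(f"{f['severity']:<5} {f['op']:<22} {f['detail']}")
```

Against the constructed target the script reports GET /admin/report as HIGH (the spec requires a token, the server serves the report without one) and lists GET /health as INFO for review; the two /users operations pass because they answer 401 anonymously and 200 with the token. For a real engagement the same loop runs over a Swagger export with urllib_backend("https://api.example.test"), which is why the checker takes the backend as a parameter.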