
10 API security testing tools to mitigate risk

Securing APIs properly requires testing throughout their design lifecycle. Explore the leading tools that enable automated, continuous API security testing.

Application programming interfaces are at the core of modern application architecture. Because of their importance and their ability to provide access to data and resources, however, they are often the targets of attackers.

To prevent API vulnerabilities and weaknesses, security testing is critical. API security testing verifies not only that an API works as designed, but also that it can do only what it is intended to do: functional tests confirm that valid requests succeed, while security tests confirm that unauthenticated, unauthorized, malformed or out-of-scope requests are rejected and that responses expose no more data than the API contract allows.
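The following script is an added example, not code from the article or from any of the products below. It starts a constructed, in-process toy API (Python standard library only, listening on a loopback port) and runs the negative checks that distinguish security testing from functional testing: an anonymous request must get 401, a valid token presented against another user's object must get 403 (the object-level authorization check often missed by positive-only test suites), a malformed identifier must be handled cleanly, and the successful response must match the contract exactly, so an extra field such as a password hash would fail the test. The users, tokens, routes and field names are all hypothetical.

```python
"""Negative-path API security checks against a constructed toy API (stdlib only)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# Constructed sample data: two users with one bearer token each (hypothetical).
USERS = {
    "alice": {"id": 1, "token": "tok-alice", "email": "alice@example.test"},
    "bob": {"id": 2, "token": "tok-bob", "email": "bob@example.test"},
}
TOKENS = {u["token"]: u for u in USERS.values()}


class ToyAPI(BaseHTTPRequestHandler):
    """GET /users/<id> returns the caller's own record and nothing else."""

    def log_message(self, *args):  # keep the console quiet during test runs
        pass

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = auth[7:] if auth.startswith("Bearer ") else ""
        caller = TOKENS.get(token)
        if caller is None:
            return self._send(401, {"error": "unauthenticated"})
        parts = self.path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "users" or not parts[1].isdigit():
            return self._send(404, {"error": "not found"})
        if int(parts[1]) != caller["id"]:  # object-level authorization
            return self._send(403, {"error": "forbidden"})
        return self._send(200, {"id": caller["id"], "email": caller["email"]})


def call(base, path, token=None):
    """Issue a GET and return (status, parsed JSON); HTTP errors are returned, not raised."""
    req = request.Request(base + path)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except error.HTTPError as e:
        return e.code, json.loads(e.read())


# Response contract: exactly these fields with these types (hypothetical schema).
USER_SCHEMA = {"id": int, "email": str}


def check_schema(body, schema):
    """Fail on missing fields, wrong types and, importantly, any extra field (data over-exposure)."""
    return set(body) == set(schema) and all(isinstance(body[k], t) for k, t in schema.items())


def run_security_tests(base):
    """Return {check_name: passed}; every check here should pass against the toy API."""
    results = {}
    status, body = call(base, "/users/1", "tok-alice")          # positive path + contract
    results["owner_can_read_self"] = status == 200 and check_schema(body, USER_SCHEMA)
    status, _ = call(base, "/users/1")                          # no credentials
    results["anonymous_rejected"] = status == 401
    status, _ = call(base, "/users/1", "tok-bob")               # someone else's object
    results["cross_user_rejected"] = status == 403
    status, _ = call(base, "/users/abc", "tok-alice")           # malformed identifier
    results["malformed_id_handled"] = status == 404
    return results


def serve():
    """Start the toy API on an ephemeral loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), ToyAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    server, base_url = serve()
    for name, ok in run_security_tests(base_url).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")  # all four checks pass
    server.shutdown()
```

The same four checks translate directly into any of the tools below (chained requests plus assertions on status codes and response shape); the point is that the negative cases have to be written deliberately, because a recorded or spec-generated suite only exercises the happy path.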

A variety of API security testing tools are available. The tools below are listed alphabetically rather than ranked, as different use cases will call for different features. A particular tool might be the best choice for one organization but not another, depending on their respective needs. Most of these API security testing tools offer free versions or free trial periods, but enterprise users will likely require paid options or licenses. That said, it is worthwhile to test any tool before committing to it to see how it works for developers and security teams on the ground.

Regardless of which API security testing tools companies choose, the lifecycle of an API involves many different teams and naturally sees rapid iteration. It is important, therefore, to establish who has overall responsibility for testing and maintaining API security on an ongoing basis.

Apache JMeter

Apache JMeter is a free, open source Java application originally designed as a web application load tester. Its capabilities have since expanded to functional testing and performance measurement of static and dynamic resources, and it runs on Windows, Linux or macOS.

Apache JMeter does not require programming skills. It can handle many different types of applications, servers and protocols, and it supports request chaining. Tests can use CSV files to generate heavy loads of realistic traffic that put APIs under pressure. An integration between JMeter and Jenkins enables admins to build API testing into CI/CD pipelines and to use JMeter for API monitoring.

Apigee

Aimed at enterprises building large and complex projects, Apigee -- part of Google Cloud -- supports the designing, building, testing, deployment and monitoring of APIs by enabling developers to track traffic, error rates and response times. Users expose their APIs on Apigee via API proxies, which act as managed facades for back-end services. These proxies decouple the app-facing APIs from back-end services so the apps can keep calling the APIs without interruption, despite any code changes on the back end.

Apigee customers can choose from SaaS and hybrid options. In the hosted SaaS version, Apigee maintains the environment. The hybrid version consists of a management plane running in Apigee's cloud, plus a runtime plane installed on premises or in a cloud provider. The hybrid model confines API traffic and data to the enterprise, but it may require significant configuration and customization.

The three main packages are Standard, Enterprise and Enterprise Plus, none of which limit the number of individual APIs or users. Higher tiers, however, offer larger numbers of API calls, topping out at 12 billion calls per year. Apigee's prices are available on request.

Assertible

Assertible provides simple and powerful API testing and monitoring with turnkey assertions, including JSON schema validation and JSONPath data integrity checks. It integrates with common development and communications tools, including GitHub, Slack, PagerDuty and Zapier, as well as CI/CD services and platforms. It is possible to chain multiple HTTP requests together to test more complicated scenarios via setup steps, which enable test variables to be captured from an HTTP request.

While keeping tests up to date is usually time-consuming, Assertible can automatically sync any changes in API specifications -- such as updates to responses, parameters and headers -- to API tests. Developers therefore no longer have to manually update their tests after adding new parameters or changing the response of an API. An encrypted variables feature stores tokens, passwords and other sensitive values used by API tests in encrypted form rather than in plaintext test definitions.

Customers can choose from four packages, the first being a free personal plan. Paid plans range from $25 to $100 per month and offer tiered increases in the number of tests, test frequency and team members supported.

Insomnia

Insomnia, part of Kong, is an open source API client for creating, organizing, sharing and executing REST, Simple Object Access Protocol (SOAP), GraphQL and gRPC requests from a Mac, Linux or Windows desktop application. It includes a built-in specification editor that lets users instantly preview changes without switching apps or views, and it can generate code for more than 12 different languages.

Insomnia lets users define environment variables for reuse across requests, scoped either globally or to a specific public or private environment. Users can create customized API test flows, including chained requests, with Insomnia's test suite scripts. Insomnia's code editor is relatively simple, but it does require some coding skills. Inso, the app's command-line interface, lets users integrate automated Insomnia API tests into their CI/CD pipelines via GitHub, GitLab or Bitbucket.

There is a free license for single users. The addition of end-to-end encryption (E2EE) functionality costs $50 per user per year. The Team version is $120 per user per year and includes E2EE, user management capabilities and priority support.

Karate

Karate is an open source framework that combines automated API testing, performance testing and mocking. While it is implemented in Java, it doesn't require users to have advanced programming skills. Karate uses a behavior-driven development approach and Gherkin syntax (Given-When-Then) for writing test scripts. Test definitions can also serve as the functional documentation for the API itself. Karate can be integrated with CI/CD tools.

JSON and XML assertions are built in, and tests can run in parallel for improved performance and speed. Admins can test end-user workflows using API call sequences. Additionally, tests can double as performance tests with the addition of Gatling, which verifies if server responses are as expected under load. API test scripts can also be used to automate UI testing, and the Karate debugger can step backward and replay a step during editing. Karate has extensive documentation, a wide range of test examples and an active user community.

Katalon Studio

Katalon Studio is a popular test automation tool for APIs, as well as web, mobile and desktop applications. It runs on Windows, Linux and macOS. Katalon Studio supports SOAP and REST requests and provides multiple parameterization features and commands, with support for multiple data sources for data-driven testing.

Test scripts are written in the Apache Groovy language, but a dual-editor interface lets users switch between script and manual editing modes. The manual mode enables those with limited programming skills to generate tests via a drag-and-drop interface. Katalon Studio also has a Quick Start Wizard and a record and playback tool. Users can also chain tests.

Katalon Studio is free, as are many of its plugins. The Enterprise version is $839 per license per year and includes extended features, private plugins and help desk support. The Runtime Engine add-on, priced at $599 per license per year, enables CI/CD integration and lets users schedule and run tests in parallel.

Postman

Postman is a widely used platform for building and testing APIs that reports having over 17 million users across 500,000 organizations. Originally a Chrome plugin, it's now available as a SaaS platform or a desktop app, compatible with Windows, Linux and macOS.

In Postman collections, teams can organize, group, reuse and share API requests and examples, which enables collaboration, automated testing and request chaining. By attaching monitors to collections, users can schedule automated API tests to run as frequently as every five minutes, flagging potential problems via alerts.

Postman offers a number of video tutorials and solid documentation. It also has particularly strong community support, with many users publishing APIs, collections and workspaces to help others with training and development.

Four different plans are available, starting with a free version for up to three users and a basic version for $12 per user per month. Professional- and enterprise-level paid versions -- $29 and $99 per user per month, respectively -- include private workspaces where users can store API artifacts and fellow team members can access them, as well as mocking capabilities, identity and access management, and enhanced reporting and analytics.

Sauce Labs API Testing and Monitoring

Sauce Labs API Testing and Monitoring, formerly API Fortress, is a comprehensive platform for web services and REST API testing, monitoring, error reporting and debugging. Built from the ground up for compressed DevTest workflows, Sauce Labs API Testing and Monitoring enables admins to auto-generate tests from payloads or specification files, and then edit them in either an integrated development environment or a simple drag-and-drop test composer. Functional tests can be reused in the test composer to efficiently create dynamic, data-driven and end-to-end API flow tests, with many options to increase observability and validate real-world scenarios.

Users also have the option to reuse API tests as monitors, which they can deploy in any environment, including production, through integration with a CI/CD pipeline or Sauce's onboard auto-scheduler. Running in the background, the functional monitors can provide alerts and detailed reporting to help accelerate debugging. By unifying all API tests and monitors on a centralized platform, management has a single view of API health, along with visibility into ongoing testing.

Sauce Labs has said it will soon roll out contract testing, load performance testing and mocking capabilities on the platform in a beta release. Users will be able to build API mocks manually, or the software can auto-generate them from recorded traffic.

Plan costs depend on total monthly test executions. The first 15,000 test executions per month are free. Paid plans raise the monthly quota of testing and monitoring executions and include enterprise tiers with custom services and support.

SoapUI and ReadyAPI

SoapUI, first released in 2006 and now maintained by SmartBear Software, was one of the earliest open source SOAP and REST API testing tools. It is available as a desktop app for Windows, Linux and macOS. The self-described "Swiss-Army knife of automated functional and regression testing," SoapUI enables users to create and run functional tests, from simple to complex, with straightforward drag-and-drop actions. The generated scripts can be reused and support request chaining.

A paid pro version called ReadyAPI offers additional features, such as data-driven performance testing, service virtualization, mocking and CI/CD pipeline integration, with support for GraphQL, JMS and JDBC. It comes in three separately priced modules: API Test Module for $759 per license per year; API Performance Module for $5,639 per license per year; and API Virtualization Module for $1,060 per license per year. Customers also have the option of purchasing all three modules as a bundle for a reduced customized cost.

Swagger

Swagger, maintained by SmartBear, is an easy-to-use suite of open source tools for designing, building, testing and documenting APIs. The Swagger Specification, the basis for the suite of tools, became the OpenAPI Specification in 2016.

The suite includes Swagger Editor, which visualizes an API specification and allows real-time user interaction and feedback. Swagger Codegen generates server stubs in more than 20 different languages and client SDKs in over 40 different languages so end developers can easily integrate with live APIs. Swagger UI enables anyone to visualize and interact with an API's resources without having access to its implementation logic. Other tools in the suite allow mock responses for unimplemented methods and publication of an entire API project to any Node.js platform.
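Because an OpenAPI document is the input to the code generation and UI tools above, it is also a convenient place to catch security gaps before any test is generated. The following is an added example, not part of the Swagger tool suite: a standard-library Python linter over an OpenAPI 3 document (here a constructed, hypothetical spec in the form `json.load` would return it) that flags operations with no effective security requirement, including the operation-level `security: []` override that silently disables authentication for one method, references to security schemes that are never defined, and string parameters with no length, pattern or enum bound. The paths, schemes and rule names are all hypothetical.

```python
"""Lint an OpenAPI 3 document for common security gaps (stdlib only)."""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec (hypothetical), as json.load would return it.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0.0"},
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],          # document-wide default: bearer token required
    "paths": {
        "/orders/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
            "get": {"responses": {"200": {"description": "ok"}}},
            "delete": {"security": [], "responses": {"204": {"description": "deleted"}}},
        },
        "/admin/export": {
            "get": {"security": [{"apiKey": []}], "responses": {"200": {"description": "ok"}}},
        },
        "/search": {
            "get": {
                "parameters": [{"name": "q", "in": "query",
                                "schema": {"type": "string", "maxLength": 200, "pattern": r"^[\w ]*$"}}],
                "responses": {"200": {"description": "ok"}},
            },
        },
    },
}


def effective_security(spec, op):
    """Operation-level 'security' overrides the document default; an explicit [] disables auth."""
    return op["security"] if "security" in op else spec.get("security", [])


def lint_openapi(spec):
    """Return a list of (METHOD, path, message) findings."""
    findings = []
    schemes = spec.get("components", {}).get("securitySchemes", {})
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])          # apply to every method on the path
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            verb = method.upper()
            sec = effective_security(spec, op)
            if not sec:
                findings.append((verb, path, "no authentication requirement"))
            for requirement in sec:
                for name in requirement:
                    if name not in schemes:
                        findings.append((verb, path, f"references undefined security scheme '{name}'"))
            for param in shared_params + op.get("parameters", []):
                schema = param.get("schema")
                pname = param.get("name")
                if schema is None:
                    findings.append((verb, path, f"parameter '{pname}' has no schema"))
                elif schema.get("type") == "string" and not any(
                    k in schema for k in ("maxLength", "pattern", "enum")
                ):
                    findings.append((verb, path, f"string parameter '{pname}' is unbounded"))
    return findings


if __name__ == "__main__":
    for verb, path, message in lint_openapi(SAMPLE_SPEC):
        print(f"{verb:6} {path:16} {message}")
    # Four findings: both /orders/{id} methods have an unbounded id, DELETE has auth
    # disabled, and /admin/export references a scheme that is never defined.
    print(json.dumps(lint_openapi(SAMPLE_SPEC), indent=1))
```

Running a check like this in the same pipeline stage that invokes Swagger Codegen means a spec change that drops an auth requirement fails the build before client or server stubs are produced from it.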

The open source Swagger tools are free to use. The SwaggerHub platform, which integrates the Swagger suite with additional features, is available in Team or Enterprise packages. The Team plan, at $75 per month for three users, includes additional integrations, reusable domains and collaboration capabilities. The Enterprise plan, available on premises or as a SaaS option, includes priority support and API standardization; its pricing is available upon request.
