Continuous security testing in the ever-evolving API Landscape PDF Free Download
1 / 19/19
100%
Dimitrios Papadimas, Panagiotis Saltaferas
03/04/2025
Continuous security testing
in the ever-evolving
API Landscape
Would you ever go to sleep with
your doors and windows
unlocked?
Probably not.
Then why would you leave your APIs exposed
without proper security?
Agenda Introduction & Industry Landscape
Problem Statement & Relevance
Proposed Solution & Methodology
Technical Deep Dive
Use Cases & Practical Implementation
Conclusion & Key Takeaways
Importance of APIs & Industry Growth –1/2
Backbone of Digital Transformation –
APIs enable seamless communication
between applications, powering cloud
computing, mobile apps, and IoT.
Rapid Adoption –85% of businesses see
API integration as essential for digital
transformation and innovation.
APIs as Critical Infrastructure –Industries
such as healthcare, finance, and
manufacturing rely on APIs.
Importance of APIs & Industry Growth –2/2
High-Stakes Security Risks –API flaws can trigger
breaches, fraud, and operational failures (e.g., supply
chain, IoT threats).
Regulatory & Compliance Pressure –Compliance with
GDPR, ISO 27001, NIS2, and PCI-DSS makes API security a
business priority.
Growing Complexity & Attack Sophistication –Legacy
tools can’t keep up; modern APIs demand automated,
scalable protection.
Security issues with APIs
•Expanded Attack Surface – APIs expose business logic and
sensitive data, making them prime attack targets.
•Authentication & Authorization Flaws – Weak
authentication and improper access controls (BOLA, BFLA)
can lead to data leaks and privilege escalation.
•Injection & Input Validation Risks – Poor validation
enables attacks like SQL injection and SSRF.
•Excessive Data Exposure – APIs may return more data than
needed, increasing information disclosure risks.
•Lack of Rate Limiting – Missing throttling allows brute-
force attacks, scraping, and denial-of-service (DoS).
•…
(Based on OWASP API Security Top 10)
Sensitive
Our approach: API Security Testing at Scale
Adaptive & Scalable Testing – Utilizing Python scripting to dynamically adjust test cases, ensuring
comprehensive coverage of all possible API endpoints.
Context-Aware Security – Leveraging OpenAPI specifications to enhance accuracy, enabling intelligent
scanning based on API structure and expected behavior
Seamless CI/CD Integration – Embedding Nuclei into the development pipeline to enable continuous,
automated API security scanning without disrupting workflows.
Key Features of Nuclei Framework
Modular approach:
Adaptable across
different CI/CD
platforms
Customizable
scan policies:
Flexible for
different
security needs
Scalability: Security
validation for scale
Open Source: Nuclei is free
and has an active
community
Fast and Efficient: Enables
fast automated regression
testing
Rate Limiting: Controls number of
requests per second and number
of concurrent threads
Nuclei Framework Main Components
Extraction of API Endpoints from OpenAPI specifications
Python scripts for common actions such as
fetching endpoints and payloads in Nuclei tests
Injecting malicious data in endpoints and payloads
Cheat sheet files containing pre-defined malicious payloads tailored for various
attack scenarios
Property files for handling of static test data and sensitive information per test
environment
Utility scripts to facilitate various operations such as parsing the properties
Templates
Workflows
Endpoints & Payloads
Python Script
Cheat sheet files
Template
Workflow
How We Integrated Nuclei into CI/CD
Vulnerability Detection
Key Takeaways
APIs Are Mission-Critical – As the backbone of digital
transformation, APIs require robust security to protect
business operations and sensitive data.
Evolving Threat Landscape – API attacks are increasing in
sophistication, demanding automated, scalable, and
proactive security solutions.
Strategic Approach – By integrating Nuclei into CI/CD,
leveraging Python-driven dynamic testing, and utilizing
OpenAPI for context-aware security, we enable
continuous, efficient, and precise vulnerability detection.
Expand API security automation with continuous
improvements and adaptability.
Enhance detection capabilities by refining attack
simulations and payload coverage.
Drive adoption across teams to establish security as a
shared responsibility.
Next Steps
Questions ?
Netcompany.com
Thank you for your attention!
