APIs and microservices play essential roles in the applications. APIs (application programming interfaces) define and facilitate data exchange between different software components and change the way we interact with applications. On the other hand, microservices, which are smaller, independent units or containers in the applications with few and closely related jobs, facilitate the building, functioning and maintenance of the applications. Both APIs and microservices can be vulnerable to cyberattacks. When either of them are part of or constitute an application, they represent multiple potential attack vectors for malicious hackers. Therefore, each of these elements should be evaluated continuously, considering every line of their code, ideally from the early development stages.
Here is where we come in to act in favor of microservice and API security. Our team of ethical hackers uses diverse techniques, among which, for these cases, SAST, DAST and Manual Pentesting stand out. Interactions between microservices, their functions, business logic and the public exposition of APIs on the networks have to be tracked and attacked to find vulnerabilities that can be exploited by cybercriminals. The scanning and testing procedures pay attention to running applications’ behavior, covering authentication, authorization and encryption functions, among others, always taking into account more vulnerabilities than those usually publicly highlighted, for instance by the OWASP Top 10.