Security testing is a huge topic in its own right, but the intersection between APIs and security is an important one to consider. It can be overwhelming because a lot of specialist knowledge is required. The truth is that most of us cannot do a deep dive on security testing when we are testing APIs, but I think there are a few simple things we can consider as testers.
One of the simplest things is to try out API paths with different credentials. For example, if you have an API path that allows you to edit something that is meant for admins, make sure you can’t access it as a ‘regular’ user. Another similar check to this is to try a different user’s credentials on endpoints that give back private information.
Another quick and dirty test that anyone should be able to do in API testing is to try different API paths that give back the same information. Often there are multiple ways to access something in an API. For example, you might have a direct endpoint that lets you get information for a particular resource. You might also be able to get to that same information by using search functionality on another part of the API. Checking that the search functionality does not give you more information than your permissions allow is something anyone can do without a lot of security training.
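The two checks above, as an added example that is not code from the original post: an in-process stand-in for an API with an admin-only edit endpoint, a direct resource endpoint and a search endpoint, plus a helper that reports records the search path reveals to a user who is denied them on the direct path. All users, records, roles and endpoint names are constructed for the example.

```python
# Constructed sample data: every record has an owner; admins may read everything.
RECORDS = {
    1: {"id": 1, "owner": "alice", "email": "alice@example.test"},
    2: {"id": 2, "owner": "bob", "email": "bob@example.test"},
}
USERS = {"alice": "user", "bob": "user", "carol": "admin"}  # name -> role


def can_read(user, record):
    """A user may read a record if they own it or are an admin."""
    return USERS[user] == "admin" or record["owner"] == user


def update_record(user, record_id, new_email):
    """Admin-only edit endpoint: a 'regular' user must get 403 here."""
    if USERS[user] != "admin":
        return 403
    if record_id not in RECORDS:
        return 404
    RECORDS[record_id]["email"] = new_email
    return 200


def get_record(user, record_id):
    """Direct endpoint: enforces the ownership/admin check on every call."""
    record = RECORDS.get(record_id)
    if record is None:
        return 404, None
    if not can_read(user, record):
        return 403, None
    return 200, record


def search_records(user, query, enforce=True):
    """Search endpoint over the same data. enforce=False models the bug the post
    warns about: the alternate path forgets the permission filter."""
    hits = [r for r in RECORDS.values() if query in r["email"]]
    if enforce:
        hits = [r for r in hits if can_read(user, r)]
    return 200, hits


def cross_path_leaks(user, query, enforce=True):
    """Tester's check: ids the search path returns to `user` that the direct
    path refuses (403) for the same user. Expected to be empty."""
    _, hits = search_records(user, query, enforce)
    return sorted(r["id"] for r in hits if get_record(user, r["id"])[0] == 403)
```

Run the same query as each user; any non-empty result from `cross_path_leaks` is a finding to report.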
There are also system-level issues to consider. Does the way your API is set up encourage, or make it easy for, people to accidentally expose data? Considering API design and how it interacts with human behaviour is another important area where you can provide security insights without needing security certifications.
There will be the need for security experts who are trained in the intricacies of technical security testing to take a look at your APIs, especially if they are public, but don’t let that stop you from digging in and doing your own security testing!