What factors impact the cost of an API or microservice penetration test?

This article describes the main factors we take into account when estimating the cost of an API penetration test.

API or microservice penetration testing is different from other application penetration testing because it lacks the context that a user interface provides. Here are the main factors that influence the effort to test an API or microservice:

Documentation

Good documentation can have a significant impact on how smoothly the test runs. The documentation must include clear steps on how to establish and maintain authentication. In addition, the documentation should include valid sample payloads for each API request. We highly recommend having the development team build a Postman collection or similar mechanism before scheduling an API penetration test. The collection or similar mechanism should clearly demonstrate or describe each parameter and its expected value(s).

All API penetration tests should be considered white-box tests. Without documentation, the effort needed to discover how each API endpoint functions and to experiment with payloads is significant. Be sure to tell us if you do not have sufficient documentation in place.

Function Count

The function count is simply a count of all the API endpoints. It should be divided into two separate metrics as follows:

  • Queries: functions that retrieve data, usually associated with the HTTP verb GET.
  • Mutations: functions that submit or change data, usually associated with the HTTP verbs POST, PUT, or DELETE.

Function Complexity

The number of parameters in a function can impact the number of permutations that are needed to test it, and therefore the total effort. For estimation purposes, we assume the average function will take five or fewer parameters. Be sure to tell us if your APIs or microservices take large numbers of parameters so we can scope enough time to test them.
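As an added illustration of the Function Count and Function Complexity metrics above (this is example code, not part of the original article), the script below walks an OpenAPI 3 document, splits operations into queries (GET) and mutations (POST/PUT/DELETE), and flags any function that takes more than five parameters. It assumes the development team can export an OpenAPI description; the embedded specification is a constructed sample.

```python
import json
from collections import Counter

# Constructed OpenAPI 3 fragment standing in for a real API description
# (assumption: the team exports OpenAPI; a Postman collection would need
# a different parser). Path-level parameters apply to every operation.
SAMPLE_SPEC = json.loads("""{
  "paths": {
    "/users": {
      "get": {"parameters": [{"name": "page", "in": "query"},
                             {"name": "limit", "in": "query"}]},
      "post": {"requestBody": {"content": {"application/json": {"schema": {
        "properties": {"name": {}, "email": {}, "role": {},
                       "org": {}, "manager": {}, "title": {}}}}}}}
    },
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path"}],
      "get": {},
      "put": {"requestBody": {"content": {"application/json": {"schema": {
        "properties": {"name": {}, "email": {}}}}}}},
      "delete": {}
    }
  }
}""")

QUERY_VERBS = {"get"}                      # retrieve data
MUTATION_VERBS = {"post", "put", "delete"}  # submit or change data

def count_params(path_item, op):
    """Path/query params (path-level + operation-level) plus JSON body fields."""
    n = len(path_item.get("parameters", [])) + len(op.get("parameters", []))
    body = op.get("requestBody", {}).get("content", {}).get("application/json", {})
    return n + len(body.get("schema", {}).get("properties", {}))

def scope_api(spec, max_params=5):
    """Return (queries, mutations, complex_fns) for scoping an API test.

    complex_fns lists (VERB, path, param_count) for functions above max_params,
    i.e. the ones that need extra test time budgeted.
    """
    counts, complex_fns = Counter(), []
    for path, item in spec["paths"].items():
        for verb, op in item.items():
            if verb in QUERY_VERBS:
                counts["queries"] += 1
            elif verb in MUTATION_VERBS:
                counts["mutations"] += 1
            else:
                continue  # "parameters", "summary", etc. are not operations
            n = count_params(item, op)
            if n > max_params:
                complex_fns.append((verb.upper(), path, n))
    return counts["queries"], counts["mutations"], complex_fns

if __name__ == "__main__":
    q, m, cx = scope_api(SAMPLE_SPEC)
    print(f"queries={q} mutations={m}")
    for verb, path, n in cx:
        print(f"  complex: {verb} {path} takes {n} parameters")
```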