I'm currently facing some challenges with API security testing for our live REST and gRPC APIs. We rely on SAST during development, but once the APIs are deployed, I feel like we're not fully catching security issues. Our main method right now is manual testing with Postman, which isn't scaling well. I've tried implementing some automated tests, but they often fail due to our authentication setup of SSO and 2FA. I'm interested in learning how others manage runtime API security, particularly any tools that can help discover undocumented endpoints because I suspect we have some shadow APIs that weren't properly documented.
5 Answers
Have you checked if your OAuth provider can use client credential flows? That could let your end-to-end test runner operate with its own account, which means you won't have to deal with SSO and 2FA during tests.
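As an added illustration of the approach this answer suggests (example code, not the answerer's own and not tied to any particular provider): a test runner that obtains its own bearer token with the OAuth 2.0 client-credentials grant and caches it until shortly before expiry. The token endpoint here is a constructed in-process fake; the HTTP transport is injectable so the same client can be pointed at a real token URL (the URL, client id, secret and scopes below are placeholders).

```python
"""Added example: a test runner fetching its own access token via
grant_type=client_credentials, bypassing the interactive SSO/2FA path.
The token endpoint is a constructed fake; the transport is pluggable."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# A transport takes (url, form_fields, headers) and returns (status, body_bytes).
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(url: str, fields: Dict[str, str], headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real HTTP transport for an actual token endpoint (not exercised offline)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


class ClientCredentialsTokenSource:
    """Fetches and caches a bearer token using the client-credentials grant.

    Client credentials go in an HTTP Basic header (RFC 6749 section 2.3.1); the
    token is refreshed `skew` seconds before its reported expiry so long-running
    suites do not start failing mid-run.
    """

    def __init__(self, token_url: str, client_id: str, client_secret: str,
                 scope: str, transport: Transport = urllib_transport, skew: int = 30):
        self.token_url = token_url
        self.scope = scope
        self.transport = transport
        self.skew = skew
        creds = f"{client_id}:{client_secret}".encode()
        self._basic = "Basic " + base64.b64encode(creds).decode()
        self._token = None
        self._expires_at = 0.0

    def token(self, now: Callable[[], float] = time.time) -> str:
        if self._token and now() < self._expires_at - self.skew:
            return self._token  # cached and not about to expire
        status, body = self.transport(
            self.token_url,
            {"grant_type": "client_credentials", "scope": self.scope},
            {"Authorization": self._basic,
             "Content-Type": "application/x-www-form-urlencoded"},
        )
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {body[:200]!r}")
        payload = json.loads(body)
        if payload.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unexpected token_type")
        self._token = payload["access_token"]
        self._expires_at = now() + int(payload.get("expires_in", 0))
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header the test runner attaches to every API request."""
        return {"Authorization": f"Bearer {self.token()}"}


# ---- constructed fake token endpoint, standing in for the real provider ----
FAKE_CLIENT_ID = "e2e-runner"          # placeholder
FAKE_CLIENT_SECRET = "constructed-secret"  # placeholder


class FakeTokenEndpoint:
    """Minimal client-credentials token endpoint; one instance per test."""

    def __init__(self):
        self.issued = 0

    def __call__(self, url: str, fields: Dict[str, str], headers: Dict[str, str]) -> Tuple[int, bytes]:
        expected = "Basic " + base64.b64encode(
            f"{FAKE_CLIENT_ID}:{FAKE_CLIENT_SECRET}".encode()).decode()
        if headers.get("Authorization") != expected:
            return 401, json.dumps({"error": "invalid_client"}).encode()
        if fields.get("grant_type") != "client_credentials":
            return 400, json.dumps({"error": "unsupported_grant_type"}).encode()
        self.issued += 1
        return 200, json.dumps({"access_token": f"tok-{self.issued}",
                                "token_type": "Bearer", "expires_in": 300}).encode()


def demo() -> Dict[str, str]:
    src = ClientCredentialsTokenSource("https://idp.example.invalid/oauth2/token",
                                       FAKE_CLIENT_ID, FAKE_CLIENT_SECRET,
                                       "api.read api.write", transport=FakeTokenEndpoint())
    return src.auth_header()


if __name__ == "__main__":
    print(demo())
```

In a real suite the runner's client gets only the scopes the tests need, and its secret comes from the CI secret store rather than the repository; the provider's own audit log then shows the runner's activity under its own identity instead of a developer's.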
It's really those undocumented endpoints that pose the biggest risk. They can arise from old versions or internal routes that weren't properly cleaned up. Without some monitoring to capture real API traffic and understand what's actually being called, you won't get a complete view, no matter how thorough your CI scans are.
SAST is great for spotting potential issues in code, but it doesn't tell you what’s live and accessible. API testing should focus on both discovering endpoints and managing authentication effectively. If your scanner can’t accurately replay real auth flows, it might miss a lot. Using instrumentation tools at the gateway or service mesh level can help track real traffic and verify what's exposed, even if it isn’t documented.
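The two answers above both come down to the same check: compare what the gateway or mesh actually serves with what the API documentation says exists. The following is an added example of that comparison (not code from either answerer): it matches gateway access-log lines against OpenAPI-style path templates and gRPC full method names (which appear on the wire as POST /package.Service/Method) and reports paths no template covers, plus documented paths hit with methods the spec does not list. The log lines and the documented route list are constructed samples.

```python
"""Added example: surfacing undocumented ("shadow") endpoints by diffing observed
gateway traffic against the documented API surface. Log and spec are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Documented surface: REST paths in OpenAPI template form plus gRPC full method
# names (on the wire these are POST /<package>.<Service>/<Method>).
DOCUMENTED: Dict[str, Set[str]] = {
    "/v2/users/{id}": {"GET", "PATCH"},
    "/v2/orders": {"GET", "POST"},
    "/v2/orders/{id}": {"GET"},
    "/inventory.v1.Inventory/GetItem": {"POST"},
}

# Constructed gateway access log (not real traffic): method, path, status, source.
ACCESS_LOG = """\
GET /v2/users/1042 200 10.0.3.7
PATCH /v2/users/1042 200 10.0.3.7
GET /v1/users/1042 200 198.51.100.23
DELETE /v2/users/1042 405 198.51.100.23
GET /internal/debug/config 200 10.0.9.1
POST /v2/orders 201 10.0.3.8
GET /v2/orders/88a1 200 10.0.3.8
POST /inventory.v1.Inventory/GetItem 200 10.0.3.8
POST /inventory.v1.Inventory/ListItems 200 10.0.3.8
GET /v2/users/1042/export 200 198.51.100.23
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<src>\S+)$")


def template_to_regex(template: str) -> "re.Pattern":
    """'/v2/users/{id}' -> regex matching exactly one non-slash segment per {param}."""
    parts = re.split(r"(\{[^}]+\})", template)
    pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + pattern + "$")


def classify(documented: Dict[str, Set[str]], lines: Iterable[str]):
    """Return (undocumented_paths, undocumented_methods), each with hit counts.

    undocumented_paths:   concrete path -> hits, for paths matching no template
    undocumented_methods: (template, method) -> hits, for documented paths hit
                          with a method the spec does not list (a 405 is kept:
                          probing of a real route is still worth seeing)
    """
    compiled = [(template_to_regex(t), t) for t in documented]
    shadow_paths: Dict[str, int] = defaultdict(int)
    shadow_methods: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        path = m["path"].split("?", 1)[0]  # query string is irrelevant to routing
        matched = next((t for rx, t in compiled if rx.match(path)), None)
        if matched is None:
            shadow_paths[path] += 1
        elif m["method"] not in documented[matched]:
            shadow_methods[(matched, m["method"])] += 1
    return dict(shadow_paths), dict(shadow_methods)


def report(documented=DOCUMENTED, log=ACCESS_LOG) -> List[str]:
    """Human-readable findings, one line each, sorted for stable diffs between runs."""
    paths, methods = classify(documented, log.splitlines())
    out = [f"undocumented path: {p} ({n} hits)" for p, n in sorted(paths.items())]
    out += [f"undocumented method: {m} {t} ({n} hits)"
            for (t, m), n in sorted(methods.items())]
    return out


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against real input, the documented set would be generated from the OpenAPI document and the service's .proto definitions, and the log would be the gateway or sidecar access log; the interesting output is the undocumented-path list (here the old /v1 route, the internal debug endpoint, an unlisted gRPC method and a sub-resource export), which is the shadow-API inventory the question is asking for.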
If you're only using SAST and Postman, you're definitely missing out on visibility in production. Runtime API security is more about understanding what endpoints are out there and who can access them. If your current testing approach keeps running into issues with authentication, it may mean the tools aren’t aligned with the actual setup.
Manual testing through Postman can lead to missed vulnerabilities. A better approach is to use automated DAST tools that handle auth flows seamlessly. Checkmarx DAST, for instance, can identify undocumented endpoints and test both REST and gRPC APIs in production, tackling complex auth processes without manual overhead. It's crucial to catch shadow APIs before they become a target.