3 reasons why QA people should get into API hacking

Why QA people should be hacking APIs

You remember the movie The Dark Knight Rises, right? There is a quote at the end of that movie explaining who Batman was that very much explains what good API security testers are like

“Because he can take it. Because he’s not a hero. He’s a silent guardian, a watchful protector. A dark knight.”

Commissioner Gordon in The Dark Knight

All software has bugs. In this day and age of the modern application backed by APIs, we must have silent guardians watching for those security vulns that put us all at risk.

Even as we continue to shift left and empower developers to be more test-driven, the fact is the deeper, more complex application logic bugs that affect the safety and security of resources are best caught by those testing the systems before release. You know, by those people typically in a QA role.

In this article, I want to explore some key reasons why QA people should reshape their mindset around API security testing and cover why they should start thinking more offensively about hacking APIs.

You should stick around if you aren’t in a QA role too. Understanding why QA people are the dark knights of the software development process helps you better understand (and respect) what they could and should be doing.

Let’s get started.

Reason #1: You’ll deliver more value

Traditionally, people in the role of quality assurance (QA) or quality control (QC) are tasked with verifying that the product being built meets the pre-defined requirements. This might mean verifying a user story is accurate or that a feature is implemented to spec.

As agile development shifts more left, testing is no longer a QA-only activity. Developers are now responsible for writing unit tests and doing their own self-testing.

So, if you’re a QA person, you might think your role is diminishing. After all, why do we need QA people anymore if everyone else on the team is responsible for quality?

The answer is quite simple – your skill set is still very much in demand, but the value you can provide has shifted.

You see, as a QA person, you have always been focused on how the software works. But with the rise of APIs, how the software works has changed. Now, when we talk about quality in software development, we are not just talking about if the software works as expected. We are also talking about security.

With the rise of APIs comes the increase in API hacking. And that’s where you come in.

As a QA person, you have always been focused on finding bugs. But now, with the shift to API development, you can focus on finding security bugs. You can become the silent guardian that protects our applications from attack.

You can deliver more value to your team and your company by becoming an API hacker. In other words, you will start thinking and acting like the villain, making the software do things it’s not supposed to, and then document and report it so it can be fixed before your adversaries can exploit it.

Reason #2: Becoming the villain turns you into the hero

One of the best ways to find bugs is to think like the bad guy. In other words, you need to start hacking APIs.

If you want to find all the possible ways an attacker could exploit your API, you need to start thinking like one. You need to understand how they operate and what their goals are. Only then will you be able to find potentially impactful vulnerabilities in your system.

Becoming the villain might sound a bit extreme, but it’s really not. It’s just a different way of thinking about testing. Instead of trying to verify that the software works as expected, you are now trying to break it.

And becoming the villain has its perks. For starters, it makes you the hero. Because now you are the one responsible for finding security bugs before they make it into production.

Developers don’t always like it when you find flaws in their code or otherwise criticize their work. However, they would rather have you find a security bug in testing before it’s exploited in the wild in production. It’s a small but important mental shift and attitude alignment. Devs WANT API security testers on their teams.

It also makes you more marketable. Companies are always looking for people with a security focus. And as a QA person with API hacking experience, you will be in high demand. In fact, I’ve written before about how appsec SDETs and pentesters make significantly more money than people in the typical QA role.

So let’s see… you will be wanted more, paid more, and respected more. As the villain. In no time you’ll be able to afford to buy that supervillain cat.

Reason #3: Security is everyone’s responsibility

One of the biggest misconceptions about security is that it’s someone else’s job. That it’s the job of the security team or the network administrator. But that simply isn’t true.

Security is everyone’s responsibility. And as a QA person, you have a unique opportunity to help make your company’s software more secure.

You see, most people think about security as something that is added on at the end. But that’s not how it works. Security needs to be built into the system from the beginning. And as a QA person, you can help make that happen.

You can help ensure that security is considered at every stage of the development process. You can help review requirements and design documents for security holes. You can help write unit tests that check for security vulnerabilities. And you can even help with penetration testing.

A few months back, I talked about how you can leverage OWASP’s Application Security Verification Standard (ASVS) as part of your API security testing blueprint. The whole idea is to improve your organization’s appsec maturity by standardizing how you go about testing APIs. Heck, section 13 of ASVS has explicit guidance on web services and APIs that helps you to verify that:

  • You have adequate authentication, session management, and authorization on all web APIs.
  • You properly handle input validation of all parameters that transit from a lower to a higher trust level.
  • You maintain effective security controls for all API types, including cloud and Serverless API

What’s nice is that OWASP describes clearly how to test for this and links it to the corresponding Common Weakness Enumeration (CWE) number published by Mitre. This means you can leverage the detailed insights from Mitre right inside your bug reports to improve the experience developers have with you as they review and fix vulnerabilities you find during your API security testing.

Remember that whole villain vs. hero discussion earlier? Ya… that. Give developers operational insights into the vulns so they can understand the impact, the criticality, and how best to approach fixing it.

Becoming an API hacker is a great way to deliver more value to your team and your company. It’s a great way to become the hero instead of the villain. And it’s a great way to show that security is everyone’s responsibility.


If you’re a QA person who is looking to add more value, become more marketable, and gain more respect, then you should seriously consider getting into API hacking. It’s a great way to improve your skills and help make your company’s software more secure.

What do you think? Are you convinced yet? Or do you have more questions? Let me know. And if you’re looking for more information on other online resources for API security testing, be sure to check my free ebook, The Ultimate Guide to API Hacking Resources.

Dana Epp