Israeli API company Wib on Wednesday announced a new API Pentesting-as-a-Service offering that integrates with its software-as-a-service app and has been designed to help organizations comply with the latest PCI-DSS 4.0 mandates for testing application security, APIs, and vulnerabilities in business logic.
Chuck Herrin, chief technology officer at Wib, explained that what's new here is Wib’s focus on APIs and that the company is targeting ongoing relationships rather than a “one and done” transactional approach.
“As APIs change rapidly, so does the attack surface, so we want to provide an ongoing line-of-sight into the attack surface they're missing today,” Herrin said. “Also important is that Wib’s SaaS platform can provide the inventory and documentation needed for the testing, and the testing can give the specific feedback for the security and dev teams on exactly what to fix, as well as validation that it's completed. They're complementary in that way, but can be standalone if the customer prefers.”
Melinda Marks, a senior analyst at the Enterprise Strategy Group, said Wib has taken an interesting approach to the growing concern about API attacks and the need for solutions focused on API security, both of which she has found in her recent research.
“Wib is one of the security vendors focused on API security, helping organizations gain visibility with an inventory of APIs, and identify and remediate issues to prevent them from being susceptible to attack, or to quickly respond if there’s an incident,” said Marks. “This Pentesting-as-a-Service approach is interesting because it emphasizes that hackers are attacking the APIs themselves, compared to attacking the web application components. Organizations typically use pentesting tools to stay ahead of attackers and fill in any gaps they may have missed with whatever security solutions they have in place. So this could be a useful service for organizations concerned about API security.”
Michelle Abraham, a research director in IDC’s security and trust group, added that APIs are critical in today’s applications, but they can present a weak link in an application’s security posture, allowing attackers access to private information.
“Including APIs as part of PTaaS solutions will help organizations find those potential exposures before attackers do,” Abraham said.