Automate API Security Testing

Published April 28, 2025 | Last modified May 28, 2025

Objective

This guide provides instructions on how to set up and configure API testing for detecting vulnerabilities in your APIs before they reach production. This guide covers credential management, environment configuration, and viewing test results within the F5® Distributed Cloud Services platform.

Prerequisites

  • A valid F5 Distributed Cloud Account. If you do not have an account, see Getting Started with Console.

  • One or more applications deployed with configured services

  • An active HTTP load balancer configured for your application.

  • API endpoints that need to be tested.

  • Valid credentials for testing.

Note: Supported authentication types include API key, basic authentication, JWT bearer token, and login endpoint.

Procedure

Step 1: Enable API testing.

  • In the Multi-Cloud App Connect service, navigate to your load balancer configuration.

  • Click ... > Manage Configuration > Edit Configuration.

  • Navigate to the API Protection section.

  • From the API Testing drop-down menu, select Enabled.

Figure: Enable Testing

Figure: Enable Testing

Step 2: Configure testing environment.

  • Under the API Testing section, locate Testing Environments.

  • Click Add Item.

Figure: Add Test

Figure: Add Test

  • In the Testing Environments wizard:
    • Select domain from suggested domains (only domains from the load balancer can be added).
Figure: Add Domain for Testing

Figure: Add Domain for Testing

  • Choose whether to run destructive methods. Pay attention if you are running the API testing on a testing environment. This is recommended.
Figure: Add Destructive Methods

Figure: Add Destructive Methods

  • To configure credentials (minimum of three sets required: two standard roles, and one admin role), click Add Item.
  • For each credential, add the name and select the credential type and provide the required information:
    • API Key: key and value fields.
    • Basic Authentication: username and password.
    • Bearer Token: Token value.
    • Login Endpoint: Path, method, JSON request payload, and token response key (as in “token”, “userToken”).
    • Assign roles to each credential set.
Figure: Add Credentials

Figure: Add Credentials

  • Click Apply to save the environment configuration.
Figure: Save Credentials

Figure: Save Credentials

Step 3: Optionally, add customer headers.
  • Under the Testing Environment section, configure the header value:
    • Key: x-f5-apitesting-identifier.
    • Add custom value.
Figure: Add Header

Figure: Add Header

Step 4: Set up testing schedule.
  • Under the Frequency of Test section, select the desired frequency:
    • Every Day
    • Every Week (default)
    • Every Month
Figure: Add Testing Schedule

Figure: Add Testing Schedule

Step 5: View testing results.
  • Access the Security Dashboard.
  • Navigate to the API Endpoints tab.
  • Enable the Last Tested column by selecting the gear icon and then selecting Last Tested to view test execution times.
Figure: View Testing Results

Figure: View Testing Results

  • Click on the endpoints to view:
    • The Security posture tab
    • The vulnerabilities detected by API testing
    • The vulnerability source and details
Figure: View Testing Scores

Figure: View Testing Scores

Testing Limitations

  • Advanced authentication mechanisms (OAuth) are not included
  • Users cannot select specific tests to run
  • A minimum of 3 credential sets is required for testing (2 users and 1 admin) to test complex authorization scenarios.
  • Only domains from the load balancer can be added for testing
  • Authentication support is limited to:
    • API Key authentication
    • Basic authentication
    • JWT Bearer Token
    • Login Endpoint
  • Credentials of types: API Key, Basic, JWT; must not expire within the testing period

Feature Concepts

  • Testing Environment: Configuration of domains and credentials where API tests will be executed.
  • Credentials Management: System for managing authentication details used during API testing. All credentials are saved as secrets with the option for users to blindfold them.
  • Custom Headers: Special HTTP headers that identify API testing traffic.
  • Testing Schedule: Automated testing cycle that can be set to daily, weekly, or monthly frequencies.
  • Vulnerability Source: Indicates how a vulnerability was detected (API Testing or Traffic Analysis).

Troubleshooting

Below are some common issues and proposed solutions.

Last Tested Column Shows N/A for All Endpoints

Issue: This indicates that no tests have been initiated.

Resolution:

  • Validate that all credentials are correctly configured.
  • Delete any existing credentials.
  • Add credentials again.
  • Save the configuration.
  • Wait up to one (1) hour for tests to initiate.
  • If tests are still not showing after 1 hour, open a support ticket.
Tests Not Running on Schedule

Issue: Weekly tests not executing as expected.

Resolution:

  • Verify that credentials have not expired.
  • Ensure testing environment is properly configured.
  • Check if the domain is still valid and accessible.
Authentication Failures

Issue: Tests failing due to authentication issues.

Resolution:

  • Verify that credentials have not expired.
  • Confirm credential format matches the authentication type.
  • Ensure credentials have appropriate permissions.

When to Contact the Distributed Cloud Support Team

Open a support ticket if:

  • Tests are not showing within 1 hour after configuration.
  • Persistent authentication failures despite valid credentials.
  • Unexpected test results or system behavior.

Concepts

On this page: