
March 12, 2025
July 24, 2025

Embracing Test-Driven Development for API Security : A Blueprint for Shifting Left

In today’s fast-paced agile world, software teams are already using Test‑Driven Development (TDD) to drive high-quality code. But what if we could bring this discipline to API security? Imagine writing security tests before releasing your API—and running them continuously—to ensure your security posture always improves. That’s the core idea: TDD for API security.

Meet the Expert: José from APSec

José Haro Peralta, a senior engineer at APSec and author of Microservice APIs (2023) and the forthcoming Secure APIs, leads the discussion. He is the brains behind APSec's testing platform and invites feedback via GitHub, Twitter (now X), LinkedIn, email, and YouTube. Attendees at his presentation even had a chance to win one of five free e‑book copies of Secure APIs, plus a 45% discount on both titles.

Why Shift Left on API Security?

  • Catch issues early: According to the State of DevOps reports, integrating testing and security early cuts defects, accelerates delivery, and reduces costs. The numbers speak for themselves: up to 50% of security issues surface late, forcing teams into heavy lifting and patchy "bolt-on" fixes.
  • Avoid late-stage fire drills: Tackling SQL injection or broken authorization after deployment typically means making cosmetic fixes and missing the deeper design flaws behind them.

The solution? Start with proper design: when defining your API (e.g. an endpoint parameter sort_by), constrain its allowed values up front in the specification (e.g. only "price" or "review"), so anything else is rejected at the boundary instead of being patched as a vulnerability later.

Threat Modeling: Your Roadmap to What to Test

With hundreds of APIs and endpoints, where do you start?

Step 1: Threat modeling
Methodologies like STRIDE and community frameworks (e.g. the Threat Modeling Manifesto) help identify real-world risks, one category per letter:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of privilege

Use tools like the OAS "Card Game" or STRIDE workshops to train teams (frontend, backend, SREs, and stakeholders) to think like the attacker.

Step 2: Identify the most impactful threats and design tests to cover them. That set becomes your minimum viable security tests.

Quick-Win Security Tests You Can Write Today

  1. Broken Authentication Tests
    📌 Write a test for each authenticated endpoint to ensure unauthenticated requests are rejected. Surprisingly, about 50% of APIs fail this check in some edge case.
  2. SQL Injection / Input Validation
    📌 Add tests that intentionally send SQL-injection-style payloads via input parameters and assert they are rejected. This enforces proper input constraints early.
  3. Broken Object-Level Authorization (BOLA)
    📌 Can User A access User B's resources? Automate tests for resource ownership boundaries. APSec's experience shows nearly 30% of APIs have issues here.

These minimum viable tests are quick to write (5–10 minutes per endpoint) and give a solid return in security coverage for the effort.
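The three quick-win tests above, together with the sort_by allow-list from the design advice earlier, as one runnable example. This is added code, not from the original post or from APSec: the tiny HTTP API (GET /users/<id> and GET /products?sort_by=...), the user records, the bearer tokens and the SORT_BY_ALLOWED set are all constructed fixtures, and run_quick_win_tests stands in for the pytest functions you would point at the real service in CI.

```python
"""Quick-win API security tests (unauthenticated access, SQL-injection-style
input, BOLA) run against a tiny in-process HTTP API.

Added example, not code from the original post or from APSec. The API, its
routes, tokens and the allow-list for sort_by are constructed for illustration;
in a real project the same three checks target the service under test.
"""
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse

# Constructed fixture data: two users and their bearer tokens.
USERS = {"1": {"id": "1", "email": "alice@example.test"},
         "2": {"id": "2", "email": "bob@example.test"}}
TOKENS = {"token-alice": "1", "token-bob": "2"}
# Allow-list for the sort_by parameter (the "limit values up front" advice).
SORT_BY_ALLOWED = {"price", "review"}


class ApiHandler(BaseHTTPRequestHandler):
    """Minimal API: GET /users/<id> (authenticated, owner-only) and
    GET /products?sort_by=<price|review> (validated input)."""

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep test output quiet
        pass

    def do_GET(self):
        url = urlparse(self.path)
        m = re.fullmatch(r"/users/(\d+)", url.path)
        if m:
            # Authentication: reject anything without a known bearer token.
            auth = self.headers.get("Authorization", "")
            token = auth[7:].strip() if auth.startswith("Bearer ") else ""
            caller = TOKENS.get(token)
            if caller is None:
                return self._send(401, {"error": "unauthenticated"})
            # Object-level authorization: a user may only read their own record.
            if caller != m.group(1):
                return self._send(403, {"error": "forbidden"})
            return self._send(200, USERS[caller])
        if url.path == "/products":
            sort_by = parse_qs(url.query).get("sort_by", ["price"])[0]
            # Input validation: values outside the allow-list never reach a query.
            if sort_by not in SORT_BY_ALLOWED:
                return self._send(400, {"error": "invalid sort_by"})
            return self._send(200, {"sorted_by": sort_by, "items": []})
        self._send(404, {"error": "not found"})


def start_server():
    """Start the API on a free localhost port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), ApiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def get_status(url, token=None):
    """GET url and return the HTTP status code, whether success or error."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_quick_win_tests(base_url):
    """The three minimum viable tests plus a control; returns {name: status}."""
    sqli_payload = "price' OR '1'='1"  # constructed injection-style input
    return {
        # 1. Broken authentication: a request with no token must be rejected.
        "unauthenticated": get_status(f"{base_url}/users/1"),
        # 2. Input validation: injection-style sort_by must be rejected.
        "sqli": get_status(f"{base_url}/products?sort_by={quote(sqli_payload)}"),
        # 3. BOLA: Bob's valid token must not read Alice's record.
        "bola": get_status(f"{base_url}/users/1", token="token-bob"),
        # Control: the owner with a valid token is allowed through.
        "owner": get_status(f"{base_url}/users/1", token="token-alice"),
    }


if __name__ == "__main__":
    base, srv = start_server()
    try:
        print(run_quick_win_tests(base))  # expected: 401, 400, 403, 200
    finally:
        srv.shutdown()
```

Each entry in the result is one assertion you would keep in CI: 401 without a token, 400 for the injection-style sort_by, 403 when Bob reads Alice's record, and 200 for the owner so the test also proves the endpoint still works.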

Tackling Business Logic Flaws with Flow-Based Tests

Many API breaches don't come from a single flaw; they occur through chained vulnerabilities across business flows. Consider this scenario:

  • Non‑authenticated endpoint leaks user data
  • That data enables further access elsewhere
  • Cross‑endpoint chaining amplifies the breach

To guard against this, map your user flows (e.g. browsing products → adding items → placing an order → checking out → returns/refunds) and test them end to end, asserting at each step that what one step reveals cannot be abused in the next.

Use tools like OpenAPI Workflows (OAS-flavored) to define and automate these multi-step functional‑security tests.
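A flow-based test of the kind described above, as an added example that is not part of the original post, from APSec, or from the OpenAPI Workflows specification. It drives the browse → add to cart → order → refund journey as a list of steps whose outputs feed later steps, and then re-runs the chain across a user boundary to confirm an order id obtained by one user cannot be used by another. The ShopApi class, the users "alice" and "bob", and the $steps.<id>.outputs.<name> reference syntax are constructed for illustration; a real workflow would target the service under test.

```python
"""Flow-based security test: run a realistic user journey step by step,
feeding each step's outputs into the next, then assert that the same chain
cannot be completed across user boundaries.

Added example, not code from the original post, from APSec or from the
OpenAPI Workflows specification. The shop API, users and step notation are
constructed for illustration.
"""
import itertools
import re


class ShopApi:
    """In-memory stand-in for a shop API. Every call takes the caller's user
    id; object-level authorization is enforced on the refund step."""

    def __init__(self):
        self.products = {"p1": {"id": "p1", "price": 20}}
        self.carts = {}      # user -> list of product ids
        self.orders = {}     # order id -> {"owner", "items", "status"}
        self._ids = itertools.count(100)

    def list_products(self, user):
        return 200, {"items": list(self.products.values())}

    def add_to_cart(self, user, product_id):
        if product_id not in self.products:
            return 404, {"error": "no such product"}
        self.carts.setdefault(user, []).append(product_id)
        return 200, {"cart_size": len(self.carts[user])}

    def place_order(self, user):
        items = self.carts.pop(user, [])
        if not items:
            return 400, {"error": "empty cart"}
        oid = f"o{next(self._ids)}"
        self.orders[oid] = {"owner": user, "items": items, "status": "paid"}
        return 201, {"order_id": oid}

    def refund(self, user, order_id):
        order = self.orders.get(order_id)
        # Ownership check: a caller may only refund their own orders.
        if order is None or order["owner"] != user:
            return 403, {"error": "forbidden"}
        order["status"] = "refunded"
        return 200, {"order_id": order_id, "status": "refunded"}


# Constructed reference syntax, modelled loosely on workflow specs.
REF = re.compile(r"^\$steps\.(\w+)\.outputs\.(\w+)$")


def run_workflow(api, steps):
    """Execute steps in order. Each step is a dict with keys id, op, user,
    optional args, expect_status and optional outputs {name: response_key}.
    Args of the form $steps.<id>.outputs.<name> are resolved from earlier
    steps. Returns [(step_id, status, passed)] and stops at the first
    failed expectation, as a CI test would."""
    results, captured = [], {}
    for step in steps:
        args = []
        for a in step.get("args", []):
            m = REF.match(str(a))
            args.append(captured[m.group(1)][m.group(2)] if m else a)
        status, body = getattr(api, step["op"])(step["user"], *args)
        passed = status == step["expect_status"]
        results.append((step["id"], status, passed))
        captured[step["id"]] = {n: body.get(k)
                                for n, k in step.get("outputs", {}).items()}
        if not passed:
            break
    return results


# Happy path for Alice: browse, add, order, refund her own order.
CHECKOUT_FLOW = [
    {"id": "browse", "op": "list_products", "user": "alice", "expect_status": 200},
    {"id": "add", "op": "add_to_cart", "user": "alice", "args": ["p1"], "expect_status": 200},
    {"id": "order", "op": "place_order", "user": "alice", "expect_status": 201,
     "outputs": {"order_id": "order_id"}},
    {"id": "refund_own", "op": "refund", "user": "alice",
     "args": ["$steps.order.outputs.order_id"], "expect_status": 200},
]

# Chained abuse case: Bob tries to refund the order Alice just placed,
# using the order id captured from an earlier step. The flow passes only
# if the API refuses him.
CROSS_USER_FLOW = [
    {"id": "order", "op": "place_order", "user": "alice", "expect_status": 201,
     "outputs": {"order_id": "order_id"}},
    {"id": "refund_other", "op": "refund", "user": "bob",
     "args": ["$steps.order.outputs.order_id"], "expect_status": 403},
]


def all_passed(results):
    return all(passed for _, _, passed in results)


def run_flow_tests():
    """Run both flows on fresh API state; returns {flow_name: passed}."""
    happy = run_workflow(ShopApi(), CHECKOUT_FLOW)
    api = ShopApi()
    api.add_to_cart("alice", "p1")   # set-up so Alice has something to order
    cross = run_workflow(api, CROSS_USER_FLOW)
    return {"checkout": all_passed(happy), "cross_user_refund": all_passed(cross)}


if __name__ == "__main__":
    print(run_flow_tests())  # expected: both True
```

The point of the second flow is that the security assertion lives inside the journey: the refund step is only meaningful because the order step before it produced a real order id, which is exactly the kind of cross-endpoint chaining a single-endpoint test never exercises.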

Takeaways to Apply Today

Step / What to Do

  1. Repeatable Security: Build security testing into your CI pipelines so the tests run on every build.
  2. Threat Model First: Identify your most critical API risks early using STRIDE, the Threat Modeling Manifesto, or card‑game methods.
  3. Start with Low-Hanging Fruit: Implement quick-win tests for authentication, SQLi, and BOLA.
  4. Secure Business Flows: Automate and test realistic user journeys, protecting against chained threats.
  5. Stay in Contact: Connect with José at APSec via GitHub, X, LinkedIn, or his YouTube channel, not to mention the awesome deal on his books!

Final Thoughts

TDD for API security doesn't slow you down; it speeds you up. By writing the tests first, you deliver more secure, stable APIs faster. You'll catch issues early, save costs later, and reduce reliance on hasty post-deployment fixes. Start with threat modeling, automate simple yet impactful tests, and grow towards holistic flow-based security. You're already on the path to stronger, smarter API development.


Call to Action:

Want templates or starter kits for security testing? Looking for sample threat‑modeling cards or OpenAPI workflow definitions? Just reply, and I'll share tools and resources from APSec's toolkit (and José's upcoming Secure APIs book too!).
