With the evolution of modern applications to a microservice, container, or serverless computing model (and many times a combination of any of those architectures), API services or endpoints have become a vital component.
APIs have become a central building block for nearly every business or enterprise in the world. Adding the ever-changing regulatory, privacy, and security requirements almost necessitates API penetration testing to protect these methods. At a high level, any business that exposes API endpoints externally that handle sensitive data should consider utilizing penetration testing companies.
Scope for API Penetration Testing
API penetration testing is no different than nearly every other pen testing service. A business could expect the same delivery pattern of scoping, contract, project kick-off, reconnaissance, vulnerability identification, exploitation, or proof of concept, reporting, and close-out meetings.
Scoping of the engagement during the contract is key, this will allow the consulting company to better understand the complexity, design, and key goals of the test for the business. During this step, the business should identify what is allowed and not allowed during the engagement.
- Can the tester validate in production?
- Are they to work during off-hours?
- What API endpoints are to not be tested?
- What parts of the web application are in scope?
- Should a network penetration test be conducted too?
- What type of vulnerabilities are you most concerned about (access control, authentication, injection, etc.)?
Clearly define expectations, targets, time box, and expectations with the consulting firm to ensure you get the most out of the engagement and manage the penetration test cost.
NOTE: If you’re considering an API pentest, our free tool below matches you with top-rated pentest firms that fit your budget.)
API Pen Test Cost Benchmarking
Due to the many factors of a pen test, you can expect to spend somewhere between $15,000 and $30,000 per test.
Ultimately, penetration testing costs are determined using is a time-boxed approach, where total cost is based on the total time that you would like to devote to the testing service. Each test is a customized quote and provides flexibility to adjust the overall price of the project by adding or removing time allocated.
Every testing provider will scope the overall effort and cost based on the following factors and will have a minimum amount of time they are willing to devote to a test to back their work product. In the following section, we will break down some of the primary factors in determining the cost of the pen test.
Cost Factor #1: Web Application and API Size
The number of endpoints and number of dynamic pages in the web application to be tested is the largest driver of cost for testing. Simply put, the more endpoints and pages with forms that are included will require more time as these factors add more manual penetration testing time.
For most companies, there is not a linear relationship between endpoints and total effort but rather can be better represented by logarithmic growth.
As more endpoints are added, the effort per endpoint is often decreased as it becomes less effective and unrealistic to continue a linear approach. As more endpoints are added, coverage is emphasized over the depth of testing.
Cost Factor #2: Testing Complexity
While the number of endpoints can directly relate to the overall complexity of the test other factors also impact it.
Adding or removing complexity has a direct impact on testing time. For instance, providing the WSDL and postman testing scripts can lower the complexity as the tester can gain a better understanding of the API endpoints. This is considered a white box penetration test, as opposed to a black box testing where no information is provided and the tester needs to conduct a full reconnaissance effort. A black box test often can take days to complete the initial reconnaissance before transitioning into exploitation.
Another layer that can add complexity and cost of a pentest is a SaaS or multi-tenant application. Increasing the number of user roles, or service roles in scope requires additional testing for vulnerabilities related to access control, authentication, and injection attacks across accounts and tenants.
Cost Factor #3: Consultant/Consulting Company
Did you choose a highly technical boutique shop? Or maybe a name-brand large testing company? How about an independent consultant that does testing on the side? While it would be ideal to have a standard rate for testers and companies, that is not the case in consultancy services. Company brand, reputation, and expertise result in a higher hourly or weekly rate for the same service as a company that is just being established. Add in that there are multiple levels of expertise in consultancy, and rates can range from $150 to $450 an hour!
Sometimes it is worth paying the higher rates for brand recognition with a client-facing test. However, it is important to focus on the skill sets of the tester you are engaging. You can often find a penetration tester in a lesser-known company that is just as skilled as the big 4 for a significant price reduction.
Cost Factor #4: Reporting and Retesting
When scoping and attaining quotes for penetration testing services, keep in mind that most companies offer one report at the end. This report will be detailed and, typically, provide examples and reproduction steps for exploitation. So, if you are wanting to share the results with customers, partners, and clients, decide if this detailed report will be acceptable. If not, you will want to ask for an attestation letter or a summary report, which will add a small cost increase to the project. While considering what details you want to share, consider if you want to have findings retested to limit the reported findings or to show that your business has remediated the findings. Adding a retest to the project will certainly add more time to the effort which will have a direct cost impact. There are a few companies that offer retesting as part of their service but the majority charge extra and require retesting to be completed within a set period, typically no more than 6 months.
How Much do Costs Vary From One Vendor to The Next?
Earlier in the article, we already touched on how the hourly rate can differ from one consultancy to another based on reputation and brand. While brand recognition is one of the selling points that alter price from one pentest vendor to another, it is not the only one. Before getting into some of the other drivers, it is important to understand how consultancy companies may price an engagement and how that will affect the bottom line.
There are three common pricing models in penetration testing, fixed price, time & material, and credit-based.
Fixed price is the most common and comes with some benefits to you as the buyer. The key benefit to you as a buyer is that the price agreed, minus any scope changes are the price you pay no matter the time it requires. Therefore, fixed contracts typically are higher in total contract than the hours multiplied by the hourly rate. A consultancy company will build in a contingency, a certain percent of the total contract, to help cover potential overages as they are taking on all the risk with the project.
Time & material (T&M) you pay for the hours you use. So, if the estimate is for 80 hours of work and you only use 75, you do not pay for the extra 5. The risk is on you to manage the project to the hours estimated and you are responsible for overage even if a scope change does not happen.
The last pricing model is a credit-based model. This can take many forms depending on the consultancy company. The first model is a fixed price per test type and complexity with minimal scoping. The other, which is becoming more common is a price for a credit which equates to several hours per tester. You buy an allotment of credits to be applied to tests as you see fit. If you buy a large number of credits, you may get a discount per credit bringing the testing cost down. So, if you are looking for a partner for a large amount of testing that provides flexibility, looking for a partner that provides a credit model may be best.
When it comes to penetration testing, you rarely need to have the tester on site. This is even more, the case with API penetration testing, where the tester can complete all testing remotely, so this provides an opportunity to help reduce pentest costs. Since the tester should not need to come on-site, outside of preference, engaging a testing company that is outside of the US, Europe or Australia will offer up lower-cost testing resources as well. A resource from Malaysia or India will typically be less than a US-based tester. However, if you are wanting a resource to come on-site, it is highly recommended that you engage with a company that has a tester in your region as it is common for the cost of travel to be passed along in the contract.
How Much Do API Pentest Costs Vary from One Industry to the Next?
When it comes to penetration testing and API penetration testing, the industry typically does not affect the overall cost of the engagement.
At present, the only types of penetration tests that may increase the overall cost of the engagement would be related to IoT or device testing that utilizes API endpoints to communicate. This is due to needing a specialized set of skills to do testing against these devices, along with additional tools and hardware.
IoT or device pen tests that involve API add significant cost and skill requirements. This typically is reserved for the medical, automotive, and electronics verticals. Beyond this, API penetration testing is the same regardless of the type of application or industry the business is in.
Costs of Vendor Testing Vs In House Testing
When does it make sense to hire an internal team versus continuing to engage an external firm for testing? That is a question that many security leaders ask regularly. There is no cut-and-dry answer, especially in the current job market.
One of the reasons to consider engaging an external firm is if you are looking at doing more than just API penetration testing. While penetration testing seems like it will be the same regardless of the type of test conducted, it is not. The skills, knowledge, and tools required to do network are different than application. Just like in technology where you cannot expect a developer to be fully versed in network or infrastructure engineering, you cannot expect penetration testers to be fluent in all types of penetration testing.
Let’s take a deeper dive into the pros and cons of in-house vs. external vendors:
In-House
Pros:
- More flexibility to spend more time testing or conducting retesting
- Better chance to leverage known issues across applications
- More knowledge of the environment, tech stack, and services to expedite service
- On-demand advisor to developers to build security from the start
- Can conduct micro/agile testing (iterative)
- Validation or retesting is not an added expense
Cons:
- Investment in training
- Required investment in tools to conduct testing
- Customers may still require an external firm
- Experience will become limited to your environment, limiting exposure to new exploits or issues
- Can be hard to retain as the penetration tester can get bored
- Penetration testers are typically only interested in testing
- Recruitment can be difficult and if you are not experienced can be hard to gauge accurately the skills and capabilities of the candidate
Outsourced
Pros:
- Typically, can leverage knowledge from other tests to expedite vulnerability identification and validation
- Unique view of the APIs as they are not a part of the design, maintenance, or build
- Easily scale up testing within a short period
- Team-based testing that provides shared knowledge and tools
- Internal developed tools and automation to provide more efficiency
- All tools are included in the engagement
- No investment in training and upskilling
- Consultant retention is not a concern, there are other consultants to perform the test
Cons:
- Not cost-effective at scale may have to pick a very small subset of applications or restrict the scope to manage cost
- Little control over which consultant is testing
- Not flexible, the only way to spend more time on testing is to spend more money
- ·External testers will not trend findings across applications, each test is independent
Costs of API Pen Testing Vs Benefits
When conducting the final evaluation of whether to engage in API penetration testing or any penetration services, it is important to understand that the goal of this service is to identify weak components and systems, how they would be exploited, and what the exposure will be. So, as a business, it is important to consider what the loss would be across reputation, revenue, fines, and recovery.
The average cost per record of personally identifiable information in a breach was $180, while the average cost of a breach in 2021 was $4.24 million. This does not include any fines related to data privacy regulations which are only increasing in dollar amounts.
While completing a penetration test will not guarantee that a breach is avoided, it does help with providing proof of due diligence. Over the last few years, it has become even more important to show that due diligence has been completed to avoid a potential breach and this will help with potential lawsuits. So, compared to a potential cost of $4.24 million, a $25,000 penetration test on your API endpoints seems like a pretty smart investment.