Sarcouncil Journal of Engineering and Computer Sciences

An open-access, peer-reviewed international journal
Publication Frequency: Monthly
Publisher Name: SARC Publisher

ISSN Online: 2945-3585
Country of origin: Philippines
Impact Factor: 3.7
Language: English

Pentesting and Secure Code Reviews: Strengthening API Security in Modern Software Products

Keywords: API security, pentesting, secure code reviews, injection flaws, broken authentication, RESTful APIs, cloud security, vulnerability management

Abstract: In modern software products, APIs (Application Programming Interfaces) play a critical role in enabling seamless communication between systems. However, their widespread use also makes them a prime target for cyberattacks. This study evaluates the effectiveness of pentesting and secure code reviews in strengthening API security by analyzing 50 APIs from various industries. The results reveal that injection flaws (32%) and broken authentication (24%) are the most prevalent vulnerabilities, with RESTful APIs being the most affected (65%). Critical and high-severity vulnerabilities constitute 15% and 35% of the total, respectively, highlighting the need for targeted mitigation strategies. Pentesting and secure code reviews significantly reduce vulnerabilities, with the mean number of vulnerabilities per API decreasing by 54.9% (p = 0.003). Regular secure code reviews show a strong negative correlation (r = -0.72) with vulnerabilities, emphasizing their importance in proactive risk management. APIs deployed in cloud environments exhibit fewer vulnerabilities (mean = 5.1) compared to on-premises deployments (mean = 9.8), underscoring the security advantages of cloud platforms. The study highlights the importance of integrating pentesting and secure code reviews into the development lifecycle, adopting a multi-faceted approach to API security, and fostering a culture of security awareness among developers. These practices not only reduce vulnerabilities but also enhance the resilience of APIs in an evolving threat landscape.
