Skip to Content
E2E Test AutomationNon-Functional TestingSecurity Testing with Monitoring

ATA Security Testing with Monitoring — Product Documentation

1) What This Feature Is

Security Testing in ATA already lets you create suites and generate test cases targeting vulnerabilities like HTTP headers, CORS misconfigurations, and ID enumeration. With Monitoring integrated into Security Testing, you can now schedule these tests to run automatically, just like regular monitors.

This ensures your APIs are not only functional but also continuously secured against vulnerabilities that might appear over time (e.g., config drift, expired headers, or regressions after deployments).

2) How It Works

  • Security Test Suite: Define APIs and generate security test cases (via Swagger, Postman import, or API Test Suite).
  • Attach Monitoring: Create a monitor from that security test suite.
  • Scheduling & Configurations: Use the same scheduling, retry, and notification options as regular ATA monitors.
  • Automated Runs: Security test cases are executed on the configured schedule (every 5 min, hourly, daily, or custom business hours).
  • Results & Health: Each monitor run logs pass/fail results, graphs of recurring failures, and health indicators.

3) Creating a Security Monitor

Step 1: Create a Security Test Suite

  1. Go to API Testing Lab → Security Testing.
  2. Click + New Suite, name it, and add AI instructions (e.g., “Test for CORS wildcard misconfigurations and header exposure”).
  3. Import APIs (Swagger, Postman, or existing test suites).
  4. Save the suite and generate security test cases.

Step 2: Create a Monitor for the Suite

  1. In the Security Suite Dashboard, click Create Monitor.
  2. Fill in monitor details:
    • Monitor Name (e.g., Production Security Health).
    • Suite: Select the Security Test Suite.
    • Environment: Pick environment (Dev, QA, Prod) with correct variable values.

Step 3: Configure Schedule

  • Frequency: Every 5 min, hourly, daily, or custom.
  • Start Time: Exact time to start.
  • Days: Business hours, weekdays, or all days.
  • Timezone: For accurate scheduling.

Step 4: Configure Retry Logic

  • Enable Retry: Toggle on.
  • Retry Count: 1–3.
  • Retry Delay: e.g., 30 seconds.

Step 5: Set Notifications

  • Email Alerts: Send to team inbox.
  • Webhooks: Slack, Teams, or custom system.
  • Failure Criteria: Trigger on assertion failures, timeouts, or missing headers.

Save the monitor → it now executes the security tests on schedule.

4) Viewing Results

  • Run History: See timestamped runs, pass/fail status, and error messages.
  • Visual Graphs:
    • Pass vs Fail Trend: Stability of security tests over time.
    • Failure Reasons: Grouped by test type (headers, CORS, ID enumeration).
    • Response Times: Spot degradation due to misconfigured headers or slow auth.
  • Detailed Logs: Per‑request logs with failures (e.g., “CORS misconfiguration — Origin: file:// accepted”).

5) Tracking Security Health

Monitoring adds continuous visibility into API security:

  • Uptime Rate: % of runs passing all security checks.
  • Recurring Issues: E.g., nightly failures on token expiration headers.
  • Weak Points: Endpoints repeatedly exposing sensitive headers.
  • Regression Detection: If a patch reverts and headers disappear, the monitor flags it immediately.

6) Example Workflows

Example 1: Continuous Header Validation

  • Suite tests for X-Content-Type-Options and X-Frame-Options.
  • Monitor runs daily at midnight.
  • Alerts trigger if headers disappear after a new deployment.

Example 2: Detecting CORS Misconfigs

  • Suite with CORS test cases (Origin = random string, IP, or file://).
  • Monitor runs hourly.
  • Alerts if an insecure wildcard rule is reintroduced.

Example 3: ID Enumeration Guard

  • Suite tests numeric and UUID ID access patterns.
  • Monitor runs every 5 minutes in production.
  • Alerts if new endpoints start exposing predictable IDs.

7) Best Practices

  • Create dedicated monitors per environment (QA, Staging, Prod).
  • Keep suites scoped: separate monitors for headers, CORS, and ID enumeration.
  • Use retries to reduce false alarms.
  • Integrate alerts with Slack/Teams so the right team sees them instantly.
  • Review trends weekly to catch creeping regressions.

8) Benefits

  • Moves security checks from manual, point‑in‑time to continuous automated validation.
  • Catches regressions immediately after deploys.
  • Increases confidence in compliance (e.g., headers always present).
  • Helps DevSecOps teams prevent misconfigurations before users are impacted.

Security Testing with Monitoring ensures your APIs stay secure continuously, not just when you remember to run a test.

Robustness Testing with Monitoring