
Security Testing with Monitoring

📋 Overview

Security Testing in E2E Test Automation already lets you create suites and generate test cases targeting weaknesses such as missing or weak HTTP security headers, CORS misconfigurations, and ID enumeration. With Monitoring integrated into Security Testing, you can now schedule these tests to run automatically, just like regular monitors.

This ensures your APIs are not only functional but also continuously secured against vulnerabilities that might appear over time (e.g., config drift, expired headers, or regressions after deployments).


🔄 How It Works

Process Overview:

  • Security Test Suite – Define APIs and generate security test cases (via Swagger, Postman import, or API Test Suite)
  • Attach Monitoring – Create a monitor from that security test suite
  • Scheduling & Configurations – Use the same scheduling, retry, and notification options as regular E2E monitors
  • Automated Runs – Security test cases are executed on the configured schedule (every 5 min, hourly, daily, or custom business hours)
  • Results & Health – Each monitor run logs pass/fail results, graphs of recurring failures, and health indicators

๐Ÿ› ๏ธ Creating a Security Monitor

Step 1: Create a Security Test Suite

Steps:

  1. Go to API Testing Lab → Security Testing
  2. Click + New Suite, name it, and add AI instructions (e.g., "Test for CORS wildcard misconfigurations and header exposure")
  3. Import APIs (Swagger, Postman, or existing test suites)
  4. Save the suite and generate security test cases

Step 2: Create a Monitor for the Suite

Steps:

  1. In the Security Suite Dashboard, click Create Monitor
  2. Fill in monitor details:
    • Monitor Name (e.g., Production Security Health)
    • Suite: Select the Security Test Suite
    • Environment: Pick environment (Dev, QA, Prod) with correct variable values

Step 3: Configure Schedule

Scheduling Options:

  • Frequency – Every 5 min, hourly, daily, or custom
  • Start Time – Exact time to start
  • Days – Business hours, weekdays, or all days
  • Timezone – For accurate scheduling

Step 4: Configure Retry Logic

Retry Settings:

  • Enable Retry – Toggle on
  • Retry Count – 1–3
  • Retry Delay – e.g., 30 seconds

Step 5: Set Notifications

Notification Options:

  • Email Alerts – Send to team inbox
  • Webhooks – Slack, Teams, or custom system
  • Failure Criteria – Trigger on assertion failures, timeouts, or missing headers

Save the monitor → it now executes the security tests on schedule.


📊 Viewing Results

Result Components:

  • Run History – See timestamped runs, pass/fail status, and error messages
  • Visual Graphs:
    • Pass vs Fail Trend: Stability of security tests over time
    • Failure Reasons: Grouped by test type (headers, CORS, ID enumeration)
    • Response Times: Spot degradation due to misconfigured headers or slow auth
  • Detailed Logs – Per-request logs with failures (e.g., "CORS misconfiguration — Origin: file:// accepted")

๐Ÿฅ Tracking Security Health

Monitoring adds continuous visibility into API security:

  • Uptime Rate – % of runs passing all security checks
  • Recurring Issues – E.g., nightly failures on token expiration headers
  • Weak Points – Endpoints repeatedly exposing sensitive headers
  • Regression Detection – If a patch reverts and headers disappear, the monitor flags it immediately

📖 Example Workflows

Example 1: Continuous Header Validation

  • Suite tests for X-Content-Type-Options and X-Frame-Options
  • Monitor runs daily at midnight
  • Alerts trigger if headers disappear after a new deployment

Example 2: Detecting CORS Misconfigs

  • Suite with CORS test cases (Origin = random string, IP, or file://)
  • Monitor runs hourly
  • Alerts if an insecure wildcard rule is reintroduced

Example 3: ID Enumeration Guard

  • Suite tests numeric and UUID ID access patterns
  • Monitor runs every 5 minutes in production
  • Alerts if new endpoints start exposing predictable IDs
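The checks behind Examples 1 and 2, written out as an added example (this is not the product's own code). It evaluates constructed sample responses offline: a "good" deployment, and a "regressed" one where X-Frame-Options has disappeared and the CORS policy reflects every probe Origin the page lists (random string, IP, file://). `evaluate_run` produces one monitor run record, and `health` derives the uptime rate and the regression flag described under Tracking Security Health. Header names, probe values and the record layout are assumptions made for the example.

```python
"""Header and CORS checks of the kind a scheduled security monitor runs.

Added example, not the product's own code.  Everything below is evaluated
against constructed response headers, so it runs offline.
"""

# Required headers and their acceptable values (compared case-insensitively).
REQUIRED_HEADERS = {
    "X-Content-Type-Options": {"NOSNIFF"},
    "X-Frame-Options": {"DENY", "SAMEORIGIN"},
}

# Probe Origins following the page's CORS test cases: random string, IP, file://
# (constructed values).
PROBE_ORIGINS = ["https://random-7f3a9c.invalid", "http://203.0.113.5", "file://"]


def _lower(headers):
    """Normalise header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def check_headers(headers):
    """Return failure messages for absent or weak required headers."""
    h = _lower(headers)
    failures = []
    for name, allowed in REQUIRED_HEADERS.items():
        value = h.get(name.lower())
        if value is None:
            failures.append(f"missing header {name}")
        elif value.strip().upper() not in allowed:
            failures.append(f"weak {name}: {value}")
    return failures


def check_cors(origin, headers):
    """Return failures for the response to a request that carried `origin`."""
    h = _lower(headers)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return []  # no cross-origin grant: the browser blocks the read
    failures = []
    if acao == "*":
        failures.append("CORS misconfiguration: wildcard Access-Control-Allow-Origin")
    elif acao == origin:
        failures.append(f"CORS misconfiguration: Origin {origin} accepted")
    if failures and h.get("access-control-allow-credentials", "").lower() == "true":
        failures.append("CORS misconfiguration: credentials allowed for an untrusted origin")
    return failures


def evaluate_run(responses):
    """One monitor run.  `responses` maps None (plain request) and each probe
    Origin to the response headers received.  Returns a run record."""
    failures = list(check_headers(responses[None]))
    for origin in PROBE_ORIGINS:
        failures += check_cors(origin, responses[origin])
    return {"status": "fail" if failures else "pass", "failures": failures}


def health(history):
    """Uptime rate and a regression flag over a sequence of run records.
    A regression is a run that fails right after a run that passed."""
    passes = sum(r["status"] == "pass" for r in history)
    regression = (len(history) >= 2
                  and history[-2]["status"] == "pass"
                  and history[-1]["status"] == "fail")
    return {"uptime_rate": passes / len(history), "regression": regression}


# Constructed sample responses.
GOOD = {
    None: {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"},
    **{o: {"Vary": "Origin"} for o in PROBE_ORIGINS},  # probes get no CORS grant
}
REGRESSED = {
    None: {"X-Content-Type-Options": "nosniff"},        # X-Frame-Options dropped
    **{o: {"Access-Control-Allow-Origin": o,            # probe Origin reflected
           "Access-Control-Allow-Credentials": "true"} for o in PROBE_ORIGINS},
}

if __name__ == "__main__":
    history = [evaluate_run(GOOD), evaluate_run(REGRESSED)]
    for run in history:
        print(run["status"], run["failures"])
    print(health(history))
```

`check_cors` treats the absence of `Access-Control-Allow-Origin` as a pass, because without that header the browser refuses the cross-origin read; it flags a wildcard, a reflected untrusted origin, and, on top of either, `Access-Control-Allow-Credentials: true`. Feeding a new run record into `health` each time the monitor fires gives the uptime percentage and the immediate "headers disappeared after a deployment" signal the page describes.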

✅ Best Practices

  • Create dedicated monitors per environment (QA, Staging, Prod)
  • Keep suites scoped: separate monitors for headers, CORS, and ID enumeration
  • Use retries to reduce false alarms
  • Integrate alerts with Slack/Teams so the right team sees them instantly
  • Review trends weekly to catch creeping regressions

🎯 Benefits

  • Moves security checks from manual, point-in-time to continuous automated validation
  • Catches regressions immediately after deploys
  • Increases confidence in compliance (e.g., headers always present)
  • Helps DevSecOps teams prevent misconfigurations before users are impacted

✅ Summary

Security Testing with Monitoring ensures your APIs stay secure continuously, not just when you remember to run a test. By automating security validation on a schedule, you can detect vulnerabilities early, maintain compliance standards, and protect your APIs from common security threats across all environments.

Happy testing! 🚀

