Day 27 of 60 · Dynamic, fuzz & dynamic security
API fuzzing from spec
Your endpoints will be hit with payloads you never imagined. Let a fuzzer driven by your own OpenAPI spec hit them first.
Problem
Endpoints receive unexpected inputs the team never considered, and mishandle them.
How it works
Generate test cases from your OpenAPI (or AsyncAPI) spec; throw malformed, boundary, and adversarial payloads at every endpoint; assert that every response conforms to the documented response schema and that no request produces a 5xx.
What it catches
Spec/code drift, unhandled input combinations, server crashes on malformed payloads, missing validation. It is the cheapest way to find 5xx bugs at the API surface, because the spec you already maintain is the test generator.
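As an added illustration (not code from Schemathesis, RESTler or Dredd, and not part of the original page), the following Python script shows the mechanism in miniature: it derives boundary, type-confusion and structural payloads from a constructed OpenAPI request schema, sends them to a constructed in-process handler that stands in for the HTTP endpoint, and sorts the results into the three finding kinds named above: 5xx on malformed input, invalid requests accepted (missing validation), and response-schema drift. The spec fragment, the `create_user` handler and its defects are all invented for the example.

```python
import copy
from typing import Any, Callable

# Constructed OpenAPI fragment for one endpoint (illustrative, not a real service).
SPEC = {"paths": {"/users": {"post": {
    "requestBody": {"content": {"application/json": {"schema": {
        "type": "object", "required": ["name", "age"],
        "properties": {"name": {"type": "string", "maxLength": 20},
                       "age": {"type": "integer", "minimum": 0, "maximum": 150}}}}}},
    "responses": {"201": {"content": {"application/json": {"schema": {
        "type": "object", "required": ["id", "name"],
        "properties": {"id": {"type": "integer"}, "name": {"type": "string"}}}}}}}}}}}

JSON_TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool,
              "object": dict, "array": list, "null": type(None)}


def validate(instance: Any, schema: dict) -> list[str]:
    """Check a JSON-Schema subset: type, required, properties, maxLength, minimum, maximum."""
    t = schema.get("type")
    if t and (not isinstance(instance, JSON_TYPES[t])
              or (t in ("integer", "number") and isinstance(instance, bool))):
        return [f"expected {t}, got {type(instance).__name__}"]
    errs: list[str] = []
    if t == "string" and len(instance) > schema.get("maxLength", float("inf")):
        errs.append("exceeds maxLength")
    if t == "integer":
        if instance < schema.get("minimum", float("-inf")):
            errs.append("below minimum")
        if instance > schema.get("maximum", float("inf")):
            errs.append("above maximum")
    if t == "object":
        errs += [f"missing required '{k}'" for k in schema.get("required", []) if k not in instance]
        for k, sub in schema.get("properties", {}).items():
            if k in instance:
                errs += [f"{k}: {e}" for e in validate(instance[k], sub)]
    return errs


def generate_cases(req_schema: dict, valid: dict) -> dict[str, Any]:
    """Mutate a known-good body along every axis the request schema describes."""
    def variant(key: str, value: Any) -> dict:
        body = copy.deepcopy(valid)
        body[key] = value
        return body

    cases: dict[str, Any] = {"valid": copy.deepcopy(valid)}
    for key, sub in req_schema["properties"].items():
        if key in req_schema.get("required", []):
            cases[f"{key} missing"] = {k: v for k, v in valid.items() if k != key}
        cases[f"{key} null"] = variant(key, None)
        cases[f"{key} wrong type"] = variant(key, "30" if sub["type"] == "integer" else 30)
        if "maxLength" in sub:
            cases[f"{key} too long"] = variant(key, "A" * (sub["maxLength"] + 1))
        if "minimum" in sub:
            cases[f"{key} below minimum"] = variant(key, sub["minimum"] - 1)
        if "maximum" in sub:
            cases[f"{key} above maximum"] = variant(key, sub["maximum"] + 1)
    cases["body not an object"] = ["alice", 30]   # structural mutation: array instead of object
    return cases


def create_user(body: Any) -> tuple[int, dict]:
    """Constructed handler standing in for the endpoint under test; deliberately imperfect."""
    name = body.get("name")                      # AttributeError on a non-object body -> 5xx
    if not isinstance(name, str) or len(name) > 20:
        return 400, {"error": "invalid name"}
    if body.get("age", 0) < 0:                   # TypeError on None/str age; upper bound never checked
        return 400, {"error": "invalid age"}
    return 201, {"id": 1, "user": name}          # spec promises "name", code returns "user": drift


def fuzz(spec: dict, path: str, method: str, handler: Callable[[Any], tuple[int, dict]],
         valid: dict) -> list[dict]:
    """Run every generated case against the handler and classify the outcome."""
    op = spec["paths"][path][method]
    req_schema = op["requestBody"]["content"]["application/json"]["schema"]
    findings: list[dict] = []
    for label, body in generate_cases(req_schema, valid).items():
        try:
            status, resp = handler(body)
        except Exception as exc:                 # what a web framework turns into a 500
            status, resp = 500, {"error": type(exc).__name__}
        request_errs = validate(body, req_schema)
        if status >= 500:
            findings.append({"case": label, "status": status, "kind": "5xx", "detail": resp["error"]})
        elif 200 <= status < 300 and request_errs:
            findings.append({"case": label, "status": status, "kind": "accepted-invalid",
                             "detail": "; ".join(request_errs)})
        elif 200 <= status < 300:
            resp_schema = op["responses"][str(status)]["content"]["application/json"]["schema"]
            for err in validate(resp, resp_schema):
                findings.append({"case": label, "status": status, "kind": "schema-drift", "detail": err})
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Counts per finding kind; a CI gate would fail the run on any non-zero '5xx'."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = fuzz(SPEC, "/users", "post", create_user, {"name": "alice", "age": 30})
    for f in results:
        print(f"{f['kind']:17} {f['status']}  {f['case']}: {f['detail']}")
    print(summarize(results))
```

Each of the handler's three defects surfaces under a different heading: the unchecked `age` type and the non-object body as 5xx, the missing `age` and the out-of-range `age` as accepted-invalid, and the `user`/`name` mismatch as schema drift. A real fuzzer replaces `create_user` with an HTTP client and uses property-based generation instead of one mutation per axis, but the CI gate is the same: fail the build when `summarize()` reports any 5xx, and triage schema-drift findings as either a code bug or a stale spec.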
Tools
Schemathesis · OSS
RESTler (Microsoft) · OSS
Dredd · OSS
Verdict by project size
| Project size | Verdict |
|---|---|
| Small | Optional |
| Medium | Recommended |
| Large | Must |
| Extra-large | Must |
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 4h | 0.5h | $0 | +1m |
| Medium 10–100k LOC | 2d | 3h | $0 | +3m |
| Large 100k–1M LOC | 8d | 10h | $200 | +8m |
| Extra-large >1M LOC | 25d | 40h | $1k | +15m |
Setup = engineer time (hours or days) to first useful run ·
Maint = engineer-hours / month at steady state ·
Tool = out-of-pocket $ / month ·
CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle
Build / Test
Per merge: runs after merge to main; heavier jobs nightly.
Who owns it
Security / AppSec (SAST, DAST, threat modelling)
Collaborates with: Developer
Reference implementations
- Schemathesis examples: API fuzzing from OpenAPI schemas with CI-ready workflows.
- RESTler: Microsoft's REST API fuzzing engine, driven by OpenAPI specifications.
- Dredd: API description testing that validates implementation behavior against the spec. Note that Dredd replays the documented requests and checks the responses for conformance; it does not generate adversarial payloads, so use it for drift detection alongside a fuzzer rather than in place of one.