White-box penetration testing

White-box testing is also known as structure-testing, open-box, clear-box, and glass-box testing. The white-box pen test is a comprehensive testing methodology, as you get a whole range of information about the schema, source code, models, and so on, before starting the testing. White-box tests are intended to scrutinize the code and catch any design and development errors. They are simulations of internal security attacks.

API pen tests rely on white-box testing for the following reasons:

  • The tests run on all of the independent paths of a module
  • The tests confirm and verify all logical decisions (true/false) inside the code
  • The tests perform syntax checking, and so find typographical errors, which is critical to finding code injection and SQL injection attacks
  • The tests find design errors caused by a mismatch of the logical flow of the program and the actual execution (design for intent)

There are plenty of open source tools and commercial versions available that can scan code, check for malicious code, find security loopholes using data encryption techniques, and even find hardcoded usernames and passwords. A few of the tools are listed in the following table (both commercial and open source versions):

| Tool | Type | Providers |
|---|---|---|
| Nmap | OpenSSL | Pure Hacking |
| Nessus | Cain and Abel | Torrid Networks |
| Metasploit | THC Hydra | SecPoint |
| Wireshark | w3af | Veracode |
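
An added example, not from the book or from any tool listed above, of the source-level check for hardcoded usernames and passwords mentioned before the table: it walks a Python syntax tree and reports credential-like names that receive a non-empty string literal. The sample source and the list of name fragments are constructed assumptions.

```python
import ast

# Constructed sample of API source under review (not from the book).
SAMPLE_SOURCE = '''
import os

DB_USER = "svc_orders"
DB_PASSWORD = "example-password-123"
API_KEY = os.environ["API_KEY"]
password = ""
HELP_TEXT = "passwords rotate every 90 days"

def connect(db):
    return db.login(username="admin", password="example-admin-pw")
'''

# Assumed name fragments that mark a variable or keyword as credential-like.
SENSITIVE = ("password", "passwd", "secret", "api_key", "token", "user")


def _is_sensitive(name):
    lowered = name.lower()
    return any(fragment in lowered for fragment in SENSITIVE)


def _is_literal(node):
    # Only non-empty string literals count; environment lookups and calls do not.
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def find_hardcoded_credentials(source):
    """Return sorted (line, name) pairs where a credential-like name gets a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and _is_sensitive(target.id):
                    findings.append((node.lineno, target.id))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and _is_sensitive(kw.arg) and _is_literal(kw.value):
                    findings.append((kw.value.lineno, kw.arg))
    return sorted(findings)


if __name__ == "__main__":
    for line, name in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {line}: string literal bound to {name!r}")
```

Matching on the bound name rather than on the string contents is what keeps `HELP_TEXT` and the environment lookup out of the findings.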

Let's summarize this section by stating that pen tests for APIs should expose API vulnerabilities before real attackers find them, and move on to fuzz tests.
