web analytics

API Security Checklist

Rate this post

Object level authorization – OWASP – A1

  1. Verify that implement authorization checks with user policies and hierarchy
  2. Verify that API implementation is not rely on IDs sent from client, instead API should check IDs stored object in the session.
  3. Verify that server configuration is hardened as per the recommendation of the application server and framework in use.
  4. Verify that , API implementation check authorization each time there is a client request to access database.
  5. Verify that API is not using random guessable IDs ( UUIDs)

Brocken authentication – OWASP – A2

  1. Verify all possible ways to authenticate all APIs
  2. Verify password reset APIs and one-time links also allow users to get authenticated and should be strictly protected.
  3. Verify API implements standards authentication, token generation, password storage and Multi factor authentication.
  4. Verify , API uses short lived access token.
  5. Verify that , API uses stricter rate-limiting for authentication, implement lockout polices and weak password checks.

Excessive data exposure – OWASP – A3

  1. Verify that , API is not relying on client to filter data.
  2. Verify API responses and adapt response to what the API consumers really need.
  3. Verify API specification define schemas of all request and responses.
  4. Verify error API responses are clearly defined.
  5. Verify that all the sensitive or PII information are used with clear justification.
  6. Verify APIs enforced response checks to prevent accidental data and exception leaks.

Lack of resources and rate limiting – OWASP – A4

  1. Verify that , rate limiting is configured considering API method , client and addresses.
  2. Verify payload limit is configured.
  3. Verify compression ration while implementing rate limiting.
  4. Verify rate limiting in the context of computing / container resources

Brocken functional level authorization – OWASP – A5

  1. Verify , by default all access are denied
  2. Verify that , API is not relying on App to enforce admin access
  3. Verify , all the unnecessary features are disabled.
  4. Verify rate limiting in the content of computing/container resources
  5. Ensure roles are granted only based on specific role.
  6. Verify authorization are implemented correctly in API.

Mass assignment- OWASP – A6

  1. Verify API is not automatically bind incoming data and internal objects.
  2. Verify API is not explicitly define all the parameters and payload you are expecting.
  3. Verify that , for object schemas use the readOnly set to true for all properties that can be retrieved via APIs but should never be modified.
  4. Verify that APIs are precisely define at design time the schemas, types, patterns you will accept in the requests and enforces them at runtime.

Security misconfiguration – OWASP – A7

  1. Verify that APIs implementation are repeatable & hardening and patching activities are incorporated in development process
  2. Verify that API ecosystem has automated process to locate configuration flaws.
  3. Verify that , platform disabled unnecessary features in any API.
  4. Verify that , platform restrict administrative access.
  5. Ensure , define and enforce all outputs including errors .
  6. Verify authorization are implemented correctly in API.

Injection OWASP – A8

  1. Verify that , API are not trusting your API consumers even if internal.
  2. Verify API are strictly define all input data : schemas , types , string patterns – and enforce them at runtime.
  3. Verify that APIs are validating, filtering & sanitizing all incoming data.
  4. Verify that APIs are define , limit and enforce API outputs to prevent data leaks.

Improper asset management – OWASP – A9

  1. Verify platform capability document / inventory all API hosts.
  2. Verify platform limit access to anything that should not be public.
  3. Verify platform limit access to production data. Saggregate access to production and non-production data.
  4. Verify , architecture implement additional external controls such as API firewall.
  5. Verify that a process is considered for properly retire old versions or backport security fixes
  6. Verify architecture implements strict authentication , redirects , CORs etc.

Insufficient Logging & Monitoring OWASP – A10

  1. Verify API Log failed attempts , denied access , input validation failure any failure in security policy checks.
  2. Verify platform ensure that logs are formatted to be consumable by other tools.
  3. Verify that platform protects logs as highly sensitive.
  4. Verify that platform include enough details to identify attackers.
  5. Verify platform integrate with SIEM and other dashboards, monitoring alerting tools.
API_Security_Checklist__1684863761Download

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Joas Antonio
ChatGPT for Cybersecurity by Joas Antonio dos Santos – malwareanalysis #reverseengineering
ChatGPT for Cybersecurity by Joas...
CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

Google
We’re All in this Together
We’re All in this Together
CyberSN
U.S. Cybersecurity Job Posting Data Report
U.S. Cybersecurity Job Posting Data...
CISA | Cybersecurity and Infrastructure Security Agency
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
UNDERSTANDING AND RESPONDING TO DISTRIBUTED...
McKinsey & Company
Transforming risk efficiency and effectiveness
Transforming risk efficiency and effectiveness
Arnold Antoo
Zero Trust Security Model
Zero Trust Security Model
Richea Perry
Your Cybersecurity Toolkit
Your Cybersecurity Toolkit
IGNITE Technologies
Wireless Penetration Testing
Wireless Penetration Testing
Joas A Santos
Windows API for Red Team #101
Windows API for Red Team...
Economic Research Working Paper
Artificial Intelligence and Intellectual Property
Artificial Intelligence and Intellectual Property
CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN...
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture

More Latest Published Posts

cisco
Cyber Incident Response
Cyber Incident Response
CSR Cyber Security Council
EVERY BUSINESS HAS DUTIES OF CARE IN THE FIELD OF CYBER SECURITY
EVERY BUSINESS HAS DUTIES OF CARE IN THE FIELD OF CYBER SECURITY
SYBEX
Cybersecurity ESSENTIALS
Cybersecurity ESSENTIALS
Agency for Digital Government
Cyber security in supplier relation ships
Cyber security in supplier relation ships
RINKU
Curso de introducción KALI LINUX PARA HACKERS ÉTICOS
Curso de introducción KALI LINUX PARA HACKERS ÉTICOS
CNIL
PRACTICE GUIDE GDPR
PRACTICE GUIDE GDPR
FERMA
THE ROADMAP TO STRATEGIC RISK MANAGEMENT
THE ROADMAP TO STRATEGIC RISK MANAGEMENT
ENISA-EUROPA
Cyber Resilience Act Requirements Standards Mapping
Cyber Resilience Act Requirements Standards Mapping
CYTAD
Essential Data Privacy Checklist
Essential Data Privacy Checklist
SF-ISAC
Digital Operational Resilience Act
Digital Operational Resilience Act
SYNGRESS
DIGITAL FORENSICS WITH Open Source TOOLS
DIGITAL FORENSICS WITH Open Source TOOLS
IT REVOLUTION DEVOPS ENTERPRISE FORUM
DevOps Automated Governance Reference Architecture
DevOps Automated Governance Reference Architecture
SANS GIAC CERTIFICATIONS
Detecting Attacks on Web Applications from Log Files
Detecting Attacks on Web Applications from Log Files
EUROPEAN DATA PROTECTION SUPERVISOR
ANNUAL REPORT 2023
ANNUAL REPORT 2023
TechTarget
IT Disaster Recovery Plan Template
IT Disaster Recovery Plan Template
Opstune
IOC Scan Framework v2.0
IOC Scan Framework v2.0
Federal Office for Information Security
Indirect Prompt Injections
Indirect Prompt Injections
the Department of the Environment Climate and Communications
Guidelines on CyberSecurity Specifications
Guidelines on CyberSecurity Specifications
Edelman
INCIDENT RESPONSE REFERENCE GUIDE
INCIDENT RESPONSE REFERENCE GUIDE
Security METRICS
Security Metrics Guide to PCI DSS Compliance
Security Metrics Guide to PCI DSS Compliance
SOC TIPS Cybersecurity
Guia de Resposta a Incidentes de Segurança para LGPD
Guia de Resposta a Incidentes de Segurança para LGPD
CDCP
FIREWALL Audit CHECKLIST
FIREWALL Audit CHECKLIST
GitGuardian
Secrets Management Maturity Model
Secrets Management Maturity Model
MegaCorp One
Sample Penetration Test Report
Sample Penetration Test Report
FORTINET
Routing in FortiGate
Routing in FortiGate
FUTURE OF PRIVACY FORUM
Risk Framework Body Related Data (PD) Immersive Tech
Risk Framework Body Related Data (PD) Immersive Tech
ENISA
Remote ID Proofing Good Practices
Remote ID Proofing Good Practices
Google
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems