API Security Checklist

API-Security-Checklist

Object level authorization – OWASP – A1

  1. Verify that implement authorization checks with user policies and hierarchy
  2. Verify that API implementation is not rely on IDs sent from client, instead API should check IDs stored object in the session.
  3. Verify that server configuration is hardened as per the recommendation of the application server and framework in use.
  4. Verify that , API implementation check authorization each time there is a client request to access database.
  5. Verify that API is not using random guessable IDs ( UUIDs)

Brocken authentication – OWASP – A2

  1. Verify all possible ways to authenticate all APIs
  2. Verify password reset APIs and one-time links also allow users to get authenticated and should be strictly protected.
  3. Verify API implements standards authentication, token generation, password storage and Multi factor authentication.
  4. Verify , API uses short lived access token.
  5. Verify that , API uses stricter rate-limiting for authentication, implement lockout polices and weak password checks.

Excessive data exposure – OWASP – A3

  1. Verify that , API is not relying on client to filter data.
  2. Verify API responses and adapt response to what the API consumers really need.
  3. Verify API specification define schemas of all request and responses.
  4. Verify error API responses are clearly defined.
  5. Verify that all the sensitive or PII information are used with clear justification.
  6. Verify APIs enforced response checks to prevent accidental data and exception leaks.

Lack of resources and rate limiting – OWASP – A4

  1. Verify that , rate limiting is configured considering API method , client and addresses.
  2. Verify payload limit is configured.
  3. Verify compression ration while implementing rate limiting.
  4. Verify rate limiting in the context of computing / container resources

Brocken functional level authorization – OWASP – A5

  1. Verify , by default all access are denied
  2. Verify that , API is not relying on App to enforce admin access
  3. Verify , all the unnecessary features are disabled.
  4. Verify rate limiting in the content of computing/container resources
  5. Ensure roles are granted only based on specific role.
  6. Verify authorization are implemented correctly in API.

Mass assignment- OWASP – A6

  1. Verify API is not automatically bind incoming data and internal objects.
  2. Verify API is not explicitly define all the parameters and payload you are expecting.
  3. Verify that , for object schemas use the readOnly set to true for all properties that can be retrieved via APIs but should never be modified.
  4. Verify that APIs are precisely define at design time the schemas, types, patterns you will accept in the requests and enforces them at runtime.

Security misconfiguration – OWASP – A7

  1. Verify that APIs implementation are repeatable & hardening and patching activities are incorporated in development process
  2. Verify that API ecosystem has automated process to locate configuration flaws.
  3. Verify that , platform disabled unnecessary features in any API.
  4. Verify that , platform restrict administrative access.
  5. Ensure , define and enforce all outputs including errors .
  6. Verify authorization are implemented correctly in API.

Injection OWASP – A8

  1. Verify that , API are not trusting your API consumers even if internal.
  2. Verify API are strictly define all input data : schemas , types , string patterns – and enforce them at runtime.
  3. Verify that APIs are validating, filtering & sanitizing all incoming data.
  4. Verify that APIs are define , limit and enforce API outputs to prevent data leaks.

Improper asset management – OWASP – A9

  1. Verify platform capability document / inventory all API hosts.
  2. Verify platform limit access to anything that should not be public.
  3. Verify platform limit access to production data. Saggregate access to production and non-production data.
  4. Verify , architecture implement additional external controls such as API firewall.
  5. Verify that a process is considered for properly retire old versions or backport security fixes
  6. Verify architecture implements strict authentication , redirects , CORs etc.

Insufficient Logging & Monitoring OWASP – A10

  1. Verify API Log failed attempts , denied access , input validation failure any failure in security policy checks.
  2. Verify platform ensure that logs are formatted to be consumable by other tools.
  3. Verify that platform protects logs as highly sensitive.
  4. Verify that platform include enough details to identify attackers.
  5. Verify platform integrate with SIEM and other dashboards, monitoring alerting tools.
API_Security_Checklist__1684863761Download
Facebook
Twitter
LinkedIn
Pinterest
Constanza Rodriguez

Constanza Rodriguez

All Posts »

Leave a Reply

Your email address will not be published. Required fields are marked *

Top Recommended Posts

Top 10 Open Source Security Testing Tools for Pentesters by Uendi Hoxha
Top 10 Open Source Security Testing Tools for Pentesters by Uendi Hoxha
SECURING THE SOFTWARE SUPPLY CHAIN – RECOMMENDED PRACTICES GUIDE FOR DEVELOPERS
SECURING THE SOFTWARE SUPPLY CHAIN – RECOMMENDED PRACTICES GUIDE FOR DEVELOPERS
Wireshark for Network Forensics – An Essential Guide for IT and Cloud Professionals by Nagendra Kumar Nainar & Ashish Panda – Apress
Wireshark for Network Forensics – An Essential Guide for IT and Cloud Professionals by Nagendra...
The Red Team Guide by Peerlyst – A practical guide for Red Teams and Offensive Security
The Red Team Guide by Peerlyst – A practical guide for Red Teams and Offensive...
PCI DSS Quick Reference Guide – Understanding the Payment Card Industry – Data Security Standar version 3.2.1
PCI DSS Quick Reference Guide – Understanding the Payment Card Industry – Data Security Standar...
7 CEO CYBERSECURITY ACTIONS – START WORKING ON IT TODAY , DON´T WAIT !!!
7 CEO CYBERSECURITY ACTIONS – START WORKING ON IT TODAY , DON´T WAIT !!!
Top 50 Security Threats by Splunk
Top 50 Security Threats by Splunk
ChatGPT for Cybersecurity by Joas Antonio dos Santos – malwareanalysis #reverseengineering
ChatGPT for Cybersecurity by Joas Antonio dos Santos – malwareanalysis #reverseengineering
Things of the Internet Global Cyber Domain Report by DNSSense – H2 – 2022 Report
Things of the Internet Global Cyber Domain Report by DNSSense – H2 – 2022 Report
Quick Start Guide to Penetration Testing with NMAP , OpenVAS & Metaexploit by Sagar Rahalkar – Apress
Quick Start Guide to Penetration Testing with NMAP , OpenVAS & Metaexploit by Sagar Rahalkar...