[ISM] Security verification:

The OWASP Application Security Verification Standard is used in the development of web applications.

[OWASP] Ensure secure API management (SSS-02-11-13)

Ensure that APIs and web services are implemented and managed securely to prevent data leaks and unauthorized access. For example: enforce authentication and authorization on every API endpoint, apply rate limiting to prevent abuse, and validate all incoming and outgoing data; secure API communications with TLS and implement proper access controls for sensitive operations; continuously monitor API traffic, log access attempts, and audit security controls to detect and mitigate threats.

[OWASP] Harden web services (SSS-02-11-13-01)

V13.1 Generic Web Service Security Verification Requirements
- Authenticate and authorize all users and services accessing the web service, ensuring proper identity and access control mechanisms are in place.
- Implement encryption for both data in transit and at rest using strong cryptographic protocols (e.g., TLS, AES).
- Validate all incoming and outgoing data, using input validation, output encoding, and sanitization to prevent common attacks like injection and XSS.
- Use rate limiting and monitoring to detect and mitigate potential attacks, such as DDoS or abuse of service.

V13.2 RESTful Web Service Verification Requirements
- Ensure statelessness in API design, where each request contains all necessary information, and session management is handled securely.
- Implement secure authentication methods such as OAuth or JWT for RESTful APIs, ensuring token validation and authorization checks are done at every endpoint.
- Use CORS (Cross-Origin Resource Sharing) policies to control cross-origin access, enforcing trusted domains for API access.
- Validate and sanitize JSON data sent via the API, applying strict checks to prevent malicious data injection.

V13.3 SOAP Web Service Verification Requirements
- Secure SOAP-based communication using XML Encryption and XML Signature to ensure confidentiality and data integrity.
- Validate the integrity of SOAP messages by ensuring WS-Security standards are applied, including the use of secure token exchanges.
- Use endpoint security controls, such as IP whitelisting, to restrict which clients can access the SOAP service.
- Implement strict input validation for XML-based data to prevent common XML-based attacks like XXE (XML External Entity) attacks.

V13.4 GraphQL and Other Web Service Data Layer Security Requirements
- Implement fine-grained access control for GraphQL queries, ensuring users can only query authorized fields and data (e.g., based on roles and permissions).
- Enforce rate limiting for GraphQL queries to prevent complex query abuse that could impact the performance or security of the server.
- Sanitize and validate all inputs and outputs of GraphQL operations to prevent SQL injection and other data manipulation attacks.
- Implement authentication and authorization checks at each resolver to ensure that only authorized users can access specific data fields or execute queries.

By implementing secure authentication, encryption, input validation, and rate limiting across web service types (RESTful, SOAP, GraphQL), organizations can protect their services from a wide range of attacks while maintaining secure and efficient data exchanges.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-11-13-01-01 | Ensure API authentication and authorization | Use strong authentication mechanisms such as OAuth 2.0, JWT, or API keys to verify and authorize API users, ensuring that only authenticated and authorized users can access API endpoints. | Development | Security Teams, API Developers
SSS-02-11-13-01-02 | Prevent API abuse and rate-limiting bypass | Implement rate limiting and request throttling to prevent abuse of API resources and mitigate denial-of-service (DoS) attacks. Ensure proper handling of excessive requests to protect against service overload. | Deployment | Security Engineers, DevOps Teams
SSS-02-11-13-01-03 | Ensure secure API data transmission | Enforce secure communication for all API data transmissions by using TLS encryption, ensuring that sensitive data is protected in transit from eavesdropping and tampering. | Development | Security Engineers, IT Operations
SSS-02-11-13-01-04 | Prevent insecure direct object references (IDOR) | Ensure that API endpoints properly validate and authorize access to resources to prevent insecure direct object references, so that users cannot access resources they are not authorized to. | Development | Security Engineers, API Developers
SSS-02-11-13-01-05 | Configure CORS policies properly | Implement and configure Cross-Origin Resource Sharing (CORS) policies to prevent cross-origin attacks, ensuring that only trusted origins can access the API resources. | Development | Security Teams, API Developers
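As an added illustration of operations SSS-02-11-13-01-01, -02 and -04 above (the V13.2 requirement that token validation and authorization checks run at every endpoint), the following Python is example code written for this page, not code from the ISM or OWASP ASVS. It places an IDOR-prone handler beside a hardened one that performs authentication, per-client rate limiting and object-level authorization on each request; the tokens, users and documents are constructed sample data.

```python
import time
from collections import defaultdict, deque

# Constructed sample data (not from any real system): bearer tokens -> user ids,
# and documents that carry an owner field used for object-level authorization.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's notes"},
    102: {"owner": "bob", "body": "bob's notes"},
}

RATE_LIMIT = 5           # requests allowed per window, per authenticated client
WINDOW_SECONDS = 60.0
_requests = defaultdict(deque)  # user id -> timestamps of recent requests


def _authenticate(token):
    """Return the user id for a bearer token, or None if the token is unknown."""
    return TOKENS.get(token)


def _rate_limited(user, now):
    """Sliding-window limiter: True if the client has exhausted its quota."""
    q = _requests[user]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()                      # drop timestamps outside the window
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def get_document_vulnerable(token, doc_id):
    """IDOR: authenticates the caller but never checks who owns the object."""
    if _authenticate(token) is None:
        return 401, None
    doc = DOCUMENTS.get(doc_id)
    return (404, None) if doc is None else (200, doc["body"])


def get_document(token, doc_id, now=None):
    """Hardened: authn, rate limit, then object-level authz on every request."""
    user = _authenticate(token)
    if user is None:
        return 401, None
    if _rate_limited(user, time.time() if now is None else now):
        return 429, None
    doc = DOCUMENTS.get(doc_id)
    # Answer 404 rather than 403 for objects owned by someone else, so the
    # response does not reveal which ids exist.
    if doc is None or doc["owner"] != user:
        return 404, None
    return 200, doc["body"]
```

The `now` parameter exists only so the limiter can be exercised deterministically; a real deployment would use the request clock and a shared store rather than a process-local dictionary.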

References

Industry framework | Academic work | Real-world case
Information Security Manual (ISM-0971) | |
OWASP Application Security Verification Standard | |