The OWASP API Security Top 10 are mitigated in the development of web APIs.
Ensure APIs enforce limits on resource consumption to prevent excessive usage that leads to service disruption or increased operational costs. For example:

- Implement rate limiting and throttling to restrict the number of requests per user or IP, preventing abuse and denial-of-service attacks.
- Apply quotas and cost controls for APIs that trigger expensive operations, such as sending SMS, emails, or biometric validations.
- Use circuit breakers and timeout mechanisms to prevent long-running requests from exhausting system resources.
- Continuously monitor API usage patterns to detect anomalies and mitigate potential exploitation of resource-intensive operations.
Ensure resource consumption is controlled and excessive usage is mitigated to prevent service disruption or increased operational costs. For example:

- Use containerization or serverless solutions (e.g., AWS Lambda) to enforce automatic limits on memory, CPU, process counts, and restarts, preventing resource exhaustion.
- Define and enforce maximum data sizes for incoming requests, including string lengths, array sizes, and file upload limits, regardless of storage location.
- Implement rate limiting to control how often clients can interact with APIs within a specific timeframe, adjusting thresholds based on business needs.
- Restrict high-impact operations, such as OTP validation or password recovery requests, to prevent abuse by limiting retries.
- Apply strict server-side validation to control the number of records returned per request, preventing excessive data retrieval.
- Configure spending limits for API integrations and service providers, or set up billing alerts where usage monitoring is required instead.
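The following is an added example (not code from the original page or from any framework it cites) that puts the rate-limiting, request-size and pagination controls from the two descriptions above into one request guard. It assumes a generic JSON API; the endpoint names, token-bucket parameters and the `Request` shape are illustrative choices, and the clock is injected so the behaviour can be checked deterministically.

```python
"""Request guards for a JSON API: per-client token-bucket rate limiting with
per-endpoint policies, request body size limits and server-side pagination
bounds. Added example; endpoint names and limits are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class Policy:
    capacity: int          # burst allowance (tokens in the bucket)
    refill_per_sec: float  # sustained request rate
    max_body_bytes: int    # hard cap on the request body
    max_page_size: int = 100  # server-side cap on records returned per page


# Constructed per-endpoint policies: high-impact endpoints (OTP verification,
# password recovery) get a far smaller budget than ordinary reads.
POLICIES = {
    "GET /items": Policy(capacity=60, refill_per_sec=1.0, max_body_bytes=0),
    "POST /items": Policy(capacity=20, refill_per_sec=0.5, max_body_bytes=16_384),
    "POST /auth/otp/verify": Policy(capacity=5, refill_per_sec=1 / 60, max_body_bytes=512),
    "POST /auth/password/recover": Policy(capacity=3, refill_per_sec=1 / 300, max_body_bytes=512),
}


@dataclass
class Bucket:
    tokens: float
    last: float


class RateLimiter:
    """Token bucket keyed on (client, endpoint); `now` is injected for testability."""

    def __init__(self) -> None:
        self._buckets: Dict[Tuple[str, str], Bucket] = {}

    def allow(self, client: str, endpoint: str, now: float) -> bool:
        policy = POLICIES[endpoint]
        key = (client, endpoint)
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=float(policy.capacity), last=now)
            self._buckets[key] = bucket
        # Refill in proportion to elapsed time, never above the burst capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(policy.capacity, bucket.tokens + elapsed * policy.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


@dataclass
class Request:
    client: str            # authenticated subject or source IP (illustrative key)
    endpoint: str
    body: bytes = b""
    query: dict = field(default_factory=dict)


def check_request(req: Request, limiter: RateLimiter, now: float) -> Tuple[int, str]:
    """Return (HTTP status, reason); 200 means the request may proceed."""
    policy = POLICIES.get(req.endpoint)
    if policy is None:
        return 404, "unknown endpoint"
    # 1. Rate limit first: it is the cheapest check and shields everything after it.
    if not limiter.allow(req.client, req.endpoint, now):
        return 429, "rate limit exceeded"
    # 2. Body size is checked before any parsing so oversized payloads cost nothing.
    if len(req.body) > policy.max_body_bytes:
        return 413, "body too large"
    # 3. Pagination: the client's `limit` is validated and capped server-side.
    limit_raw = req.query.get("limit")
    if limit_raw is not None:
        try:
            limit = int(limit_raw)
        except ValueError:
            return 400, "limit must be an integer"
        if limit < 1 or limit > policy.max_page_size:
            return 400, f"limit must be between 1 and {policy.max_page_size}"
    return 200, "ok"


if __name__ == "__main__":
    limiter = RateLimiter()
    otp = Request(client="user-1", endpoint="POST /auth/otp/verify", body=b"{}")
    for attempt in range(6):
        print(attempt + 1, check_request(otp, limiter, now=1000.0))
```

The bucket is keyed on the authenticated subject where one exists, falling back to the source IP for unauthenticated endpoints such as password recovery; in a multi-instance deployment the bucket state would live in a shared store rather than in process memory.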
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-15-04-01-01 | Limit resource consumption using containers/serverless | Use technologies like containers or serverless code (e.g., Lambdas) to limit resource consumption such as CPU, memory, and storage. These solutions can help enforce resource limits on the backend. | Development | DevOps Teams, IT Operations |
SSS-02-15-04-01-02 | Define maximum size for incoming data | Set limits on the size of incoming data, such as maximum string lengths, the number of elements in arrays, and the maximum file upload size. This prevents excessive resource usage by large payloads. | Development | Security Engineers, Backend Developers |
SSS-02-15-04-01-03 | Implement rate limiting | Apply rate limiting to control how frequently clients can make requests to the API. This protects the system from high resource usage and abuse while maintaining normal service levels. | Development | Security Engineers, Backend Developers |
SSS-02-15-04-01-04 | Fine-tune rate limiting based on business needs | Customize rate limiting for specific API endpoints based on the business needs. Some endpoints, such as critical authentication or payment services, may require stricter rate-limiting policies. | Development | Product Managers, Security Engineers |
SSS-02-15-04-01-05 | Limit and throttle client operations | Implement limits and throttling on specific actions, such as limiting how often a client can request password recovery or validate an OTP, to avoid unnecessary resource consumption and prevent abuse. | Development | Backend Developers, Security Engineers |
SSS-02-15-04-01-06 | Validate query parameters and request bodies | Ensure proper server-side validation for parameters in the query string and request body, especially parameters that affect the volume of data returned (e.g., pagination limits) to avoid excessive load on the server. | Development | Backend Developers, Security Engineers |
SSS-02-15-04-01-07 | Configure spending limits and billing alerts | For third-party service providers or APIs (e.g., SMS, email services), configure spending limits and set up billing alerts to monitor costs and prevent unexpected charges due to excessive resource consumption. | Post-deployment | IT Operations, Financial Teams |
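As an added example (not code from the original page or from any cited framework), the guard below wraps an expensive downstream call such as an SMS send with the circuit breaker and timeout from the first description and the spending limit and billing alert from operation SSS-02-15-04-01-07. The provider, per-message cost, thresholds and the injected clock are illustrative assumptions.

```python
"""Guards for an expensive downstream operation (e.g. sending an SMS): a hard
per-call timeout, a circuit breaker that sheds calls to a failing provider, and a
daily spend quota with a billing alert threshold. Added example; the cost figures
and thresholds are constructed assumptions."""
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from dataclasses import dataclass, field
from typing import Callable, List, Optional

_POOL = ThreadPoolExecutor(max_workers=4)


class CircuitOpen(Exception):
    """Raised while the breaker is open and calls are being shed."""


class QuotaExceeded(Exception):
    """Raised when a call would push spend past the daily limit."""


@dataclass
class CircuitBreaker:
    failure_threshold: int = 3   # consecutive failures before opening
    reset_after: float = 30.0    # seconds to stay open before a trial call
    failures: int = 0
    opened_at: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.opened_at is None:
            return True
        # Half-open: once reset_after has elapsed, let a single trial call through.
        return now - self.opened_at >= self.reset_after

    def record_success(self) -> None:
        self.failures = 0
        self.opened_at = None

    def record_failure(self, now: float) -> None:
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = now   # (re)open the circuit


@dataclass
class SpendQuota:
    daily_limit: float           # currency units, constructed figure
    alert_fraction: float = 0.8  # raise a billing alert at this share of the limit
    spent: float = 0.0
    alerts: List[str] = field(default_factory=list)

    def charge(self, cost: float) -> None:
        if self.spent + cost > self.daily_limit:
            raise QuotaExceeded(f"{self.spent + cost:.2f} exceeds {self.daily_limit:.2f}")
        self.spent += cost
        if not self.alerts and self.spent >= self.alert_fraction * self.daily_limit:
            self.alerts.append(f"spend reached {self.spent:.2f} of {self.daily_limit:.2f}")


def guarded_call(op: Callable[[], object], breaker: CircuitBreaker, quota: SpendQuota,
                 cost: float, timeout: float, now: float) -> object:
    """Run `op` only if the breaker is closed and budget remains; enforce a timeout."""
    if not breaker.allow(now):
        raise CircuitOpen("provider circuit is open; request shed")
    # Charge before the call: a hung or failed call may still be billed by the
    # provider, so it must not be retried for free.
    quota.charge(cost)
    future = _POOL.submit(op)
    try:
        result = future.result(timeout=timeout)
    except FutureTimeout:
        future.cancel()
        breaker.record_failure(now)
        raise TimeoutError(f"provider did not respond within {timeout}s")
    except Exception:
        breaker.record_failure(now)
        raise
    breaker.record_success()
    return result


if __name__ == "__main__":
    breaker, quota = CircuitBreaker(failure_threshold=2), SpendQuota(daily_limit=1.0)
    print(guarded_call(lambda: "sent", breaker, quota, cost=0.10, timeout=1.0, now=0.0))
    try:
        guarded_call(lambda: time.sleep(0.3) or "late", breaker, quota, 0.10, 0.05, 1.0)
    except TimeoutError as exc:
        print("timeout:", exc, "| breaker failures:", breaker.failures)
```

The timeout here abandons the result but cannot stop the worker thread; in production the HTTP client's own connect and read timeouts free the socket, and the breaker state, like the spend counter, belongs in a shared store so that every instance sheds load at the same moment.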
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1851) | OWASP Top 10 API Security Risk | OWASP Top 10 API Security Risk |