The risks in the OWASP API Security Top 10 are mitigated during the development of web APIs; this control addresses Broken Function Level Authorization (API5:2023), in which an API exposes administrative or otherwise privileged functions to callers who are not entitled to them.
Ensure APIs enforce strict function-level authorization so that privileged actions cannot be reached by callers who are not entitled to them. For example: implement role-based access control (RBAC) or attribute-based access control (ABAC) so that administrative and sensitive functions are restricted by the caller's role or attributes; enforce authorization on the server side for every API endpoint, since hiding an administrative endpoint from the client, or relying on an obscure path or HTTP method, is not a control and leaves the function open to privilege escalation; clearly separate regular user functions from administrative functions, and require explicit authorization for every high-privilege action; and regularly audit API permissions and access logs to detect and remediate unauthorized access attempts, treating denied requests to administrative endpoints as a signal of probing.
Ensure a centralized and consistent authorization module is invoked by every business function, so that no function can execute without passing through the same check. For example: implement default-deny access control, under which a function is refused to all callers unless a role has been explicitly granted access to it, so that a missing grant fails closed rather than open; regularly review API endpoints for function-level authorization flaws, checking each endpoint against the business logic and the user group hierarchy it is meant to serve; require every administrative controller to derive from an abstract administrative controller that performs the role-based access control (RBAC) check, so the check is inherited rather than re-implemented per action; apply the same authorization checks inside regular controllers that expose administrative actions, validating the caller's role and permissions before the action executes; and continuously audit and refine access control policies to detect and correct misconfigurations.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-15-05-01-01 | Implement a consistent authorization module | Create a consistent, easy-to-analyze authorization module that is invoked by all business functions. This centralizes access control logic, reducing complexity and potential gaps in protection. | Development | Security Engineers, Software Developers |
SSS-02-15-05-01-02 | Enforce default deny policy | Implement an enforcement mechanism that denies all access by default. Only explicitly grant access to specific roles for each function, ensuring strict control over who can access what. | Development | Security Engineers, Backend Developers |
SSS-02-15-05-01-03 | Review API endpoints for function-level authorization flaws | Regularly review API endpoints for function-level authorization flaws, considering the business logic and user groups/hierarchies. Ensure that sensitive functions are properly protected based on roles and permissions. | Development | Security Engineers, API Developers |
SSS-02-15-05-01-04 | Use administrative controllers with role-based authorization | Ensure that all administrative functions inherit from an abstract administrative controller, which implements role-based authorization checks for the user's group/role. | Development | Backend Developers, Security Engineers |
SSS-02-15-05-01-05 | Implement authorization checks in regular controllers for admin functions | Ensure that administrative functions in regular controllers also implement role-based authorization checks to prevent unauthorized users from accessing administrative functionality. | Development | Security Engineers, Backend Developers |
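As an added example (not part of this control catalogue or of any framework it references), the following Python module implements the five operations above in one place: a single default-deny authorization module that every handler consults, an abstract administrative controller whose dispatch path enforces the role gate, a regular controller that carries one admin-only action, and an audit trail of every decision. The roles, function names, users and order data are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Dict, FrozenSet, List, Set, Tuple

class AuthorizationError(PermissionError): pass

@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]

class AuthorizationModule:
    """The one module every business function consults (SSS-02-15-05-01-01)."""
    def __init__(self) -> None:
        self._grants: Dict[str, Set[str]] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (user, function, decision)

    def grant(self, function: str, *roles: str) -> None:
        """Explicitly allow `roles` to call `function`; nothing else is ever allowed."""
        self._grants.setdefault(function, set()).update(roles)

    def check(self, user: User, function: str) -> None:
        # Default deny (SSS-02-15-05-01-02): a function with no grants is refused to everyone.
        allowed = bool(user.roles & self._grants.get(function, set()))
        self.audit.append((user.name, function, "allow" if allowed else "deny"))
        if not allowed:
            raise AuthorizationError(f"{user.name} may not call {function}")

    def requires(self, function: str):  # decorator: the check runs before the handler, every call
        def decorator(handler):
            @wraps(handler)
            def wrapper(controller, user: User, *args, **kwargs):
                self.check(user, function)
                return handler(controller, user, *args, **kwargs)
            return wrapper
        return decorator

AUTHZ = AuthorizationModule()
# Constructed policy for the example: every grant is explicit, anything unlisted is denied.
AUTHZ.grant("orders.view_own", "user", "admin")
AUTHZ.grant("orders.refund", "admin")   # admin action that lives in a regular controller
AUTHZ.grant("admin.access", "admin")    # coarse gate for the whole admin area
AUTHZ.grant("admin.delete_user", "admin")
# "admin.export_users" deliberately receives no grant.

class AdminController:
    """Abstract admin controller (SSS-02-15-05-01-04). dispatch() is the only entry
    point, so a subclass cannot add an action without inheriting the role gate."""
    def dispatch(self, user: User, action: str, *args):
        AUTHZ.check(user, "admin.access")       # role-based gate, inherited by subclasses
        AUTHZ.check(user, f"admin.{action}")    # and an explicit grant for this function
        if action.startswith("_") or not callable(getattr(self, action, None)):
            raise LookupError(f"no admin action named {action}")
        return getattr(self, action)(user, *args)

class UserAdminController(AdminController):
    def delete_user(self, user: User, target: str) -> str:
        return f"deleted {target}"

    def export_users(self, user: User) -> List[str]:  # defined but ungranted: unreachable
        return list(OrderController.ORDERS)

class OrderController:
    """Regular controller carrying one admin-only action (SSS-02-15-05-01-05)."""
    ORDERS = {"alice": ["A-1", "A-2"], "bob": ["B-7"]}  # constructed sample data

    @AUTHZ.requires("orders.view_own")
    def view_own(self, user: User) -> List[str]:
        return list(self.ORDERS.get(user.name, []))

    @AUTHZ.requires("orders.refund")
    def refund(self, user: User, order_id: str) -> str:
        return f"refunded {order_id}"

def run_scenario() -> Dict[str, str]:
    """Drive the controllers with two constructed users; returns the outcome per step."""
    alice, bob = User("alice", frozenset({"user"})), User("bob", frozenset({"admin"}))
    orders, admin = OrderController(), UserAdminController()
    steps = {
        "alice_view_own": lambda: orders.view_own(alice),
        "alice_refund": lambda: orders.refund(alice, "A-1"),
        "bob_refund": lambda: orders.refund(bob, "A-1"),
        "alice_delete_user": lambda: admin.dispatch(alice, "delete_user", "bob"),
        "bob_delete_user": lambda: admin.dispatch(bob, "delete_user", "alice"),
        "bob_export_users": lambda: admin.dispatch(bob, "export_users"),
    }
    outcome: Dict[str, str] = {}
    for name, step in steps.items():
        try:
            outcome[name] = f"allow:{step()}"
        except AuthorizationError:
            outcome[name] = "deny"
    return outcome

if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:18s} {result}")
```

Two points are worth noticing when running it. The `export_users` action exists on the controller and Bob is an administrator, yet the call is refused, because the module has no grant for it: that is the fail-closed behaviour the default-deny operation asks for, and it is what makes a forgotten grant show up as a denied request in the audit list rather than as a silently exposed function. Second, the refund action sits in the ordinary order controller, so no inheritance protects it; its only protection is the explicit check the decorator attaches, which is why the review operation must cover regular controllers as well as the admin area.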
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1851), OWASP Top 10 API Security Risk | | |