The OWASP API Security Top 10 are mitigated in the development of web APIs.
Ensure all API endpoints, versions, and hosts are properly documented and managed to prevent security risks from outdated or exposed services. For example:

- Maintain an up-to-date API inventory to track all deployed endpoints, versions, and dependencies, reducing the risk of forgotten or vulnerable APIs.
- Enforce lifecycle management by deprecating and securely removing outdated API versions to prevent attackers from exploiting legacy functionality.
- Restrict access to debug and test endpoints, ensuring they are not exposed in production environments.
- Continuously monitor API deployments to detect shadow APIs and unauthorized endpoints that could introduce security risks.

Ensure comprehensive API security by maintaining a structured inventory, enforcing access controls, and applying security measures across all API environments. For example:

- Document and track all API hosts by categorizing them based on environment (e.g., production, staging, test, development) and defining network access permissions (e.g., public, internal, partners) to prevent unauthorized access.
- Inventory all integrated services, documenting their role, data flows, and sensitivity to understand security risks.
- Maintain detailed API documentation covering authentication, error handling, rate limiting, CORS policies, and endpoint specifications, ensuring clarity for authorized users.
- Automate API documentation generation using open standards and integrate it into the CI/CD pipeline, restricting access to only authorized users.
- Protect all API versions, not just production, by using API security solutions to prevent unauthorized access or data leaks.
- Avoid using production data in non-production environments, or if necessary, apply the same security controls as production systems.
- When updating APIs with security improvements, assess risks in older versions and determine whether backporting is viable or if deprecating outdated versions is necessary to enforce secure adoption.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-15-09-01-01 | Inventory all API hosts | Maintain a comprehensive inventory of all API hosts, documenting key details such as the environment (e.g., production, staging, test, development), network access levels (public, internal, partners), and API version. | Development | Security Engineers, DevOps Teams |
SSS-02-15-09-01-02 | Inventory integrated services | Document all integrated services, detailing their roles in the system, the data they exchange, and the sensitivity of that data. This helps in managing access control and monitoring potential vulnerabilities. | Development | Security Engineers, IT Operations |
SSS-02-15-09-01-03 | Document all aspects of the API | Ensure that every aspect of the API is documented, including authentication mechanisms, error handling, redirects, rate limiting, CORS policies, and endpoint details (parameters, requests, responses). | Development | API Developers, Product Managers |
SSS-02-15-09-01-04 | Automate API documentation generation | Adopt open standards for API documentation and integrate the documentation generation into the CI/CD pipeline to ensure it is always up to date and accessible. | Development | DevOps Teams, API Developers |
SSS-02-15-09-01-05 | Restrict API documentation access | Make API documentation available only to authorized users, ensuring that sensitive information is not exposed to unauthorized parties. | Post-deployment | Security Engineers, IT Operations |
SSS-02-15-09-01-06 | Implement API protection measures for all versions | Use external protection measures (e.g., API security solutions) for all exposed API versions, not just for the current production version. This ensures that older and deprecated versions are also protected. | Development | Security Engineers, IT Operations |
SSS-02-15-09-01-07 | Avoid using production data in non-production environments | Prevent the use of production data in non-production environments to mitigate the risk of data exposure. If using production data is unavoidable, ensure the security of non-production endpoints is equivalent to that of production. | Development | Security Engineers, QA Teams |
SSS-02-15-09-01-08 | Perform risk analysis for API version updates | When introducing security improvements in newer API versions, conduct a risk analysis to determine whether backporting is feasible or if older versions should be deprecated and all clients moved to the latest version. | Development | Security Engineers, Product Managers |
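
The inventory operations above (SSS-02-15-09-01-01, -06 and -08) and the monitoring point in the first list (detecting shadow APIs, debug/test endpoints reachable in production, and traffic still arriving at deprecated versions) can be turned into a continuous check. The following Python script is an added example, not code from this page or from the frameworks it cites: it compares gateway access-log lines with an API inventory that records host, environment, network access, version and lifecycle state, and reports every discrepancy. The inventory schema, the one-line log format, and all hostnames and paths are constructed assumptions for the example.

```python
"""
Shadow-API and deprecated-version detection against an API inventory.

Added example, not code from the page or its cited frameworks. The inventory
schema (host, environment, network_access, version, lifecycle, endpoints), the
access-log format and all hostnames/paths below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed inventory: one entry per (host, API version), carrying the
# environment and network-access metadata that operation SSS-02-15-09-01-01 asks for.
INVENTORY = [
    {"host": "api.example.com", "environment": "production",
     "network_access": "public", "version": "v2", "lifecycle": "current",
     "endpoints": ["GET /users/{id}", "POST /orders", "GET /orders/{id}"]},
    {"host": "api.example.com", "environment": "production",
     "network_access": "public", "version": "v1", "lifecycle": "deprecated",
     "endpoints": ["GET /users/{id}", "POST /orders"]},
    {"host": "api-staging.example.com", "environment": "staging",
     "network_access": "internal", "version": "v2", "lifecycle": "current",
     "endpoints": ["GET /users/{id}", "POST /orders", "GET /debug/config"]},
]

# Constructed gateway access log, one request per line: "<host> <method> /<version><path> <status>".
ACCESS_LOG = """\
api.example.com GET /v2/users/42 200
api.example.com POST /v2/orders 201
api.example.com GET /v1/users/42 200
api.example.com GET /v2/debug/config 200
api.example.com GET /v2/admin/export 200
api-staging.example.com GET /v2/debug/config 200
api-old.example.com GET /v1/users/1 200
"""

LOG_RE = re.compile(
    r"^(?P<host>\S+) (?P<method>[A-Z]+) /(?P<version>v\d+)(?P<path>/\S*) (?P<status>\d{3})$"
)
# Path segments treated as debug/test surface (assumed naming convention).
DEBUG_SEGMENTS = {"debug", "test", "internal"}


@dataclass
class Findings:
    shadow: list = field(default_factory=list)         # known host/version, undocumented route
    unknown: list = field(default_factory=list)        # host/version absent from the inventory
    debug_in_prod: list = field(default_factory=list)  # debug/test route served by production
    deprecated_traffic: dict = field(default_factory=dict)  # (host, version) -> request count


def template_matcher(template):
    """Compile 'GET /users/{id}' into (method, regex) matching concrete paths such as '/users/42'."""
    method, path = template.split(" ", 1)
    literal_parts = re.split(r"\{[^/]+\}", path)  # split on {placeholder} segments
    pattern = "[^/]+".join(re.escape(p) for p in literal_parts)
    return method, re.compile(f"^{pattern}$")


def build_index(inventory):
    """Map (host, version) -> (inventory entry, compiled endpoint matchers)."""
    return {
        (e["host"], e["version"]): (e, [template_matcher(t) for t in e["endpoints"]])
        for e in inventory
    }


def is_documented(matchers, method, path):
    return any(m == method and rx.match(path) for m, rx in matchers)


def analyze(inventory, log_text):
    """Compare observed requests with the inventory and return the discrepancies."""
    index = build_index(inventory)
    findings = Findings()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an API request line in the assumed format
        host, method, version, path = m["host"], m["method"], m["version"], m["path"]
        key, request = (host, version), f"{method} {path}"
        if key not in index:
            findings.unknown.append((host, version, request))  # forgotten host or version
            continue
        entry, matchers = index[key]
        if entry["lifecycle"] == "deprecated":
            findings.deprecated_traffic[key] = findings.deprecated_traffic.get(key, 0) + 1
        if entry["environment"] == "production" and DEBUG_SEGMENTS & set(path.strip("/").split("/")):
            findings.debug_in_prod.append((host, version, request))
        if not is_documented(matchers, method, path):
            findings.shadow.append((host, version, request))
    return findings


if __name__ == "__main__":
    f = analyze(INVENTORY, ACCESS_LOG)
    for label, items in (("undocumented routes", f.shadow), ("unknown hosts/versions", f.unknown),
                         ("debug routes in production", f.debug_in_prod)):
        print(f"{label}: {items}")
    print(f"traffic to deprecated versions: {f.deprecated_traffic}")
```

Run against the constructed log, the script flags `GET /debug/config` and `GET /admin/export` on production v2 as undocumented routes (the first also as a debug route served in production, while the same route on the staging host is documented and raises nothing), reports `api-old.example.com` as a host missing from the inventory, and counts one request to the deprecated v1. The deprecated-traffic counts are the input a team needs for the risk analysis in SSS-02-15-09-01-08: a version with zero traffic can be removed, one still in use must be backported or its clients migrated first.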
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1851) | OWASP Top 10 API Security Risk | OWASP Top 10 API Security Risk |