Mitigate the OWASP API Security Top 10 risks during the development of web APIs.
Ensure APIs securely handle data received from third-party integrations, so that a compromised or misbehaving partner cannot be used to attack your application indirectly. For example: treat third-party API responses as untrusted input, validating and sanitizing the data before processing it; enforce strict authentication and authorization for external API integrations to prevent unauthorized access; apply rate limiting and monitoring to third-party API calls to detect anomalies and mitigate abuse; regularly audit third-party dependencies and their security policies to confirm they meet your security standards and introduce no vulnerabilities; and continuously monitor and log interactions with external APIs to detect potential security threats.
Ensure robust security when integrating third-party APIs through strict validation, secure communication, and controlled interactions. For example: assess the API security posture of service providers before integration to verify compliance with best practices; enforce secure communication channels (TLS) for all API interactions to prevent data interception and tampering; validate and sanitize all incoming data from external APIs to eliminate injection risks before processing; and maintain an allowlist of trusted redirection destinations, so that your application does not blindly follow unverified redirects, reducing the risk of phishing or malicious rerouting.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-15-10-01-01 | Evaluate API security posture of service providers | When selecting third-party service providers, thoroughly assess their API security posture to ensure that they adhere to strong security practices and meet your security requirements. | Preparation | Security Engineers, Product Managers |
SSS-02-15-10-01-02 | Ensure secure communication with integrated APIs | Ensure that all interactions with third-party APIs happen over secure communication channels (e.g., TLS) to protect the integrity and confidentiality of the data exchanged. | Development | Security Engineers, API Developers |
SSS-02-15-10-01-03 | Validate and sanitize data from integrated APIs | Validate and properly sanitize all data received from integrated third-party APIs before using it in your application, preventing malicious or unexpected data from being processed. | Development | Security Engineers, Backend Developers |
SSS-02-15-10-01-04 | Maintain allowlist for API redirects | Maintain an allowlist of trusted locations to which integrated APIs may redirect your application. Avoid blindly following redirects to ensure that data is not sent to malicious destinations. | Development | Security Engineers, API Developers |
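The four operations above (TLS-only communication, allowlisted redirects, validation of response data, and rate limiting with monitoring) can be combined in one client wrapper. The following Python is an added example written for this page, not code from the framework or from any referenced project. The partner hostnames, the redirect allowlist, the `profile` schema and the canned HTTP responses are all constructed for illustration; the `transport` callable stands in for the real HTTP library so the example runs offline.

```python
"""Defensive consumer of a third-party API (added example): TLS only, allowlisted
redirects, schema-validated response bodies, and a token-bucket rate limit."""
import ipaddress
import json
import time
from urllib.parse import urlsplit

# Assumed allowlist of hosts the integration may be redirected to (constructed names).
REDIRECT_ALLOWLIST = {"api.partner.example", "cdn.partner.example"}


def enforce_tls(url: str) -> None:
    """Refuse any URL that is not https, so request data never travels in cleartext."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-TLS URL: {url}")


def redirect_allowed(location: str, allowlist=REDIRECT_ALLOWLIST) -> bool:
    """True only for an https URL whose host is allowlisted; rejects userinfo and IP literals."""
    parts = urlsplit(location)
    host = parts.hostname
    if parts.scheme != "https" or host is None or parts.username or parts.password:
        return False
    try:
        ipaddress.ip_address(host)  # an IP literal is never a trusted redirect target
        return False
    except ValueError:
        return host.lower() in allowlist


def validate_profile(payload: bytes, max_bytes: int = 64 * 1024) -> dict:
    """Treat the response body as untrusted input: bound its size, enforce an exact schema."""
    if len(payload) > max_bytes:
        raise ValueError("response too large")
    data = json.loads(payload)  # raises json.JSONDecodeError on malformed input
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    expected = {"id": int, "email": str, "display_name": str}
    unknown = set(data) - set(expected)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    out = {}
    for key, typ in expected.items():
        if type(data.get(key)) is not typ:  # exact type check: a bool is not an int here
            raise ValueError(f"field {key!r} missing or wrong type")
        out[key] = data[key]
    if not 0 < out["id"] < 2**63:
        raise ValueError("id out of range")
    email = out["email"]
    if len(email) > 254 or email.count("@") != 1 or not email.isprintable():
        raise ValueError("invalid email")
    # Strip control characters before the value can reach logs or templates.
    out["display_name"] = "".join(c for c in out["display_name"] if c.isprintable())[:100]
    return out


class RateLimiter:
    """Token bucket capping outbound calls; the denial counter is the signal to monitor."""

    def __init__(self, rate_per_sec: float, burst: int, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate_per_sec, burst, clock
        self.tokens, self.last, self.denied = float(burst), clock(), 0

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        self.denied += 1  # a rising denial count indicates a burst worth alerting on
        return False


def fetch_profile(url: str, transport, limiter: RateLimiter, max_redirects: int = 2) -> dict:
    """transport(url) -> (status, headers, body). Redirects are followed only to allowlisted hosts."""
    for _ in range(max_redirects + 1):
        enforce_tls(url)
        if not limiter.allow():
            raise RuntimeError("rate limit exceeded for partner API")
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location", "")
            if not redirect_allowed(location):
                raise ValueError(f"refusing redirect to {location!r}")
            url = location
            continue
        if status != 200:
            raise ValueError(f"unexpected status {status}")
        return validate_profile(body)
    raise ValueError("too many redirects")


# Constructed sample responses standing in for the partner's servers (no network needed).
CONSTRUCTED_RESPONSES = {
    "https://api.partner.example/v1/profile/42": (302, {"Location": "https://cdn.partner.example/p/42"}, b""),
    "https://cdn.partner.example/p/42": (200, {}, b'{"id": 42, "email": "ada@example.org", "display_name": "Ada\\u0007 L"}'),
    "https://api.partner.example/v1/profile/7": (302, {"Location": "https://untrusted.example/p/7"}, b""),
}


def demo_transport(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}, b""))


if __name__ == "__main__":
    limiter = RateLimiter(rate_per_sec=5, burst=10)
    print(fetch_profile("https://api.partner.example/v1/profile/42", demo_transport, limiter))
    try:
        fetch_profile("https://api.partner.example/v1/profile/7", demo_transport, limiter)
    except ValueError as exc:
        print("blocked:", exc)
```

In a real integration, `transport` wraps the HTTP client with automatic redirect following switched off, so that every `Location` header passes through `redirect_allowed`, and the `RateLimiter.denied` counter is exported to the monitoring stack rather than only kept in memory.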
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1851); OWASP Top 10 API Security Risk | | |