Chapter 83. API Security Primer: Risk Assessment, Monitoring, and Detection

Chenxi Wang

The second aspect of forming an API security strategy—after the discovery of APIs in your environment—involves assessing whether the API endpoints conform to your security architecture/design requirements and policies.

Of course, this assumes that you have an API secure design policy. Such policies should cover these considerations:

Authentication

Does the API access have authentication? What kind of authentication?

API secrets management

Are the API tokens/keys managed? Do they have an expiration date? Should secrets be rotated and refreshed periodically?

Decommissioning of APIs

Should obsolete APIs be decommissioned? What is the decommissioning process?

Vulnerability management policy

What happens when a critical vulnerability is found in an API? Do we report it? Do we block its use? Do we mitigate the threat by enacting an API filter? When must the vulnerability be remediated to stay compliant with policy and any relevant SLAs?

Once you have a policy, you can detect violations such as unauthenticated API endpoints, obsolete APIs, or those with high or critical vulnerabilities. This step also allows you to understand your risk exposure, which is critical to being able to manage or mitigate API-related risks.
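The conformance check described above can be written down as code once the policy has concrete thresholds. The following Python is an added example for this page, not code from the chapter or from any product: it takes an API inventory (as the discovery step would produce it) and evaluates each endpoint against the four policy areas listed above, reporting unauthenticated endpoints, secrets that never expire or are overdue for rotation, deprecated APIs still exposed, and high/critical vulnerabilities tracked against a remediation SLA. The rotation period, SLA days, endpoint records, dates and vulnerability identifiers are all constructed sample values.

```python
"""Added example: check an API inventory against a secure-design policy.

Illustrative code written for this page, not the chapter's or any product's.
Policy thresholds, endpoint records and vulnerability ids are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy values: a 90-day secret rotation period and
# remediation SLAs of 7 days (critical) and 30 days (high).
POLICY = {
    "max_secret_age_days": 90,
    "remediation_sla_days": {"critical": 7, "high": 30},
}


@dataclass
class Vulnerability:
    vuln_id: str        # placeholder identifier, not a real advisory
    severity: str       # "low" | "medium" | "high" | "critical"
    found_on: date


@dataclass
class ApiEndpoint:
    path: str
    auth: str                               # "none" | "api_key" | "oauth2" | "mtls"
    deprecated: bool = False
    secret_issued: Optional[date] = None    # when the current key/client secret was minted
    secret_expires: Optional[date] = None   # None means the secret never expires
    vulns: list = field(default_factory=list)


def assess_endpoint(ep: ApiEndpoint, policy: dict, today: date) -> list:
    """Return (finding_code, detail) pairs for one endpoint."""
    findings = []

    # Authentication: an endpoint reachable without credentials violates policy.
    if ep.auth == "none":
        findings.append(("unauthenticated", f"{ep.path} accepts requests with no credentials"))

    # Secrets management: secrets must expire and must be rotated on schedule.
    if ep.secret_issued is not None:
        if ep.secret_expires is None:
            findings.append(("secret_no_expiry", f"secret for {ep.path} never expires"))
        age = (today - ep.secret_issued).days
        if age > policy["max_secret_age_days"]:
            findings.append(("secret_rotation_overdue", f"secret for {ep.path} is {age} days old"))

    # Decommissioning: a deprecated API still in the inventory is still exposed.
    if ep.deprecated:
        findings.append(("obsolete_api_exposed", f"{ep.path} is deprecated but still served"))

    # Vulnerability management: high/critical findings are tracked against their SLA.
    for v in ep.vulns:
        sla_days = policy["remediation_sla_days"].get(v.severity)
        if sla_days is None:
            continue  # low/medium carry no SLA in this sample policy
        due = v.found_on + timedelta(days=sla_days)
        state = "overdue" if today > due else "open"
        findings.append((f"{v.severity}_vuln_{state}", f"{v.vuln_id} on {ep.path} due {due}"))

    return findings


def assess_inventory(inventory, policy, today):
    """Map each endpoint path to its list of finding codes (details dropped for the summary)."""
    return {ep.path: [code for code, _ in assess_endpoint(ep, policy, today)] for ep in inventory}


# Constructed sample inventory, as a discovery step might have produced it.
SAMPLE_DATE = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    ApiEndpoint("/v1/orders", auth="none"),
    ApiEndpoint("/v1/payments", auth="oauth2",
                secret_issued=date(2024, 1, 1), secret_expires=None),
    ApiEndpoint("/v0/legacy", auth="api_key", deprecated=True,
                secret_issued=date(2024, 5, 1), secret_expires=date(2024, 8, 1),
                vulns=[Vulnerability("VULN-PLACEHOLDER-1", "critical", date(2024, 5, 1))]),
    ApiEndpoint("/v1/users", auth="mtls",
                vulns=[Vulnerability("VULN-PLACEHOLDER-2", "high", date(2024, 5, 20))]),
    ApiEndpoint("/v1/health", auth="oauth2",
                secret_issued=date(2024, 5, 15), secret_expires=date(2024, 8, 15)),
]

if __name__ == "__main__":
    for path, codes in assess_inventory(SAMPLE_INVENTORY, POLICY, SAMPLE_DATE).items():
        print(path, "->", codes or "conformant")
```

Evaluating with a fixed `today` rather than the wall clock keeps the SLA state reproducible, which matters when the same inventory snapshot is re-assessed during an audit; in production the date would come from the run time and the inventory from the discovery tooling's export.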

To assess risk and detect errors and violations, ...

Get 97 Things Every Application Security Professional Should Know now with the O’Reilly learning platform.
