API should be checked for the following from a Security perspective:
1. Denial of Service Attack https://owasp.org/www-community/attacks/Denial_of_Service
2. OWASP A6- Security Misconfiguration https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html
2. IP Access Control https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c7-enforce-access-controls.html
3. MITRE CWE 250 Unnecessary Privileges - Basic Authentication
4. Ensure no direct access to database.
5. Access token authentication - e.g. OAuth* 2 with JWT for user authentication and authorization.
5. API Key Generation & Validation - API providers should expose secure methods to provide authorization code or access tokens on demand.
No comments:
Post a Comment