
API Security Control Selection and Justification: A Comprehensive Guide, Assignments of Computer Networks

A detailed guide to selecting and justifying API security controls. It includes a problem statement, identification of alternative security controls, a qualitative analysis of risks, and a risk matrix chart. The document also includes a system diagram and a justification for the chosen security control, an API gateway with integrated security features. Valuable for students and professionals in cybersecurity, IT, and software development who want to learn about API security best practices.

Typology: Assignments

2024/2025

Available from 02/17/2025

Milestonee



Rubric

Criteria and points:

  • Include problem statement from previous deliverable
  • Identification of two alternative security controls: 20
  • Qualitative analysis of risks: 20
  • Security control selection and justification: 30
  • Risk matrix chart (see Appendix A): 20
  • Total: 100

Alternative Security Controls

  • Administrative Controls
    • API Security Governance Policy
    • API Security Training for IT Staff and App Developers
  • Technical Controls
    • API Gateway with Security Features Integrated
    • Automated Vulnerability Scanning on APIs
  • Physical Controls
    • Restrict Access to Servers Hosting APIs

Qualitative Analysis (Administrative Controls)

  • API Security Governance Policy
    • Effectiveness
      • Establishes a governance structure; ensures all API management and development processes follow security best practices
    • Operation
      • Requires a clear written policy with guidelines
      • Enforcement of authentication standards
      • API development subject to audits and compliance checks
    • Availability (High)
      • Enforced across the organization
    • Cost (Low)
      • Drafting written policies
      • Providing training
      • Revisions to keep the policy up to date
    • Implementation Issues
      • Resistance from departments may occur when the policy disrupts existing workflows
    • Overall Benefit
      • Promotes security awareness
      • All future API development minimizes the risk of security vulnerabilities
Qualitative Analysis (Technical Controls)

  • API Gateway with Security Features Integrated
    • Effectiveness
      • Centralized security policies
      • Detects and blocks insecure traffic
    • Operation
      • Monitors traffic and applies security rules
      • Ensures only legitimate requests reach the API
    • Availability (High)
      • Redundancy and fault tolerance (deployed as a cloud or hybrid solution)
    • Cost (Moderate-High)
      • Cloud-based solution
      • On-premise solution
    • Implementation Issues
      • Significant setup and integration effort
      • Continuous management and configuration updates
    • Overall Benefit
      • Comprehensive protection against common API vulnerabilities and attacks
  • Automated Vulnerability Scanning on APIs
    • Effectiveness
      • Identifies potential vulnerabilities within APIs before they can be exploited
    • Operation
      • Scans APIs at regular intervals
      • Identifies risks and suggests remediations
    • Availability (High)
      • Scans can be scheduled to run automatically
      • Available as both open-source and commercial software
    • Cost (Low-Moderate)
      • Dependent on the software used
    • Implementation Issues
      • False positives
      • Findings require manual validation before remediation
    • Overall Benefit
      • Helps keep APIs secure during and after development
      • Minimizes the risk of unauthorized access or data breaches
Security Control Selection - (API Gateway with Security Features Integrated)

  • Internal Network Connection
    • The API gateway sits between the internal network and external users/systems
    • The gateway connects to the application servers using secure protocols (HTTPS, TLS)
    • It authenticates, authorizes and encrypts traffic before it enters the internal network, then routes valid API requests to the microservices
    • The gateway communicates with monitoring systems to log activity and detect anomalous traffic patterns

  • Internet Connection
    • The API gateway acts as the secure access point for external consumers
    • All external API requests are filtered through the gateway
      • Traffic inspection
      • Rate limiting
      • Authentication
    • Data encryption between VS&CO's APIs and external consumers (TLS; legacy SSL versions should be disabled)

  • User Access
    • External users (customers, external services)
      • Secure API calls via the Internet
      • The API gateway authenticates and authorizes all traffic
    • Internal users (IT staff, developers)
      • Web-based interfaces
      • CLI
      • Multi-factor authentication
    • Security teams
      • Integration with internal security tools
[Figure: Cyber Security System Diagram (not reproduced in the text extract)]

CIA Triad

Security Control          Confidentiality   Integrity   Availability
API Security Policy       High              Medium      High
Security Training         Medium            Medium      High
API Gateway               High              High        High
Vulnerability Scanning    Medium            High        High
Physical Access Control   High              High        High

Risk Matrix Chart

Risk                          Likelihood (1-5)   Impact (1-5)   Overall Risk (Likelihood x Impact)
Data Breach                   4                  5              20
Unauthorized Access           5                  5              25
Service Disruption/Downtime   4                  4              16
Data Integrity Compromise     3                  5              15
Reputational Damage           5                  5              25
Legal/Compliance Penalties    4                  5              20

Mitigating Risk (API Gateway)

  • Service Disruption/Downtime
    • Rate limiting
    • DDoS protection
    • Load balancing
  • Data Integrity Compromise
    • Input validation
    • Traffic monitoring
    • Data verification
  • Reputational Damage: prevents the following events, each of which causes a public reaction
    • Data breaches
    • Service outages
    • Unauthorized access
  • Legal/Compliance Penalties: enforces security and compliance standards
    • Data encryption
    • Secure authentication
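The gateway request path described in the Security Control Selection slides, together with the mitigations listed above (authentication, authorization, rate limiting, input validation, logging to monitoring), as one runnable filter chain. This is an added example written for this page, not code from the assignment or from any gateway product. The HMAC bearer-token format, `SECRET`, the `ROUTES` table and its `orders:read`/`orders:write` scopes, the client ids and the `demo_upstream` stub are all constructed; a production gateway would instead validate JWTs issued by the organization's identity provider. Rate limiting is a token bucket keyed on the authenticated client.

```python
"""Minimal API gateway filter chain: authentication, authorization, per-client
rate limiting, input validation and logging in front of an upstream service.
Added example for this page, not code from the assignment. The secret, token
format, route table, scopes, client ids and the upstream stub are constructed."""
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; load from a secret store in production
# Route table: the scope a caller needs for each (method, path).
ROUTES = {("GET", "/orders"): "orders:read", ("POST", "/orders"): "orders:write"}

def issue_token(client_id, scope, exp):
    """Mint an HMAC-signed bearer token: base64(client|scope|exp).hexsig"""
    body = f"{client_id}|{scope}|{exp}".encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig

def verify_token(token, now):
    """Return the claims, or None if the token is malformed, forged or expired."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
        client_id, scope, exp = body.decode().split("|")
        exp = float(exp)
    except ValueError:  # wrong shape, bad base64 (binascii.Error is a ValueError) or bad exp
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if exp < now:
        return None
    return {"client": client_id, "scopes": set(scope.split(","))}

class TokenBucket:
    """Per-client token bucket: `burst` requests at once, refilled at `rate` per second."""
    def __init__(self, burst, rate):
        self.capacity, self.rate = float(burst), float(rate)
        self.tokens, self.last = self.capacity, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def validate_body(method, body):
    """Schema check for POST /orders; returns an error message or None."""
    if method != "POST":
        return None
    try:
        data = json.loads(body or "")
    except json.JSONDecodeError:
        return "body is not valid JSON"
    if not isinstance(data, dict) or set(data) != {"sku", "qty"}:
        return "body must contain exactly sku and qty"
    if not isinstance(data["sku"], str) or not data["sku"].isalnum():
        return "sku must be alphanumeric"
    qty = data["qty"]
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
        return "qty must be an integer between 1 and 100"
    return None

def demo_upstream(method, path, body, claims):
    """Constructed stand-in for the microservice behind the gateway."""
    if method == "GET":
        return {"status": 200, "body": {"client": claims["client"], "orders": []}}
    return {"status": 201, "body": {"accepted": json.loads(body)}}

class Gateway:
    def __init__(self, upstream, burst=3, rate=1.0):
        self.upstream, self.burst, self.rate = upstream, burst, rate
        self.buckets, self.log = {}, []  # self.log stands in for the monitoring/SIEM feed

    def _deny(self, req, status, reason):
        self.log.append({"status": status, "reason": reason, "path": req["path"]})
        return {"status": status, "body": {"error": reason}}

    def handle(self, req, now=None):
        """Apply the filters in order; the first failing filter short-circuits the request."""
        now = time.time() if now is None else now
        needed = ROUTES.get((req["method"], req["path"]))
        if needed is None:
            return self._deny(req, 404, "unknown route")
        auth = req.get("headers", {}).get("Authorization", "")
        claims = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
        if claims is None:
            return self._deny(req, 401, "missing, invalid or expired token")
        if needed not in claims["scopes"]:
            return self._deny(req, 403, f"scope {needed} required")
        bucket = self.buckets.setdefault(claims["client"], TokenBucket(self.burst, self.rate))
        if not bucket.allow(now):
            return self._deny(req, 429, "rate limit exceeded")
        err = validate_body(req["method"], req.get("body"))
        if err is not None:
            return self._deny(req, 400, err)
        resp = self.upstream(req["method"], req["path"], req.get("body"), claims)
        self.log.append({"status": resp["status"], "client": claims["client"], "path": req["path"]})
        return resp
```

The filter order matters: the rate limiter runs after authentication so that a client's quota is charged to its verified identity, and body validation runs before the upstream call so that malformed input never reaches the microservice. TLS termination, DDoS absorption and load balancing are left to the network edge; a production deployment would also rate-limit unauthenticated traffic per source address, because the 401 path here costs an HMAC check per request.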