Page 1417 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

APIs, such as those that allow checking weather forecasts or product inventory, may be available to the general public and not require any authentication for use. Other APIs, such as those that allow modifying information, placing orders, or accessing sensitive information, may be limited to specific users and depend on secure authentication. API developers must know when to require authentication and ensure that they verify credentials and authorization for every API call. This authentication is typically done by providing authorized API users with a complex API key that is passed with each API call. The backend system validates this API key before processing a request, ensuring that the system making the request is authorized to make the specific API call.



API keys are like passwords and should be treated as very sensitive information. They should always be stored in secure locations and transmitted only over encrypted communications channels. If someone gains access to your API key, they can interact with a web service as if they were you!
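The following is an added example, not code from the study guide, that ties the two points above together: a backend handler that checks the API key and the key's authorization on every call, keeps only a digest of each key on the server side (so a dumped key store is useless to an attacker), and compares digests in constant time. The endpoint table, the `X-API-Key` header name, the scope names and the two constructed keys are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not from the study guide). Endpoint table, header name,
# scope names and client names are assumptions for illustration.

# Which scope each endpoint requires. None marks a public endpoint that
# needs no authentication at all (the "weather forecast" case).
ENDPOINTS = {
    ("GET", "/weather"): None,
    ("GET", "/inventory"): "inventory:read",
    ("POST", "/orders"): "orders:write",
}


def _digest(api_key: str) -> str:
    # Keys are long random strings (not low-entropy passwords), so a plain
    # SHA-256 digest is enough to make the stored form useless on its own.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed keys, generated fresh each run. In practice the plaintext key
# is shown to the client once at issuance and never written to the store.
READER_KEY = secrets.token_urlsafe(32)
ORDERS_KEY = secrets.token_urlsafe(32)

# Server-side store: digest -> client record with the scopes it was granted.
KEY_STORE = {
    _digest(READER_KEY): {"client": "inventory-dashboard",
                          "scopes": {"inventory:read"}},
    _digest(ORDERS_KEY): {"client": "order-service",
                          "scopes": {"inventory:read", "orders:write"}},
}


def lookup_key(presented: str):
    """Return the client record for a presented key, or None.

    Digests are compared with hmac.compare_digest rather than == so the
    time taken does not depend on how many leading characters match, and
    the loop always runs to the end so position in the store leaks nothing.
    """
    wanted = _digest(presented)
    found = None
    for stored_digest, record in KEY_STORE.items():
        if hmac.compare_digest(stored_digest, wanted):
            found = record
    return found


def handle_request(method: str, path: str, headers: dict):
    """Authenticate and authorize one API call; return (status, body)."""
    if (method, path) not in ENDPOINTS:
        return 404, {"error": "unknown endpoint"}
    required = ENDPOINTS[(method, path)]
    if required is None:
        return 200, {"data": f"public response for {path}"}

    presented = headers.get("X-API-Key")
    if not presented:
        return 401, {"error": "API key required"}
    record = lookup_key(presented)
    if record is None:
        return 401, {"error": "invalid API key"}
    # A valid key is not enough: the key must be allowed this specific call.
    if required not in record["scopes"]:
        return 403, {"error": f"key lacks scope {required}"}
    return 200, {"data": f"{path} for {record['client']}"}


if __name__ == "__main__":
    print(handle_request("GET", "/weather", {}))
    print(handle_request("POST", "/orders", {"X-API-Key": READER_KEY}))
    print(handle_request("POST", "/orders", {"X-API-Key": ORDERS_KEY}))
```

The distinction between the 401 and 403 responses is the point of the "credentials and authorization for every API call" sentence: the read-only key authenticates successfully but is still refused when it tries to place an order. In a real deployment the handler would sit behind TLS so the key is never sent in the clear.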



               APIs must also be tested thoroughly for security flaws, just like any
               web application. You’ll learn more about this in the next section.


               Software Testing


As part of the development process, your organization should thoroughly test any software before distributing it internally (or releasing it to market). The best time to address testing is as the modules are designed. In other words, the mechanisms you use to test a product and the data sets you use to explore that product should be designed in parallel with the product itself. Your programming team should develop special test suites of data that exercise all paths of the software to the fullest extent possible and know the correct resulting outputs beforehand.
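As an added example (not from the study guide), here is what "a test suite of data that exercises all paths, with the correct outputs known beforehand" looks like in practice for one small input validator. The function under test, its branch labels and the test vectors are constructed for this example; the suite records which branch each input took so it can report any path the data never reached, and several vectors deliberately probe how permissive Python's `int()` parsing is.

```python
# Added example (not from the study guide). The validator, its branch
# labels and the test vectors below are constructed for illustration.

MAX_QUANTITY = 1000


def validate_quantity(raw, trace):
    """Parse an order-quantity field, returning (ok, value_or_reason).

    `trace` is a set supplied by the caller; each branch adds its label so
    the test suite can confirm that every path was exercised.
    """
    if raw is None or raw == "":
        trace.add("missing")
        return False, "quantity missing"
    try:
        qty = int(raw)
    except (TypeError, ValueError):
        trace.add("not_integer")
        return False, "quantity must be an integer"
    if qty <= 0:
        trace.add("non_positive")
        return False, "quantity must be positive"
    if qty > MAX_QUANTITY:
        trace.add("too_large")
        return False, f"quantity exceeds {MAX_QUANTITY}"
    trace.add("ok")
    return True, qty


# Every branch the validator can take; the suite must hit all of them.
ALL_BRANCHES = {"missing", "not_integer", "non_positive", "too_large", "ok"}

# Test vectors with their expected results decided before the code is run.
# The last few show inputs int() accepts that a developer may not expect.
TEST_VECTORS = [
    ("", (False, "quantity missing")),
    (None, (False, "quantity missing")),
    ("abc", (False, "quantity must be an integer")),
    ("12.5", (False, "quantity must be an integer")),
    ("1e3", (False, "quantity must be an integer")),
    ("0x10", (False, "quantity must be an integer")),
    ("0", (False, "quantity must be positive")),
    ("-3", (False, "quantity must be positive")),
    ("1001", (False, "quantity exceeds 1000")),
    ("1000", (True, 1000)),
    ("7", (True, 7)),
    (" 7 ", (True, 7)),          # surrounding whitespace is accepted
    ("1_000", (True, 1000)),     # digit-group underscores are accepted
    ("\u0661\u0662", (True, 12)),  # Arabic-Indic digits are accepted
]


def run_suite():
    """Run every vector; return (failures, branches never exercised)."""
    trace = set()
    failures = []
    for raw, expected in TEST_VECTORS:
        got = validate_quantity(raw, trace)
        if got != expected:
            failures.append((raw, expected, got))
    return failures, ALL_BRANCHES - trace


if __name__ == "__main__":
    failures, missed = run_suite()
    print("failures:", failures)
    print("branches never exercised:", missed)
```

If a reviewer later removes the upper-bound check, the `"1001"` vector fails and `too_large` shows up as an unexercised branch, which is exactly the feedback a suite designed alongside the code is meant to give. The whitespace, underscore and non-ASCII-digit vectors are worth keeping even though they pass: they document behaviour the developers have consciously accepted rather than discovered in production.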

               One of the tests you should perform is a reasonableness check. The
               reasonableness check ensures that values returned by software match
               specified criteria that are within reasonable bounds. For example, a