I'm studying for the CCSP exam and one part of the training material stuck out.

It behooves the cloud customer to formalize a policy and process for vetting, selecting, and deploying only those APIs that can be validated in some fashion -- a method for determining the trustworthiness of the source and the software itself. This process should be included in the organization's acquisition and development program, as well as the change management effort.

OK, that makes sense... sorta. The training material didn't go into any detail and stopped there. It seems to me though that this process is subjective and that one cloud customer could consider an API totally safe while another cloud customer could consider an API awful.

So my questions are:

  • Are there broadly-accepted and documented industry standards or governing bodies that dictate the requirements for lower-risk and viable cloud-based APIs?

  • In the absence of that, are there at least general guidelines on what cloud customers should look for in an API? For example, I feel like this is something that OWASP would have but I didn't see this on their web site.

Mike B

1 Answer

I'm not aware of any standard that would apply specifically to an API. I think the assessment of whether it's good enough will need to be driven by the purpose of the API. If the API is used to gather local date, time, weather information, etc., it will require very different security controls than one which retrieves credit card transactions or shares your own company's protected information (for whatever value of "protected" your company has defined).

In any event, there's not much magic to an API -- it is essentially an external programmatic connection to another service. The way you assess or secure that will be similar to the way you would do so with your own addition of code, library, or functionality that involves exchanging data with a third party.

jth