I'm studying for the CCSP exam and one part of the training material stuck out.
It behooves the cloud customer to formalize a policy and process for vetting, selecting, and deploying only those APIs that can be validated in some fashion -- a method for determining the trustworthiness of the source and the software itself. This process should be included in the organization's acquisition and development program, as well as the change management effort.
OK, that makes sense... sorta. The training material didn't go into any detail and stopped there. It seems to me though that this process is subjective and that one cloud customer could consider an API totally safe while another cloud customer could consider an API awful.
So my questions are:
Are there broadly-accepted and documented industry standards or governing bodies that dictate the requirements for lower-risk and viable cloud-based APIs?
In the absence of that, are there at least general guidelines on what cloud customers should look for in an API? For example, I feel like this is something that OWASP would have, but I didn't see this on their website.