Work item: X.APIRSD
Subject/title: Technical requirements for public API runtime security risk detection
Status: Under study
Approval process: AAP
Type of work item: Recommendation
Version: New
Equivalent number: -
Timing: 2027-Q3 (Medium priority)
Liaison: -
Supporting members: -
Summary:
An Application Programming Interface (API) allows software applications to interact with each other and is widely used in modern software and systems. However, the widespread use of APIs has also introduced numerous security risks. Technical vulnerabilities, logic flaws, improper access controls and weak authentication are all potential sources of API security issues. This is particularly concerning because many APIs are accessible over the internet, which significantly increases their risk exposure. In 2023, OWASP released its updated Top 10 API Security Risks to address evolving API threats. This list provides crucial insights into the key security challenges in today's complex API ecosystem.
API security refers to the protection of APIs from misuse, malicious attacks and other threats through a set of strategies, techniques and methods. API security encompasses the entire lifecycle of an API, from planning to deprecation. Even though an API has passed security testing before deployment, security risks still arise during runtime due to issues such as version upgrades and configuration errors.
This proposal focuses on detecting public API security risks during the API runtime phase through two techniques: active detection and passive monitoring. These techniques identify security risks by discovering APIs, validating authentication and authorization, identifying vulnerabilities, monitoring abnormal behaviours and detecting data leakage. Active detection techniques work by actively constructing API requests and interacting with APIs to identify potential API runtime risks. Passive monitoring techniques work by monitoring API requests in real traffic to detect runtime risks and malicious behaviours.
Comment: -
Reference(s):
Historic references:
Contact(s):
ITU-T A.5 justification(s):
First registration in the WP: 2025-04-17 13:54:38
Last update: 2025-04-17 13:57:20