Configure Application Programming Interfaces in accordance with organizational standards.


CONTROL ID
12170
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure Application Programming Interfaces to enforce authentication., CC ID: 12172
  • Configure Application Programming Interfaces to employ strong cryptography., CC ID: 12171


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Application programming interfaces (APIs) enable various software applications to communicate and interact with each other and exchange data. Open APIs are publicly available APIs that provide developers with programmatic access to a software application or web service. FIs may collaborate with FinT… (§ 6.4.1, Technology Risk Management Guidelines, January 2021)
  • Security standards for designing and developing secure APIs should be established. The standards should include the measures to protect the API keys or access tokens, which are used to authorise access to APIs to exchange confidential data. A reasonable timeframe should be defined and enforced for a… (§ 6.4.4, Technology Risk Management Guidelines, January 2021)
  • Verify that user-submitted filename metadata is not used directly by system or framework filesystems and that a URL API is used to protect against path traversal. (12.3.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify API URLs do not expose sensitive information, such as the API key, session tokens etc. (13.1.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Security controls for the use of application programming interfaces (API). (V Action Summary ¶ 2 Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements API security tools and gateways with controls for requests and responses. (App A Objective 13:6i Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)