Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

Information Discovery: Undocumented API

Abstract
Undocumented or limited documentation for API endpoints can provide attackers with an attack surface that is usually not sufficiently tested for security vulnerabilities.
Explanation
APIs usually outgrow their initial scope. New features, breaking changes, security patches, and bug fixes are required regularly. Versioning helps to provide newer features while keeping the existing features available for backward compatibility or for users that are not ready to upgrade. Without a proper deprecation policy and thorough documentation, older API endpoints might still be accessible. If not all versions of supported APIs are included in the relevant specification files (e.g., Swagger) or managed lists (e.g., API gateway), then they are likely not covered by the relevant quality and security evaluation procedures, leaving part of the attack surface untested.
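The inventory gap described above can be checked mechanically by comparing what the API gateway actually serves against what the specification documents. The following Python script is an example added to this page (not Fortify's own tooling); the OpenAPI fragment and the gateway route export are constructed inline, and in practice they would be loaded from the repository and exported from the gateway or reconstructed from access logs.

```python
"""Inventory check: report API routes that are served but absent from the
OpenAPI/Swagger specification, and which version prefixes are still live.
Example code added to this page; inputs below are constructed."""
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed OpenAPI fragment: only the v2 endpoints are documented.
OPENAPI_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "paths": {
    "/v2/users/{id}": {"get": {}, "delete": {}},
    "/v2/orders": {"get": {}, "post": {}}
  }
}
""")

# Constructed export of (method, path template) pairs the gateway actually routes.
GATEWAY_ROUTES: List[Tuple[str, str]] = [
    ("GET", "/v2/users/{id}"),
    ("DELETE", "/v2/users/{id}"),
    ("GET", "/v2/orders"),
    ("POST", "/v2/orders"),
    ("GET", "/v1/users/{userId}"),                  # old version, never deprecated
    ("POST", "/v1/users/{userId}/reset-password"),  # old version, never deprecated
    ("GET", "/internal/debug"),                     # not in any spec at all
]

_HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
_PATH_PARAM = re.compile(r"\{[^}]+\}")
_VERSION_PREFIX = re.compile(r"^/(v\d+)/")


def normalize(path: str) -> str:
    """Canonicalize a path template so that parameter names and trailing
    slashes do not matter: /users/{id}/ and /users/{userId} compare equal."""
    return _PATH_PARAM.sub("{}", path.rstrip("/") or "/")


def documented_operations(spec: dict) -> Set[Tuple[str, str]]:
    """Set of (METHOD, normalized path) operations present in the spec."""
    ops: Set[Tuple[str, str]] = set()
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in _HTTP_METHODS:
                ops.add((method.upper(), normalize(path)))
    return ops


def undocumented_routes(spec: dict, routes: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Routes the gateway serves that no documented operation covers."""
    documented = documented_operations(spec)
    return sorted(
        (method.upper(), path)
        for method, path in routes
        if (method.upper(), normalize(path)) not in documented
    )


def versions_in_use(routes: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count served routes per version prefix (v1, v2, ...) so that versions
    that should have been retired under the deprecation policy stand out."""
    counts: Dict[str, int] = {}
    for _, path in routes:
        match = _VERSION_PREFIX.match(path)
        key = match.group(1) if match else "unversioned"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for method, path in undocumented_routes(OPENAPI_SPEC, GATEWAY_ROUTES):
        print(f"UNDOCUMENTED {method} {path}")
    print("routes per version:", versions_in_use(GATEWAY_ROUTES))
```

Any route reported as undocumented is a candidate either for inclusion in the specification (so that it enters the normal test and review procedures) or for removal under the deprecation policy; the per-version counts make it obvious when an old version is still being routed long after its successor shipped.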
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 1059
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP API 2023 API9 Improper Inventory Management
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.1.4 Secure Software Development Lifecycle (L2 L3)
[8] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[9] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.4 - Secure Defaults, Control Objective C.1.1 - Web Software Components & Services
[11] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002610 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002610 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II