Check: SRG-APP-000098-API-000145
Application Programming Interface (API) SRG:
SRG-APP-000098-API-000145
(in version v1 r1)
Title
All defined API elements must be documented. (Cat II impact)
Discussion
All defined API elements and their security-relevant configurations must be documented and enforced, ensuring compliance with the organization's approved security baselines. Identifying all API elements that must be logged is essential for security, monitoring, and threat detection. Documenting and enforcing security-relevant configurations for all defined API elements ensures consistency, reduces misconfigurations, and supports compliance with organizational security baselines. This practice enhances system integrity, simplifies audits, and helps prevent vulnerabilities caused by undocumented or insecure API behaviors.
Check Content
To identify APIs in use:

- Analyze application code for API calls, URLs, and authentication keys in frontend and backend components.
- Use network monitoring tools to capture API traffic in real time.
- Check browser DevTools (Network tab) for active API requests in web applications.
- Review server and API gateway logs (e.g., AWS CloudWatch, Nginx logs) to track API calls and usage patterns.
- Inspect configuration files, environment variables, and documentation for references to external or internal APIs.

If any defined API elements or their security-relevant configurations are not documented and enforced in accordance with the organization's approved security baselines, this is a finding.
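The log-review step above can be partly automated: enumerate the API elements actually exercised in traffic, diff them against the documented inventory, and diff the documented security-relevant configuration against what is deployed. The script below is an added example, not part of the SRG or any DISA tooling. The Nginx "combined" access-log lines are constructed, and the inventory format (method plus normalized path mapped to `auth` and `audit_logged` settings) and the `DEPLOYED_CONFIG` dictionary are assumptions standing in for whatever the organization's baseline and gateway configuration actually look like.

```python
import re
from collections import Counter

# Constructed Nginx "combined" access-log sample; not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:15:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512 "-" "curl/8.4"
10.0.0.5 - - [12/Mar/2025:10:15:02 +0000] "POST /api/v1/orders HTTP/1.1" 201 88 "-" "curl/8.4"
10.0.0.7 - - [12/Mar/2025:10:15:03 +0000] "GET /api/v1/users/77?expand=1 HTTP/1.1" 200 498 "-" "curl/8.4"
10.0.0.9 - - [12/Mar/2025:10:15:04 +0000] "DELETE /api/v1/admin/export HTTP/1.1" 200 10 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2025:10:15:05 +0000] "GET /static/app.js HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
this line does not match the access-log format and must be skipped
"""

# Hypothetical documented inventory: (method, normalized path) -> required
# security-relevant configuration. Field names are assumptions for this example.
DOCUMENTED_API = {
    ("GET", "/api/v1/users/{id}"): {"auth": "bearer", "audit_logged": True},
    ("POST", "/api/v1/orders"): {"auth": "bearer", "audit_logged": True},
}

# Hypothetical configuration as actually deployed on the gateway (constructed):
# the orders endpoint has drifted from the documented baseline (audit logging off).
DEPLOYED_CONFIG = {
    ("GET", "/api/v1/users/{id}"): {"auth": "bearer", "audit_logged": True},
    ("POST", "/api/v1/orders"): {"auth": "bearer", "audit_logged": False},
}

# Nginx "combined" format: client, ident, user, [time], "METHOD path proto", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# A path segment consisting only of digits is treated as a resource identifier.
ID_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize_path(path):
    """Drop the query string and collapse numeric segments to {id} so that
    /api/v1/users/42 and /api/v1/users/77 count as one API element."""
    path = path.split("?", 1)[0]
    return ID_SEGMENT.sub("/{id}", path)


def parse_api_calls(log_text, api_prefix="/api/"):
    """Return a Counter of (method, normalized path) observed under api_prefix.
    Lines that do not parse, or that are not API calls, are ignored."""
    calls = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(api_prefix):
            continue
        calls[(m.group("method"), normalize_path(m.group("path")))] += 1
    return calls


def find_undocumented(observed, documented):
    """API elements seen in traffic but absent from the inventory: each is a finding."""
    return sorted(set(observed) - set(documented))


def find_unenforced(documented, deployed):
    """Documented elements whose deployed configuration is missing or differs from
    the documented baseline: each is a finding (documented but not enforced)."""
    findings = []
    for element, baseline in documented.items():
        actual = deployed.get(element)
        if actual != baseline:
            findings.append((element, baseline, actual))
    return findings


if __name__ == "__main__":
    observed = parse_api_calls(SAMPLE_LOG)
    for element in find_undocumented(observed, DOCUMENTED_API):
        print("FINDING undocumented element:", element, "calls:", observed[element])
    for element, baseline, actual in find_unenforced(DOCUMENTED_API, DEPLOYED_CONFIG):
        print("FINDING baseline not enforced:", element, "documented", baseline, "deployed", actual)
```

Running it reports the `DELETE /api/v1/admin/export` element as undocumented and the `POST /api/v1/orders` element as documented but not enforced. On a real assessment the inventory would be loaded from the organization's API documentation and the deployed settings pulled from the gateway or server configuration; the normalization rule also needs extending for non-numeric identifiers such as UUIDs, otherwise one logical element shows up as many.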
Fix Text
Update the documentation to include all defined API elements and their security-relevant configurations. Ensure each element is properly logged and monitored in accordance with the organization's approved security baselines.
Additional Identifiers
Rule ID: SV-274537r1143570_rule
Vulnerability ID: V-274537
Group Title: SRG-APP-000098
CCIs
| Number | Definition |
|---|---|
| CCI-000133 | Ensure that audit records contain information that establishes the source of the event. |
Controls
| Number | Title |
|---|---|
| AU-3 | Content of Audit Records |