Check: SRG-APP-000435-API-000995
Application Programming Interface (API) SRG:
SRG-APP-000435-API-000995
(in version v1 r1)
Title
The API must use a gateway. (Cat II impact)
Discussion
An API gateway acts as a centralized point for managing and securing API traffic, improving the overall security posture of an API ecosystem. The gateway protects backend services by abstracting and controlling access to APIs, enabling features such as authentication, authorization, rate limiting, and IP whitelisting. It can enforce security policies such as SSL/TLS encryption, protect against distributed denial-of-service (DDoS) attacks, and log and audit all requests for compliance and monitoring. It also simplifies the management of API keys, tokens, and other credentials, reducing the exposure of sensitive information. By consolidating security functions in the gateway, organizations can manage and enforce consistent security measures across all API endpoints, providing a stronger defense against potential threats.
Check Content
Note: The authorizing official (AO) may conduct a risk assessment if not using an API Gateway. The API must be routed through a gateway that enforces protections against denial-of-service (DoS) attacks such as rate limiting, request throttling, and anomaly detection in accordance with organization-defined thresholds. If the API does not use a gateway, this is a finding.
Fix Text
Build or configure the API to use a gateway.
Additional Identifiers
Rule ID: SV-274707r1143741_rule
Vulnerability ID: V-274707
Group Title: SRG-APP-000435
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events. |
Controls
| Number | Title |
|---|---|
| SC-5 | Denial-of-service Protection |