Check: SRG-APP-000095-API-001785
Application Programming Interface (API) SRG: SRG-APP-000095-API-001785 (in version v1 r1)
Title
The API must audit execution time and performance metrics. (Cat II impact)
Discussion
The API must audit execution time and performance metrics to ensure optimal operation, detect bottlenecks, and maintain a high level of service reliability. Monitoring and logging execution time allows the API to track how long each request takes to process, helping to identify slow endpoints or inefficient processing. By auditing performance metrics, the API can detect patterns that indicate potential issues, such as sudden spikes in latency or resource consumption, which may be early signs of performance degradation or impending system failures. Along with knowing when an event occurred, monitoring execution time can highlight unusual patterns, such as denial-of-service (DoS) attacks, where the API is deliberately slowed down by an overwhelming number of requests.
Check Content
Verify the API audits execution time and performance metrics.
1. Inspect the API's logs to ensure they capture execution times, request latency, and other performance metrics.
2. Simulate various requests and verify execution time and performance metrics are logged correctly.
3. Verify the API is configured to track and log performance data, including response times and throughput.
4. Review the API's documentation to ensure execution time and performance auditing is enabled.
If the API is not auditing execution time and performance metrics, this is a finding.
Fix Text
Build or configure the API to track and log performance data, including response times and throughput.
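One way to satisfy the fix text, as an added illustration rather than code from the SRG: a small handler wrapper that times every request, emits one JSON audit line per request carrying the event type, timestamp, status, latency and current throughput, and a reviewer-side check for step 1 of the check content. The `PerformanceAuditor` class, the field names, the `sink` and injectable `clock` are all assumptions of this example, not part of the SRG.

```python
import json
import time
from collections import deque
from datetime import datetime, timezone

# Fields every audit record must carry: the event type (CCI-000130), when, and its timing.
REQUIRED_FIELDS = {"event_type", "timestamp", "method", "path", "status", "duration_ms"}

class PerformanceAuditor:
    # Hypothetical wrapper: runs request handlers and emits one JSON audit line per request.
    def __init__(self, sink, window_s=60.0, slow_ms=500.0, clock=time.perf_counter):
        self.sink = sink            # callable that receives one JSON line per record
        self.window_s = window_s    # sliding window for throughput (requests/second)
        self.slow_ms = slow_ms      # latency above which the record is flagged "slow"
        self.clock = clock          # injectable monotonic clock, in seconds
        self._completed = deque()   # completion times inside the window

    def throughput(self, now):
        # Requests per second completed during the last window_s seconds.
        while self._completed and now - self._completed[0] > self.window_s:
            self._completed.popleft()
        return len(self._completed) / self.window_s

    def handle(self, method, path, handler):
        # Run handler() -> (status, body); the audit record is written even if it raises.
        start = self.clock()
        status = 500                # recorded when the handler raises
        try:
            status, body = handler()
            return status, body
        finally:
            end = self.clock()
            self._completed.append(end)
            duration_ms = (end - start) * 1000.0
            self.sink(json.dumps({
                "event_type": "api.request.completed",
                "timestamp": datetime.now(timezone.utc).isoformat(),
                "method": method, "path": path, "status": status,
                "duration_ms": round(duration_ms, 3),
                "slow": duration_ms > self.slow_ms,
                "throughput_rps": round(self.throughput(end), 4),
            }))

def audit_record_is_complete(line):
    # Check step 1 of the SRG on one log line (assumed to be valid JSON): it must name
    # the event type and carry a non-negative execution time.
    rec = json.loads(line)
    if not isinstance(rec, dict) or not REQUIRED_FIELDS.issubset(rec):
        return False
    return isinstance(rec["duration_ms"], (int, float)) and rec["duration_ms"] >= 0
```

In a real deployment the `sink` would append to the API's audit log; passing a fake clock, as the assertions do, lets step 2 (simulating requests and checking the logged values) run deterministically.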
Additional Identifiers
Rule ID: SV-274532r1143561_rule
Vulnerability ID: V-274532
Group Title: SRG-APP-000095
CCIs
| Number | Definition |
|---|---|
| CCI-000130 | Ensure that audit records contain information that establishes what type of event occurred. |
Controls
| Number | Title |
|---|---|
| AU-3 | Content of Audit Records |