A security analyst is generating a list of recommendations for the company's insecure API. Which of the following is the BEST parameter mitigation recommendation?
A. Use TLS for all data exchanges.
B. Use effective authentication and authorization methods.
Answer is D - Using effective authentication and authorization methods (option B) is important for ensuring that only authorized users can access the API, but it does not specifically address the issue of insecure API parameters.
I think all of them are good recommendations, but B is more important for me, because with a proper authorization and authentication mechanism you are ensuring that only trusted sources/destinations get involved in the exchange of information. After this, you can set other security controls, such as validating the incoming data and establishing a secure channel with TLS.
Reference: https://www.techtarget.com/searchapparchitecture/tip/10-API-security-guidelines-and-best-practices
Access-related attacks would require authentication as a mitigation measure.
Parameter attacks like injection require code validation as a security measure.
Answer is D
Validating all incoming data would be the BEST parameter mitigation recommendation for an insecure API. This is because validating incoming data helps to prevent injection attacks, such as SQL injection or cross-site scripting (XSS), by ensuring that the data is in the expected format and does not contain malicious code or unexpected characters. While TLS, authentication and authorization methods, and parameterized queries are also important security measures, they do not specifically address parameter validation and would not be the BEST parameter mitigation recommendation in this case.
The question says "parameter mitigation", which I admit is not very clear, but makes me want to choose D instead of B.
Of course B is always required when building an API, but I don't think that is what the question is asking for.
Also: https://www.esecurityplanet.com/applications/how-to-control-api-security-risks/
API Security Top 10 2019
Here is a sneak peek of the 2019 version:
API1:2019 Broken Object Level Authorization
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user.
API2:2019 Broken User Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising a system's ability to identify the client/user compromises API security overall.
Authentication and Authorization
Both authentication and authorization are core to the security of APIs. They play different roles but together they ensure that the right legitimate consumer has the right permissions to access an API.
A reasonable and simple answer. I support this.
I also found this other reference: https://www.techtarget.com/searchapparchitecture/tip/10-API-security-guidelines-and-best-practices
One common reason is that access to the APIs is often uncontrolled; insufficient permissions or authentication may be involved in accessing the API by unauthorized personnel.
• Broken object-level authorization: failure to authorize access on an object basis
• Broken user authentication: failure to account for all the different ways a user could authenticate to the API, such as through other applications
https://learning.oreilly.com/library/view/comptia-cysa
I also would honestly want to believe C is the answer, as the question is "BEST parameter mitigation recommendation"; wouldn't that be implementing parameterized queries?
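The thread keeps circling the difference between "validate all incoming data" and "use parameterized queries" as the parameter mitigation. The following added example (written for this page, not taken from the exam, the cited references or any commenter) shows both controls on a toy user-lookup API backed by an in-memory SQLite table; the table, the sample users, the injection payload and the allowed-username pattern are all constructed assumptions for illustration. It also shows a case parameterized queries cannot cover at all: a client-supplied sort column, which can only be bound by validating it against an allowlist.

```python
import re
import sqlite3


class InvalidParameter(ValueError):
    """Raised when an API parameter fails validation (assumed error type for this example)."""


def make_db():
    """Build a constructed in-memory table standing in for the API's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "alice@example.com", 0), (2, "bob", "bob@example.com", 1)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Insecure handler: the request parameter is concatenated straight into SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized query: the value is bound by the driver, never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed username policy for this API: 3-32 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(value):
    """Input validation: reject anything that is not a well-formed username."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise InvalidParameter("username must be 3-32 characters of [a-z0-9_]")
    return value


def lookup_hardened(conn, username):
    """Both controls together: validate the parameter, then bind it."""
    return lookup_parameterized(conn, validate_username(username))


# Identifiers (column names) cannot be bound as query parameters, so the only
# defence for a client-chosen sort field is validation against an allowlist.
ALLOWED_SORT_COLUMNS = {"id", "username", "email"}


def list_users(conn, sort_by):
    """List users ordered by a client-supplied column, allowlisted before use."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise InvalidParameter("sort_by must be one of " + ", ".join(sorted(ALLOWED_SORT_COLUMNS)))
    # Safe to interpolate only because sort_by was just checked against the allowlist.
    return conn.execute("SELECT id, username FROM users ORDER BY " + sort_by).fetchall()


def rejects(fn, *args):
    """Return True if fn(*args) raises InvalidParameter; used to show a parameter being refused."""
    try:
        fn(*args)
    except InvalidParameter:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # constructed injection payload
    print("vulnerable   :", lookup_vulnerable(db, payload))      # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))   # no match, nothing leaks
    print("hardened     :", rejects(lookup_hardened, db, payload))  # rejected before the query
    print("sort allowed :", list_users(db, "username"))
    print("sort rejected:", rejects(list_users, db, "id; DROP TABLE users"))
```

Parameterization closes the classic injection path for values, but it says nothing about whether the value itself is sane, and it cannot be applied to identifiers, limits that are interpolated as numbers, or parameters that reach a non-SQL sink (a shell, LDAP, a file path). That is why "validate all incoming data" is the broader parameter mitigation and parameterized queries are one specific technique under it.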
Community vote distribution: A (35%), C (25%), B (20%), Other