Verified Secure Software
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.
Included in this chapter:
- Securing APIs: authenticate, authorize, validate, throttle
- The OWASP API Security Top 10: authorization is the headline
- Software supply chain: know what you ship and where it came from
- Third-party and open-source: vetting, licensing, and escrow
- Exam-pattern recognition
The three things you verify, and the evidence that makes each trustworthy
| Verification target | APIs | Supply chain (dependencies) | Third-party and open-source software |
|---|---|---|---|
| What you are accepting | A caller crossing a trust boundary | A delivery channel for someone else's code | An acquired component or service you will rely on |
| Primary failure | Broken object-level authorization (BOLA) and broken authentication | Compromised build or publish step, malicious or typosquatted package | Unvetted code, license non-compliance, vendor going dark |
| Reference authority | OWASP API Security Top 10 | NIST SSDF and CSA supply-chain guidance | ISO/IEC 27036 (supplier relationships) |
| Core control | Authn, per-request authz, schema validation, rate limiting | SBOM, provenance and signature verification, SCA | Vendor assessment, license management, source-code escrow |
| Evidence of trust | API tested against the OWASP API Top 10 | Signed artifacts traced to a known build, clean SCA scan | Assessment report, compatible license, escrow agreement |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- RFC 6749: The OAuth 2.0 Authorization Framework Whitepaper
- RFC 7519: JSON Web Token (JWT) Whitepaper
- OpenAPI Specification
- API1:2023 Broken Object Level Authorization
- API2:2023 Broken Authentication
- Software Bill of Materials (SBOM)
- NIST SP 800-218: Secure Software Development Framework (SSDF) v1.1 Whitepaper
- OWASP Top 10 A06:2021 Vulnerable and Outdated Components
- ISO/IEC 27036-1:2014: Information security for supplier relationships Whitepaper
- OWASP API Security Top 10 (2023)