Domain 4 of 6 · Chapter 5 of 7

Verified Secure Software

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • Securing APIs: authenticate, authorize, validate, throttle
  • The OWASP API Security Top 10: authorization is the headline
  • Software supply chain: know what you ship and where it came from
  • Third-party and open-source: vetting, licensing, and escrow
  • Exam-pattern recognition

The three things you verify, and the evidence that makes each trustworthy

Verification targetAPIsSupply chain (dependencies)Third-party and open-source software
What you are acceptingA caller crossing a trust boundaryA delivery channel for someone else's codeAn acquired component or service you will rely on
Primary failureBroken object-level authorization (BOLA) and broken authenticationCompromised build or publish step, malicious or typosquatted packageUnvetted code, license non-compliance, vendor going dark
Reference authorityOWASP API Security Top 10NIST SSDF and CSA supply-chain guidanceISO/IEC 27036 (supplier relationships)
Core controlAuthn, per-request authz, schema validation, rate limitingSBOM, provenance and signature verification, SCAVendor assessment, license management, source-code escrow
Evidence of trustAPI tested against the OWASP API Top 10Signed artifacts traced to a known build, clean SCA scanAssessment report, compatible license, escrow agreement

Decision tree

What are you trusting?software you acquire or exposeAn API call?expose or consumeAn open-source dep?library / packageCommercial vendor?paid third-party softwareAPIopen sourcecommercialAuthn, per-object authz,schema validation, rate limitvs OWASP API Top 10SBOM + provenance + SCA+ license reviewvalidate before adoptingVendor assessment +license mgmt + escrowISO/IEC 27036Always: record the component in an SBOM and re-check it over timetrust is verified, then monitored, never assumed once

Cheat sheet

  • Verify acquired software before you trust it; most of your app is code you didn't write
  • Treat every API as a trust boundary, internal endpoints included
  • Broken object-level authorization is the #1 API risk, and it is an authz failure not injection
  • On API questions, suspect authorization and authentication before injection
  • Broken function-level authorization lets an ordinary user reach admin operations
  • Validate API requests against a strict schema to stop injection and mass assignment
  • Rate limit APIs, because unrestricted consumption is a denial-of-wallet risk in the cloud
  • An API key identifies an app; it is not user authentication
  • Validate responses from APIs you consume; upstream data is untrusted input
  • An SBOM is the inventory that tells you where a vulnerable component ships
  • Provenance proves an artifact came from where it claims, via signatures and pinning
  • SCA runs continuously, because a clean component becomes vulnerable when a CVE is published
  • A dependency pulls in its transitive dependencies, maintainers, and build pipeline
  • Open source is free to use, not free to trust: validate the project, not the download count
  • Distinguish permissive from copyleft licenses, because copyleft can force source disclosure
  • Treat a license as a security and compliance control, not paperwork
  • Assess a vendor's posture before you buy, using attestations and a mapped questionnaire
  • Source-code escrow protects continuity if a critical vendor goes dark
  • SBOM is the list, SCA is the watch, provenance is the proof of origin
  • VEX is the machine-readable attestation of whether a CVE is actually exploitable in your product
  • Fix a vulnerable transitive dependency by upgrading the direct dependency that pulls it in

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. RFC 6749: The OAuth 2.0 Authorization Framework Whitepaper
  2. RFC 7519: JSON Web Token (JWT) Whitepaper
  3. OpenAPI Specification
  4. API1:2023 Broken Object Level Authorization
  5. API2:2023 Broken Authentication
  6. Software Bill of Materials (SBOM)
  7. NIST SP 800-218: Secure Software Development Framework (SSDF) v1.1 Whitepaper
  8. OWASP Top 10 A06:2021 Vulnerable and Outdated Components
  9. ISO/IEC 27036-1:2014: Information security for supplier relationships Whitepaper
  10. OWASP API Security Top 10 (2023)