
V-274785

CAT II (Medium)

API services identified within the system as unnecessary and/or nonsecure must be disabled.

Rule ID

SV-274785r1143921_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-000382

Discussion

It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. Such unnecessary APIs are often overlooked and therefore may remain unsecured; they increase the risk to the platform by providing additional attack vectors. APIs are capable of providing a variety of functions and services, and some of the functions and services enabled by default may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of nonessential capabilities include, but are not limited to, application features and functions that are not intended to be used programmatically, such as an exposed user self-registration endpoint.

Check Content

Verify that API services identified within the system as unnecessary and/or nonsecure are disabled.

Review the API documentation and configuration.

Interview the API administrator.

Identify the services, network ports, and protocols used by the API.

Using a combination of relevant OS commands and API configuration utilities, identify the services and TCP/IP port numbers the API is configured to use and is actually using. Compare the two: a port that is bound on the host but absent from the API configuration indicates a service enabled by default rather than by design.

Review the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) at https://cyber.mil/ppsm/cal/.

Verify that every port and service used by the API is approved by the PPSM CAL.

If any port or service used by the API is not approved by the PPSM CAL, this is a finding.
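The check above asks the reviewer to enumerate the ports the API is actually using with OS commands and compare them against an approved list. The script below is an added example of that comparison and is not part of the STIG or of any DISA tooling. It parses output in the format of `ss -H -tulpn` (the sample here is constructed, not captured from a real host) and reports every listening socket whose protocol/port pair is missing from an approved-ports list. The approved list is a stand-in for the entries an assessor would copy from the PPSM CAL for the system under review; it is an assumption, not CAL content.

```shell
#!/usr/bin/env bash
# Added example: compare listening sockets against an approved-ports list.
# Not DISA or STIGhub code; the approved list and sample sockets are constructed.
set -u

# Assumed approved list, one "proto/port" per line. In a real assessment this is
# populated from the PPSM CAL entries applicable to the system, not from this file.
APPROVED_PORTS="tcp/443
tcp/8443"

# Constructed sample resembling `ss -H -tulpn` output (columns: Netid State
# Recv-Q Send-Q Local:Port Peer:Port Process). Not captured from a real host.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      4096     0.0.0.0:443     0.0.0.0:*    users:(("api-gateway",pid=1201,fd=7))
tcp   LISTEN 0      128      0.0.0.0:8080    0.0.0.0:*    users:(("api-gateway",pid=1201,fd=8))
tcp   LISTEN 0      128      127.0.0.1:9090  0.0.0.0:*    users:(("prometheus",pid=1300,fd=5))
udp   UNCONN 0      0        0.0.0.0:161     0.0.0.0:*    users:(("snmpd",pid=900,fd=6))'

# find_unapproved_ports SS_OUTPUT APPROVED
# Prints "proto/port process" for every socket not in APPROVED.
# Returns 1 if any unapproved socket was found (a finding), 0 otherwise.
find_unapproved_ports() {
  local ss_output="$1" approved="$2" finding=0
  local proto state recvq sendq local_addr peer rest port proc
  while read -r proto state recvq sendq local_addr peer rest; do
    [ -z "$proto" ] && continue
    # Port is everything after the last colon, which also handles "[::]:443" and "*:443".
    port="${local_addr##*:}"
    # Process name from users:(("name",pid=...,fd=...)); may be absent without privilege.
    proc=$(printf '%s' "$rest" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
    proc="${proc:-unknown}"
    if ! printf '%s\n' "$approved" | grep -qx "$proto/$port"; then
      printf '%s/%s %s\n' "$proto" "$port" "$proc"
      finding=1
    fi
  done <<EOF
$ss_output
EOF
  return "$finding"
}

# Stand-alone run against the constructed sample. On a live host replace the first
# argument with "$(ss -H -tulpn)" and the second with the CAL-derived list.
if [ "${1:-}" = "--demo" ]; then
  if find_unapproved_ports "$SAMPLE_SS_OUTPUT" "$APPROVED_PORTS"; then
    echo "no unapproved listening sockets"
  else
    echo "FINDING: unapproved listening sockets present"
  fi
fi
```

Run it as `bash script.sh --demo` to see the three unapproved sockets from the sample (8080, 9090 and 161); in the sample, 8080 is the kind of default-enabled listener the Discussion warns about, bound by the API process itself but absent from the approved list. The script only covers the "is using" half of the check; the "is configured to use" half still requires reading the API's own configuration, since a service can be configured but not yet bound.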

Fix Text

Build or configure the API to use only the necessary and secure services and ports approved by the PPSM CAL, and disable or remove every other service.