Findings

Missing global security

Updated: June 19, 2025

Description

An endpoint was found that is not protected by any security scheme.

Remediation

Your API should be protected by a `security` requirement declared either globally or on each operation. All operations should be protected, especially those that use state-changing HTTP methods such as `POST`, `PUT`, `PATCH` and `DELETE`. This is done with one or more non-empty `security` requirements; note that an operation-level `security: []` overrides the global rule and removes protection from that operation. Determine whether authentication is needed for each operation and implement it accordingly.
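The following is an added example (not code from the original page or from any scanner vendor) that implements the check this finding describes against an OpenAPI 3 document held as a plain dict: every operation must be covered by a non-empty `security` requirement, inherited from the top level or declared on the operation. It also treats two cases a practitioner wants flagged: an operation-level `security: []`, which overrides the global rule and disables authentication, and a `{}` entry in the list, which makes authentication optional. The sample specifications, scheme names and paths are constructed for the example.

```python
"""Find OpenAPI 3 operations with no effective security requirement.

Added example, not from the original page. Standard library only.
"""
from __future__ import annotations

import copy

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def effective_security(spec: dict, operation: dict) -> list | None:
    """Return the security requirement list that applies to an operation.

    OpenAPI semantics: an operation-level `security` key, even an empty
    list, overrides the global one; an absent key means inherit.
    """
    if "security" in operation:
        return operation["security"]
    return spec.get("security")


def is_protected(requirements: list | None) -> bool:
    """True only for a non-empty list whose entries each name a scheme.

    `security: []` disables authentication, and an empty object `{}` in
    the list allows anonymous calls, so both count as unprotected.
    """
    if not requirements:
        return False
    return all(isinstance(req, dict) and len(req) > 0 for req in requirements)


def unprotected_operations(spec: dict) -> list[str]:
    """List 'METHOD /path' for every operation lacking effective security."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            if not is_protected(effective_security(spec, op)):
                findings.append(f"{method.upper()} {path}")
    return findings


def undefined_schemes(spec: dict) -> set[str]:
    """Scheme names referenced by any requirement but missing from components."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    used: set[str] = set()
    for req in spec.get("security") or []:
        used.update(req)
    for item in spec.get("paths", {}).values():
        for method in HTTP_METHODS:
            for req in (item.get(method) or {}).get("security") or []:
                used.update(req)
    return used - defined


# Constructed sample: a global bearer rule exists, but two operations slip through.
WEAK_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {
            "get": {"summary": "list users"},                      # inherits global rule
            "post": {"summary": "create user", "security": []},    # override: auth disabled
        },
        "/users/{id}": {
            "delete": {"summary": "delete user", "security": [{}]},  # anonymous allowed
            "patch": {"summary": "update user", "security": [{"bearerAuth": []}]},
        },
        "/health": {"get": {"summary": "liveness"}},                # inherits global rule
    },
}

# Constructed sample: no global rule at all, plus a reference to an undefined scheme.
NO_GLOBAL_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/orders": {
            "post": {"summary": "create order"},
            "get": {"summary": "list orders", "security": [{"apiKeyAuth": []}]},
        }
    },
}

# Hardened copy of WEAK_SPEC: drop the empty override so POST inherits the
# global rule, and give DELETE an explicit non-empty requirement.
FIXED_SPEC = copy.deepcopy(WEAK_SPEC)
del FIXED_SPEC["paths"]["/users"]["post"]["security"]
FIXED_SPEC["paths"]["/users/{id}"]["delete"]["security"] = [{"bearerAuth": []}]

if __name__ == "__main__":
    for name, spec in (("weak", WEAK_SPEC), ("no-global", NO_GLOBAL_SPEC), ("fixed", FIXED_SPEC)):
        print(name, unprotected_operations(spec), undefined_schemes(spec))
```

Run it to see that the weak document reports `POST /users` and `DELETE /users/{id}`, the document without a global rule reports `POST /orders` and the undefined `apiKeyAuth` scheme, and the hardened copy reports nothing. The scheme check matters because a requirement naming a scheme that is not declared under `components.securitySchemes` is not enforceable by gateways that validate against the contract.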

Security Frameworks

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising a system's ability to identify the client or user compromises API security overall.

CIS-ASG-1.2.1: CIS 1.2.1: Define Authentication and Authorization Requirements

Decide whether the API requires authentication and authorization mechanisms, and which tools will be used to provide them. Role-based access controls will be implemented with user roles defined as user, admin, and superadmin, each having specific permissions and access levels to different data and functions within the API.

Rationale

Defining API authentication and authorization requirements provides a structured plan from the outset, outlining how user identity and access will be managed, which helps with risk mitigation by implementing appropriate security controls. This approach ensures compliance with regulatory laws and standards governing data protection and privacy, safeguarding against potential legal and compliance risks associated with API usage.

Remediation
  • Assess current authentication and authorization mechanisms.
  • Conduct a gap analysis between the existing mechanisms and those required by the compliance standards.
  • Define authentication methods (for example, SSO, OAuth, API key, JWT).
  • Establish user and entity-specific authorization controls (for example, user, admin).
  • Document requirements.
Audit
  • Review the documentation and the requirements provided by the development team and the compliance standards to ensure alignment and completeness.
  • Evaluate compliance with requirements using VAPT and/or automated solutions across various use cases, including normal scenarios and situations where low-privilege users attempt to access high-privilege data or data belonging to other users.
  • Ensure the current state complies with compliance standards.
  • Ensure proper and secure management of secrets and tokens, employing solutions like encrypted vaults to safeguard sensitive information.