
API Risk Scoring


Release notes

Identify gaps in your API Security Design and remediate them to shift your API Security left.

Problem to solve

Security teams are tasked with managing risk across all of their organization's APIs. When vulnerabilities are found, each one carries a severity score, but managing numerous vulnerabilities at scale across a large organization requires more context. Providing a risk score for each API (rather than looking only at each vulnerability) lets teams prioritize where to focus their risk reduction efforts.

Proposal

Provide a risk score for every API and display the score on a dashboard that can be sorted and filtered.

Scope

Must Have

  • Risk score takes into account:
    • Sensitivity of response data (names, SSNs, email addresses, passwords, credit card data, and data regulated under HIPAA, PCI DSS, GDPR, etc.)
    • AuthN issues
    • AuthZ issues
  • Risk score for each API displayed on API Inventory
  • Support for:
    • REST
    • SOAP
    • GraphQL

Won't Have

  • Insights from runtime analysis
  • gRPC support
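The three scoring inputs listed under Must Have (response data sensitivity, AuthN findings, AuthZ findings) combined into a sortable, filterable per-API inventory, as an added illustrative example in Python. This is not GitLab's code and the issue defines no formula: the per-class weights, the additive scoring with a cap at 100, the detector regexes and the four sample endpoints with their response bodies are all assumptions constructed for this example.

```python
"""Illustrative per-API risk scorer (added example, not GitLab code).
Weights, formula, detectors and sample data are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed weight per sensitive data class observed in a response body.
DATA_WEIGHTS = {"ssn": 30, "credit_card": 30, "password": 25, "email": 10, "name": 5}
AUTHN_WEIGHT = 25  # assumed points per authentication finding
AUTHZ_WEIGHT = 20  # assumed points per authorization finding

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate PAN, confirmed by Luhn
# Field names that usually carry a credential, in JSON ("password": ...) or XML (<password>).
PASSWORD_KEY_RE = re.compile(r'(?:"(?:password|passwd|pwd|secret)"\s*:|<(?:password|passwd|pwd|secret)>)', re.I)
NAME_KEY_RE = re.compile(r'"(?:first_name|last_name|full_name|name)"\s*:', re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject random digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_response(body: str) -> set[str]:
    """Return the set of sensitive data classes detected in a response body."""
    found: set[str] = set()
    if SSN_RE.search(body):
        found.add("ssn")
    if EMAIL_RE.search(body):
        found.add("email")
    if PASSWORD_KEY_RE.search(body):
        found.add("password")
    if NAME_KEY_RE.search(body):
        found.add("name")
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("credit_card")
            break
    return found


@dataclass
class ApiEndpoint:
    name: str              # e.g. "GET /v1/customers/{id}"
    protocol: str          # "REST", "SOAP" or "GraphQL"
    sample_response: str   # constructed sample of what the endpoint returns
    authn_issues: list[str] = field(default_factory=list)
    authz_issues: list[str] = field(default_factory=list)


def score_breakdown(api: ApiEndpoint) -> dict:
    """Additive score (assumed formula), capped at 100, plus the factors behind it."""
    classes = classify_response(api.sample_response)
    raw = (sum(DATA_WEIGHTS[c] for c in classes)
           + AUTHN_WEIGHT * len(api.authn_issues)
           + AUTHZ_WEIGHT * len(api.authz_issues))
    return {"score": min(100, raw), "data_classes": sorted(classes),
            "authn": len(api.authn_issues), "authz": len(api.authz_issues)}


def build_inventory(apis: list[ApiEndpoint]) -> list[dict]:
    """Inventory rows sorted highest risk first; ties broken by name for stable output."""
    rows = [{"name": a.name, "protocol": a.protocol, **score_breakdown(a)} for a in apis]
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


def filter_inventory(rows: list[dict], protocol: str | None = None, min_score: int = 0) -> list[dict]:
    """Dashboard-style filter by protocol and minimum score; keeps the sort order."""
    return [r for r in rows
            if (protocol is None or r["protocol"] == protocol) and r["score"] >= min_score]


# Constructed sample endpoints; the response bodies and findings are invented for this example.
SAMPLE_APIS = [
    ApiEndpoint("GET /v1/customers/{id}", "REST",
                '{"name": "Ada Lovelace", "email": "ada@example.com", "ssn": "123-45-6789"}',
                authz_issues=["object-level authorization not enforced on {id}"]),
    ApiEndpoint("POST /v1/payments", "REST",
                '{"card_number": "4111 1111 1111 1111", "amount": 42.0, "status": "ok"}',
                authn_issues=["no authentication required"]),
    ApiEndpoint("query { products }", "GraphQL",
                '{"data": {"products": [{"title": "Widget", "price": 9.99}]}}'),
    ApiEndpoint("getEmployee", "SOAP",
                "<getEmployeeResponse><email>bob@example.com</email>"
                "<password>hunter2</password></getEmployeeResponse>",
                authn_issues=["no authentication required"]),
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_APIS):
        print(f'{row["score"]:3d}  {row["protocol"]:8s} {row["name"]:28s} {row["data_classes"]}')
```

Two design points a practitioner would want: the score returns its breakdown (data classes, AuthN and AuthZ counts) so the dashboard can explain a number rather than just rank it, and the card-number detector requires a Luhn-valid digit run so that order IDs and timestamps do not inflate the data-sensitivity component. The regexes are deliberately narrow; a real classifier would also need to handle keys in XML and GraphQL responses, which this example only partly does.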

Intended users

Personas are described at https://about.gitlab.com/handbook/product/personas/

Edited by 🤖 GitLab Bot 🤖