API security posture assessment workflow
eight-layer record, one engagement

A current list of REST, GraphQL, gRPC behind HTTP, and webhook APIs in scope, each bound to an owning team, an environment tier (production, staging, development), an exposure class (public, partner, internal), and a verified domain or repository on the workspace. Estate inventory without ownership binding is a spreadsheet that nobody updates; estate inventory with ownership binding is a queryable record that drives every downstream queue.

Comparison of the documented inventory against what is actually reachable on the verified domains and repositories. New endpoints discovered on production that are not on the inventory enter the shadow API queue; deprecated endpoints still reachable on production that should have been retired enter the zombie API queue. The discipline is a continuous reconciliation rather than a one-shot audit.

A held record of the OpenAPI, GraphQL SDL, gRPC proto, or AsyncAPI specification for each API in the inventory. Specifications without a version held on the workspace are unreviewable. The governance layer captures the current spec, the prior spec, the named author, the named reviewer, the framework citations the spec carries, and the cross-reference to the engagement that produced the latest review.

For every API in the inventory, the authenticated scan coverage running on documented credentials (cookie, bearer, basic, form, mTLS, API key, OAuth client credentials) with each credential held in the encrypted credential vault, scoped to the verified domain, and bound to the engagement that runs the scan. Credential lifecycle (issue, rotate, expire, revoke) is recorded with named actor and timestamp.

The current set of open posture findings on the API estate produced by authenticated scanning, external scanning, code scanning, manual review, imported third-party output, bug bounty intake, and internal disclosure intake. Each finding carries the affected API reference, the OWASP API Security Top 10 mapping or other taxonomy, the calibrated CVSS 3.1 vector, the routing rule, the named owner, the SLA tier, and the framework citation set the finding reads against.

A continuous read of how the estate inventory, the schema corpus, the authenticated coverage, and the finding catalogue change across scan cycles. Seven event classes recur: new API added, API exposure class changed, schema breaking change, endpoint added or removed, authentication mode changed, new finding type observed, finding resolved or regressed. Each event class has a named owner and a documented response window.

Posture findings that the programme accepts as risk, suppresses, defers, or compensates against another control land on the override register with the eight-field decision chain (linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, review cadence). Active overrides have a named expiry; expired overrides reopen the finding rather than persisting silently.

Per-cycle metrics (estate currency, shadow detection rate, specification governance currency, authenticated coverage rate, exception coverage, fix verification rate, drift fire rate) and the audit evidence pack the GRC team reads against ISO 27001, SOC 2, PCI DSS, NIST 800-53, NIST CSF 2.0, CIS Controls, NIS2, and DORA assessor fieldwork.

The team runs scans against a static target list while engineering ships new APIs every week. The posture report reads against ninety percent of the estate the assessor expects, and the missing ten percent is where the unauthenticated admin endpoint hides. The fix is opening the estate inventory as a queryable record on the workspace and reconciling it against the verified domains and the connected repositories on a documented cadence so the inventory ages on a clock the team can read.

A new microservice ships, exposes endpoints on the public ingress, and never lands on the inventory. A deprecated v1 endpoint stays reachable while v2 carries the actual traffic, and the v1 path is the one the attacker finds. The fix is a continuous discovery loop on the verified domains that compares observed reachable endpoints against the documented inventory and promotes the gap onto the shadow or zombie queue with a named owner and a documented response window.

The OpenAPI document on the repository was last updated nine months ago. The deployed surface drifted, the security review consumed the wrong spec, and the threat model is based on a behaviour the API no longer has. The fix is holding the current specification per API on the workspace with named author and reviewer, comparing it against the prior version on each review cycle, and promoting unreviewed differences onto a queue rather than asking reviewers to chase the spec.

Scans run against the anonymous surface and assume the authenticated paths are covered by a separate engagement that nobody opened this quarter. Broken Object Level Authorization, Broken Function Level Authorization, mass assignment, and excessive data exposure all hide behind login screens that the scan never reached. The fix is binding authenticated coverage to each API in the inventory, storing the credential in the encrypted credential vault scoped to the verified domain, and producing per-API coverage that names which role tiers and environments the scans actually reached.

Authenticated DAST findings live in one tool, code scanning findings in a second, imported third-party assessment findings in a spreadsheet, and bug bounty submissions on a managed platform. The consolidated read is a slide the security lead authors from memory every quarter. The fix is one workspace that holds findings from every source on a common identity (affected API reference plus finding template plus environment) with the source attribution preserved, so the consolidated read is queryable rather than narrative.

A breaking schema change, a new public endpoint, or a regressed finding lands on the estate and the posture programme reads about it three months later when the audit pack is assembled. The fix is running change-event detection on every cycle (scan, scan-import, schema-upload, code-merge, override-decision) and surfacing the event class onto a queue with a named owner and a documented response window, so the operating loop reads against the change before it accumulates into an audit observation.

A high finding was accepted with a six-month exception two years ago. The decision record sits in an old document, the expiry passed silently, the underlying finding was never reopened, and the assessor reads the override register as a control weakness rather than as a defensible exception lifecycle. The fix is the override register on the workspace with the eight-field decision chain, the named expiry date, the named review cadence, and the automatic reopen when the exception window lapses so the audit reads against a live lifecycle rather than a static spreadsheet.

Authenticated DAST runs against each API in the inventory using credentials held in the encrypted credential vault. The scan reaches login-protected REST endpoints, bearer-protected paths, OAuth-protected resources, basic-auth admin surfaces, and form-login bridges. Findings carry the request, the response, the calibrated severity, and the OWASP API Security Top 10 mapping. Each scan binds back to the API in the inventory and to the engagement that scheduled the cycle.

External scanning reads the public surface of each verified domain that hosts APIs. SSL and TLS posture, HTTP security headers, DNS exposure, port reachability, subdomain enumeration, and technology fingerprinting feed the exposure layer on every API in the inventory. The result is a per-API exposure summary that pairs to the authenticated coverage on the same engagement so the posture read covers both the outside view and the inside view.

Static analysis and dependency analysis run on the repositories that ship each API. Hard-coded secrets, vulnerable dependencies, dangerous patterns, and insecure framework configuration land as findings on the workspace with the affected file path, the rule reference, and the suggested fix. The repository connection ties the code-scanning finding back to the same API in the inventory the authenticated scan reads against.

Business-logic flaws, mass assignment paths, GraphQL introspection abuse, OAuth misconfiguration, JWT trust issues, and API rate-limiting gaps land as manual findings on the engagement with the named reviewer, the proof of concept, the calibrated CVSS vector, and the framework citation. Manual findings sit on the same record as scanner output, so the posture read does not need to reconcile two systems.

Findings from third-party pentests, vendor assessments, partner penetration test deliverables, and historical scanner output (.nessus, Burp XML, CSV with column mapping) ingest onto the workspace with the source attribution preserved. The intake binds each imported finding to the affected API reference, the calibrated severity, and the framework citation so the posture read includes third-party signal without losing provenance.

External researcher submissions on managed bug bounty platforms and the internal disclosure intake channel land as findings on the API engagement after the dedup discipline runs against the open catalogue, the closed catalogue, the override register, and the scanner catalogue. The intake ledger preserves the platform identifier, the calibrated severity, and the disclosure-handling terms so the audit reads the external research input alongside the internal scan record.

The fraction of APIs in the estate inventory with a verified ownership binding, an environment classification, an exposure class, and a current-version specification on the workspace. Programmes operating below ninety percent on inventory currency cannot answer a regulator question about the estate at the moment the question is asked.

The count of shadow APIs and zombie APIs detected per cycle on the discovery loop, with the time-to-resolution against the named owner. The rate trending toward zero on a mature programme indicates the discovery loop is current; a sustained non-zero rate indicates engineering is shipping APIs the inventory does not see.

The fraction of APIs in the estate with authenticated scan coverage at the role tiers the threat model requires. Coverage gaps name the APIs where BOLA, BFLA, mass assignment, and excessive data exposure can hide behind login screens the scan never reached.

The median age of the held specification per API on the workspace and the fraction of APIs whose held specification carries a named reviewer and a named review date inside the review cadence window appropriate for the API criticality.

The open finding count per API, the calibrated severity mix, the median time-to-fix per severity tier, the SLA breach rate per severity, and the trend over the prior cycles. The metric reads against the per-API record so the programme posture is a queryable summary rather than a single aggregated number.

The count of active exceptions on the API estate, the median age since last review, the fraction with a named expiry inside the documented horizon, and the count of expired exceptions that reopened the underlying finding rather than persisting silently.

The fraction of change events (new API, exposure change, schema breaking change, authentication mode change, new finding type, regression, coverage drop) resolved within the documented response window per event class. The metric surfaces operating drift before the audit cycle reads against a stale record.

The API security testing workflow runs a single API pentest as a tracked engagement: scope the surface, run authenticated scans, layer manual review, triage findings, deliver the report, retest the fix. This workflow is the wider programme posture cycle the engagement-level pentests feed: estate inventory, schema governance, continuous authenticated coverage, change-event detection, exception lifecycle, and recurring audit-evidence pack. The two pair: each engagement-level pentest contributes findings and evidence to the posture record on the wider programme.

The ASPM explainer covers the wider application-security posture record the API surface sits inside. ASPM consumes findings from SAST, SCA, DAST, IaC, container scanning, secrets scanning, and manual review across the application portfolio. API posture is the API-specific lane of ASPM, with its own inventory discipline, schema governance, authenticated-coverage rule, change-event taxonomy, and OWASP API Security Top 10 framework citation set.

The CSPM explainer covers the cloud-resource posture record the API hosting infrastructure sits inside. CSPM reads against the IAM, network, storage, compute, and logging configuration on the cloud account. API posture is the application-surface lane: the endpoints the runtime exposes, the schema they advertise, and the authorisation logic the application enforces. Both lanes pair on the same workspace so the consolidated read covers the cloud-resource posture and the application-surface posture together.

The EASM explainer covers the outside-in surface discovery record (domains, subdomains, IP ranges, certificates, public services). API posture is the inside-out application-surface record (the endpoints, the schemas, the authentication modes, the authorisation logic). EASM names the API hosts that are reachable from the public internet; API posture names the endpoints those hosts expose and the security logic the application carries. The two pair: the EASM read feeds the estate inventory and the API posture read feeds the audit-evidence pack.

Inline API protection (WAAP, API gateway, API firewall) sits at runtime in front of the API and blocks or rate-limits malicious traffic in production. SecPortal does not provide an inline runtime protection layer. The API security posture workflow on this page is the pre-production and continuous-assessment record that names the inventory, the schema, the authenticated coverage, the findings, the exception lifecycle, and the audit-evidence pack; a runtime protection layer remains a separate operating discipline the programme runs alongside the posture record.