Ce produit n'est pas pris en charge par le site Datadog que vous avez sélectionné. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Overview

API Posture Compliance lets you continuously evaluate your API security posture against industry-standard frameworks. It maps Datadog’s built-in API security detection rules to compliance framework controls and provides a real-time posture score showing which controls are passing or failing across your services.

Unlike Cloud Security compliance, which evaluates cloud infrastructure misconfigurations and identity risks, API Posture Compliance focuses exclusively on API security findings: threats and vulnerabilities detected in the traffic reaching your application APIs.

The OWASP API Security Top 10 framework detail page, showing a posture score, failing findings, and a severity breakdown of failing rules by requirement.

Supported frameworks

OWASP API Security Top 10 (2023)

The OWASP API Security Top 10 identifies the most critical security risks for APIs. Datadog maps its API security detection rules to the ten categories:

CategoryNameDescription
API1:2023Broken Object Level AuthorizationAPIs fail to verify whether a user is authorized to access specific objects, allowing attackers to read or manipulate data belonging to other users.
API2:2023Broken AuthenticationFlawed or missing authentication mechanisms allow attackers to steal tokens, impersonate users, or bypass login controls entirely.
API3:2023Broken Object Property Level AuthorizationAPIs expose sensitive object properties that users should not be allowed to read or write, enabling mass assignment or data leakage attacks.
API4:2023Unrestricted Resource ConsumptionAPIs impose no limits on request size or rate, enabling denial-of-service attacks or abuse of downstream resources and third-party costs.
API5:2023Broken Function Level AuthorizationImproper access controls allow unauthorized users to invoke admin or privileged API functions not intended for their role.
API6:2023Unrestricted Access to Sensitive Business FlowsExposed business flows such as checkout or login can be automated and abused at scale without proper rate limits or anomaly detection.
API7:2023Server Side Request ForgeryAPIs make server-side HTTP requests to attacker-supplied URLs, potentially exposing internal services, cloud metadata, or other sensitive endpoints.
API8:2023Security MisconfigurationInsecure defaults, verbose error messages, open cloud storage, or missing security hardening leave APIs exposed to opportunistic attacks.
API9:2023Improper Inventory ManagementOutdated, undocumented, or shadow API versions remain accessible without oversight, widening the attack surface beyond what is actively maintained.
API10:2023Unsafe Consumption of APIsTrusting third-party API responses without proper validation exposes the application to injection attacks, unexpected data, or downstream compromise.

How it works

  • Detection rules: Each Datadog API security detection rule is tagged with the OWASP controls it covers. When a rule fires and generates a finding, the associated control is marked as failing for the affected service.
  • Posture score: The posture score reflects the ratio of controls that are fully passing versus those with at least one failing finding. The score is calculated using the same methodology as Cloud Security posture scores.
  • Compliance Frameworks page: The Compliance Frameworks page lists all available frameworks for your API security context. For each framework you can examine control-level details, filter by severity, and open a finding side panel to investigate individual API security events.

View your compliance posture

Navigate to Security > App & API Protection > Compliance to open the Compliance Frameworks page. You can:

  • Select a framework (for example, OWASP API Security Top 10) to see per-control pass/fail status.
  • Click a failing control to view the list of API security findings that caused it to fail.
  • Open a finding’s side panel to see the affected endpoint, severity, and recommended remediation steps.

Further reading