Use case 8

  • Author: Jarno Huusko
  • Date / Version: 20/02/2024 / 1.0

User roles

  1. Sec (Actor1): Responsible for implementing security measures on API endpoints.
  2. Dev (Actor2): Develops the API endpoints and integrates security measures.
  3. User (Actor3): End-users or third-party applications that interact with the secured API endpoints.

Prerequisites / Conditions

  1. API endpoints are developed and operational but require security enhancements.
  2. The security team has access to necessary tools and technologies for securing API endpoints (e.g., OAuth, JWT, SSL/TLS).

Use Case Diagram

[UML use case diagram]

Description of use case (e.g. Modify existing request)

  1. Security Assessment: The Sec conducts an initial assessment of the API endpoints to identify potential vulnerabilities and security requirements.
  2. Authentication Implementation: Secure authentication mechanisms (e.g., OAuth, JWT) are implemented to verify the identity of users or services accessing the API.
  3. Authorization Controls: Authorization controls are established to ensure users can only access data and actions permitted to their role or identity.
  4. Data Encryption: Data in transit and at rest is encrypted using industry-standard protocols (e.g., SSL/TLS for in-transit encryption) to protect sensitive information.
  5. Rate Limiting: Rate limiting is applied to prevent abuse and mitigate denial-of-service (DoS) attacks.
  6. Regular Audits and Monitoring: Continuous monitoring and regular security audits are set up to detect and respond to threats promptly.

Exceptions

  • E1: If unauthorized access is attempted, the system logs the attempt and may temporarily block the IP address or user account involved.

  • E2: If a security vulnerability is discovered, an emergency protocol is initiated to patch the vulnerability and notify affected users if necessary.
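As an added example that is not part of this use case document, the following Python sketch ties steps 2, 3, 5 and 6 and exception E1 together in one request gate: an HS256 JWT signature and expiry check, role-based permissions, a sliding-window rate limit, and an audit record for every decision, with repeated failed authentications triggering a temporary block. The signing key, roles, limits, actions and client identifiers are constructed placeholders, and the JWT handling is a standard-library stand-in for a real library.

```python
import base64, hashlib, hmac, json
from collections import defaultdict, deque

SECRET = b"demo-secret-key"   # constructed HS256 key shared with the token issuer
ROLE_PERMISSIONS = {"admin": {"read", "write"}, "user": {"read"}}   # step 3
RATE_LIMIT, RATE_WINDOW = 5, 60          # step 5: requests per client per window (s)
BLOCK_AFTER, BLOCK_SECONDS = 3, 300      # E1: failed auths before a temporary block
_requests, _failures, _blocked = defaultdict(deque), defaultdict(list), {}
audit_log = []                           # step 6: every decision is recorded here

def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _sig(header: bytes, body: bytes) -> bytes:
    return _b64url(hmac.new(SECRET, header + b"." + body, hashlib.sha256).digest())

def sign_token(payload: dict) -> str:  # issuer side: compact HS256 JWT
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(payload).encode())
    return b".".join([header, body, _sig(header, body)]).decode()

def verify_token(token: str, now: float):  # step 2: constant-time signature + expiry
    parts = token.encode().split(b".")
    if len(parts) != 3 or not hmac.compare_digest(parts[2], _sig(parts[0], parts[1])):
        return None
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + b"=" * (-len(parts[1]) % 4)))
    return claims if claims.get("exp", 0) > now else None

def _audit(client: str, status: int, reason: str, now: float) -> tuple:
    audit_log.append({"ts": now, "client": client, "status": status, "reason": reason})
    return status, reason

def handle_request(client: str, token: str, action: str, now: float) -> tuple:
    # Gate order: block list, rate limit, authentication, authorization
    if _blocked.get(client, 0) > now:
        return _audit(client, 403, "temporarily blocked", now)
    window = _requests[client]
    while window and window[0] <= now - RATE_WINDOW:   # drop requests outside window
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return _audit(client, 429, "rate limit exceeded", now)
    window.append(now)
    claims = verify_token(token, now)
    if claims is None:                                  # E1: log, block on repeats
        _failures[client] = [t for t in _failures[client] if t > now - BLOCK_SECONDS] + [now]
        if len(_failures[client]) >= BLOCK_AFTER:
            _blocked[client] = now + BLOCK_SECONDS
        return _audit(client, 401, "invalid or expired token", now)
    if action not in ROLE_PERMISSIONS.get(claims.get("role"), set()):
        return _audit(client, 403, "action not permitted for role", now)
    return _audit(client, 200, "ok", now)
```

Failed authentications are counted before the token is even decoded, so a client that keeps sending forged or expired tokens is both rate limited and, after BLOCK_AFTER failures, refused outright until the block expires.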

Result

  • API endpoints are secured against unauthorized access and data breaches, ensuring the confidentiality, integrity, and availability of the API services.

Use frequency

  • Security measures are implemented during the API development phase, with continuous monitoring and periodic reviews to adapt to new threats and vulnerabilities.

Additional information

  • Documentation should include detailed security guidelines, API usage policies, and incident response plans.

Sources

  • Security implementation is based on best practices from OWASP (Open Web Application Security Project), industry standards, and regulatory compliance requirements relevant to the application.