A dynamic API security policy is enforced at runtime. This can be done without having access to the API specification or code. A flow of execution initiated by the API is tracked at runtime, and a data object used by the API is identified. Specific data labels are assigned to specific fields of the data object used by the API. The specific data labels consistently identify data fields of specific types. The API security policy that is enforced prohibits specific actions concerning data fields of specific types, which are also consistently identified in the security policy. Actions in the tracked flow of execution that violate the API security policy are detected at runtime, and security actions are taken in response. In some implementations, these dynamic API security techniques are supplemented with static API security analysis of an API specification and a set of rules concerning API risk assessment.
展开▼
