What is the best way to ensure the API is protected against privilege escalation?

Get ready for your WGU ITEC2034 D385 Software Security and Testing Test. Study with multiple choice questions that include hints and explanations. Boost your confidence for your exam day!

Multiple Choice

What is the best way to ensure the API is protected against privilege escalation?

Explanation:

Access control and authorization checks at the API level are what prevent privilege escalation. Implementing resource- and field-level access control ensures every API call is evaluated against what the caller is allowed to do with each specific resource and which fields they’re allowed to see or modify. This means even if a user has a valid session, the system will block actions or data access that go beyond their assigned permissions, closing gaps that could be exploited by manipulating identifiers or requests. By enforcing least privilege across resources and data, the API prevents higher-privilege operations from being performed by unauthorized users.

MFA strengthens authentication, not authorization, so it doesn’t by itself stop someone who already has access from performing elevated actions. Encrypting data at rest protects data if storage is breached, but doesn’t prevent improper use of the API once a user is authenticated. Disabling admin accounts is not a practical, general solution and doesn’t address the underlying need for proper authorization checks within the API.
