Which API design practice helps prevent privilege escalation by controlling access at both resource and field levels?

Get ready for your WGU ITEC2034 D385 Software Security and Testing Test. Study with multiple choice questions that include hints and explanations. Boost your confidence for your exam day!

Multiple Choice

Which API design practice helps prevent privilege escalation by controlling access at both resource and field levels?

Explanation:
Access control must be enforced at more than one level to prevent privilege escalation. Implementing resource- and field-level access control means every API call is checked, on the server, for two things: whether the caller may access the resource at all, and whether the caller may view or modify the specific fields inside it that the request touches. This layered authorization handles the case where a user is entitled to reach a resource but must still be kept away from sensitive data or actions within it. For example, a user may be allowed to read customer records but not to see salary values, and may be blocked from modifying protected fields such as the record owner. If you only check at the resource level, sensitive fields are exposed to anyone who can read the record; if you only check at the field level, you never decide whether the caller should see the resource in the first place. The other options fall short: role-based authentication establishes who the caller is, not what that caller may do (authentication is not authorization); client-side checks run in code the attacker controls and can be bypassed by sending requests directly; encryption protects data in transit and at rest but does not decide, on the server, who may access a resource or see a field.

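The following is an added worked example, not code from the exam or from WGU course material. It shows the layered check the explanation describes for a small customer API: a resource-level check (may this role read or write customers at all) followed by a field-level check (may this role read `salary` or write `owner`). The role names, the policy tables, the customer record and the function names are all assumptions made for the illustration. The flawed variant `read_customer_resource_only` is included beside the hardened `read_customer` so the salary leak the explanation warns about is visible on real input.

```python
"""Resource- and field-level authorization for a small customer API (added example)."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller fails a resource- or field-level check."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Policy tables. The roles, resource and field names are assumptions made for
# this example; a real service would load them from its policy store.
RESOURCE_ACCESS = {
    "customer": {"read": {"support", "hr", "admin"}, "write": {"hr", "admin"}},
}
# Fields absent from this table inherit the resource-level decision.
FIELD_ACCESS = {
    "customer": {
        "salary": {"read": {"hr", "admin"}, "write": {"admin"}},
        "owner":  {"read": {"support", "hr", "admin"}, "write": {"admin"}},
    },
}

# Constructed sample record for the demonstration; not real data.
RECORD = {"id": 7, "name": "Acme Ltd", "email": "ops@acme.example",
          "salary": 120000, "owner": "alice"}


def can_access_resource(user: User, resource: str, action: str) -> bool:
    """Resource-level check: may this user perform `action` on `resource` at all?"""
    return bool(user.roles & RESOURCE_ACCESS.get(resource, {}).get(action, set()))


def allowed_fields(user: User, resource: str, action: str, fields) -> set:
    """Field-level check: the subset of `fields` the user may read or write."""
    rules = FIELD_ACCESS.get(resource, {})
    return {f for f in fields
            if f not in rules or user.roles & rules[f].get(action, set())}


def read_customer(user: User, record: dict) -> dict:
    """Hardened read: both checks, and the response is filtered to permitted fields."""
    if not can_access_resource(user, "customer", "read"):
        raise Forbidden("no read access to customer")
    permitted = allowed_fields(user, "customer", "read", record)
    return {k: v for k, v in record.items() if k in permitted}


def update_customer(user: User, record: dict, patch: dict) -> dict:
    """Hardened write: writes to protected fields are rejected, not silently dropped,
    so a client that smuggles `salary` into a PATCH body gets an error, not a partial update."""
    if not can_access_resource(user, "customer", "write"):
        raise Forbidden("no write access to customer")
    denied = set(patch) - allowed_fields(user, "customer", "write", patch)
    if denied:
        raise Forbidden(f"write to protected field(s): {sorted(denied)}")
    return {**record, **patch}


def read_customer_resource_only(user: User, record: dict) -> dict:
    """The flawed variant the explanation warns about: resource-level check only."""
    if not can_access_resource(user, "customer", "read"):
        raise Forbidden("no read access to customer")
    return dict(record)  # salary leaks to any role that may read customers


if __name__ == "__main__":
    support = User("bob", frozenset({"support"}))
    print(read_customer(support, RECORD))                # no salary key
    print(read_customer_resource_only(support, RECORD))  # salary leaks
```

Two design points worth noting: the field-level check is applied to the keys the request actually carries, so it also covers the write direction (a client cannot promote itself by adding `owner` to an update body), and a denied field on a write is an error rather than a silently ignored key, which keeps the client from learning by trial which fields are quietly discarded.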
