Security Posture
OWASP API Top-10 static analysis over your contract — BOLA, excessive data exposure, mass assignment, broken inventory, missing auth and rate-limit gaps — with actionable remediation and scenario stubs.
12 security findings (3 high, 1 medium, 8 low) across 6 subjects.
OWASP category breakdown
| Severity | OWASP | Finding | Subject | Remediation | CSV |
|---|---|---|---|---|---|
| high | API1 · BOLA | BOLA risk is untested for GET /orders/{id}. GET /orders/{id} takes an object id {id} but has no auth_error scenario proving a forbidden id is rejected. Object-level authorization is asserted in code, never in a test. | /orders/{id} | Add an auth_error / forbidden-object scenario (403/404) exercising another tenant's id to lock the BOLA boundary. | 24 |
| high | API1 · BOLA | BOLA risk is untested for PATCH /orders/{id}. PATCH /orders/{id} takes an object id {id} but has no auth_error scenario proving a forbidden id is rejected. Object-level authorization is asserted in code, never in a test. | /orders/{id} | Add an auth_error / forbidden-object scenario (403/404) exercising another tenant's id to lock the BOLA boundary. | 24 |
| high | API1 · BOLA | BOLA risk is untested for POST /orders/{id}/fulfill. POST /orders/{id}/fulfill takes an object id {id} but has no auth_error scenario proving a forbidden id is rejected. Object-level authorization is asserted in code, never in a test. | /orders/{id}/fulfill | Add an auth_error / forbidden-object scenario (403/404) exercising another tenant's id to lock the BOLA boundary. | 24 |
| medium | API1 · BOLA | Bulk endpoint lacks authorization scenario. POST /orders returns or mutates a collection but has no auth_error scenario. Bulk endpoints leak or alter rows across tenants when scoping is wrong (OWASP API1/API3 at scale). | /orders | Add a bulk-authorization scenario asserting results are tenant-scoped and forbidden filters return 403. | 25 |
| low | Negative / fuzz gap | No negative / fuzz scenario. POST /orders has no validation_error, auth_error or rate_limit scenario. Only happy-path behaviour is asserted, so malformed and hostile input is untested (dynamic security testing gap). | /orders | Add at least one negative scenario (malformed body → 400, missing auth → 401/403) to cover hostile input. | 41 |
| low | Negative / fuzz gap | No negative / fuzz scenario. GET /orders/{id} has no validation_error, auth_error or rate_limit scenario. Only happy-path behaviour is asserted, so malformed and hostile input is untested (dynamic security testing gap). | /orders/{id} | Add at least one negative scenario (malformed body → 400, missing auth → 401/403) to cover hostile input. | 41 |
| low | Negative / fuzz gap | No negative / fuzz scenario. PATCH /orders/{id} has no validation_error, auth_error or rate_limit scenario. Only happy-path behaviour is asserted, so malformed and hostile input is untested (dynamic security testing gap). | /orders/{id} | Add at least one negative scenario (malformed body → 400, missing auth → 401/403) to cover hostile input. | 41 |
| low | Negative / fuzz gap | No negative / fuzz scenario. POST /orders/{id}/fulfill has no validation_error, auth_error or rate_limit scenario. Only happy-path behaviour is asserted, so malformed and hostile input is untested (dynamic security testing gap). | /orders/{id}/fulfill | Add at least one negative scenario (malformed body → 400, missing auth → 401/403) to cover hostile input. | 41 |
| low | API4 · Rate-limit | No rate-limit signalling. POST /orders declares no 429 response, no per-status throttle behaviour and no rate_limit scenario. Without resource/rate limiting the endpoint is an abuse target (OWASP API4). | /orders | Document a 429 response with Retry-After and add a rate_limit scenario so clients can be proven to back off. | 26 |
| low | API4 · Rate-limit | No rate-limit signalling. GET /orders/{id} declares no 429 response, no per-status throttle behaviour and no rate_limit scenario. Without resource/rate limiting the endpoint is an abuse target (OWASP API4). | /orders/{id} | Document a 429 response with Retry-After and add a rate_limit scenario so clients can be proven to back off. | 26 |
| low | API4 · Rate-limit | No rate-limit signalling. PATCH /orders/{id} declares no 429 response, no per-status throttle behaviour and no rate_limit scenario. Without resource/rate limiting the endpoint is an abuse target (OWASP API4). | /orders/{id} | Document a 429 response with Retry-After and add a rate_limit scenario so clients can be proven to back off. | 26 |
| low | API4 · Rate-limit | No rate-limit signalling. POST /orders/{id}/fulfill declares no 429 response, no per-status throttle behaviour and no rate_limit scenario. Without resource/rate limiting the endpoint is an abuse target (OWASP API4). | /orders/{id}/fulfill | Document a 429 response with Retry-After and add a rate_limit scenario so clients can be proven to back off. | 26 |
Every endpoint has an owner, is documented and sits in a non-deprecated API. Nothing is orphaned or shadowed.
- Request another tenant's object id and assert it is rejected (BOLA lock).
- Exceed the call budget and assert a 429 with Retry-After is returned.
- Send a malformed/hostile body and assert a clean validation error.