So the spec seems just additive of OpenAPI, which itself has the same issues with not including RULES.
The main issue is that with a request/response, you have to secure the INGRESS and EGRESS. Tools like API Gateway ONLY secure the initial INGRESS and not internal redirects or the response.
So you need RBAC/ABAC rules integrated into the routing; rules can be defined separately in app or properties files.
You are checking inputs at the 'resolveInputParametersFromRequest' function, but you neglect to compare them to what is expected at the endpoint for each ROLE calling said endpoint.
You also do not check output/EGRESS for said endpoint for each role to make sure there is no escalation.
I hate to even think about your cache, as if you are not checking this, the cache can be escalated too.
The reason those are important to add to GOVERNANCE is BECAUSE other tools have partial implementations and this data needs to be shared across all services that pass the HTTP call (i.e. cache, gateway, API backend, queue, etc.).
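The ingress/egress/cache point above, as an added example that is not part of the original comment or of the spec being discussed. It models a per-endpoint, per-role policy (a hypothetical `POLICIES` table with constructed endpoint, role and field names): the ingress check rejects parameters a role is not expected to send, the egress filter strips response fields the role may not receive, and the cache is keyed on the role so a privileged response is never served to a lower-privileged caller. A deliberately role-blind cache is included beside it to show how the escalation the comment warns about surfaces.

```python
"""Per-role INGRESS and EGRESS enforcement on a routed HTTP call (added example).

All endpoint, role and field names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class EndpointPolicy:
    # role -> parameters that role is expected to send to this endpoint
    allowed_inputs: Dict[str, FrozenSet[str]]
    # role -> response fields that role is allowed to receive back
    allowed_outputs: Dict[str, FrozenSet[str]]


# Hypothetical governance rules; in practice these would live in a properties
# file shared by gateway, backend and cache so every hop applies the same rule.
POLICIES = {
    "/users/{id}": EndpointPolicy(
        allowed_inputs={
            "user": frozenset({"id"}),
            "admin": frozenset({"id", "include_audit"}),
        },
        allowed_outputs={
            "user": frozenset({"id", "name"}),
            "admin": frozenset({"id", "name", "email", "audit"}),
        },
    ),
}


class PolicyViolation(Exception):
    """Raised when a request or response does not match the role's rule."""


def check_ingress(endpoint: str, role: str, params: dict) -> dict:
    """Compare submitted parameters against what this ROLE may send here."""
    allowed = POLICIES[endpoint].allowed_inputs.get(role)
    if allowed is None:
        raise PolicyViolation(f"role {role!r} may not call {endpoint}")
    unexpected = set(params) - allowed
    if unexpected:
        raise PolicyViolation(f"unexpected parameters for {role!r}: {sorted(unexpected)}")
    return dict(params)


def filter_egress(endpoint: str, role: str, response: dict) -> dict:
    """Drop every response field the ROLE is not allowed to receive."""
    allowed = POLICIES[endpoint].allowed_outputs.get(role, frozenset())
    return {k: v for k, v in response.items() if k in allowed}


def backend_users(params: dict) -> dict:
    """Constructed backend: returns the full record regardless of caller."""
    return {"id": params["id"], "name": "alice", "email": "alice@example.invalid", "audit": ["login"]}


_safe_cache: dict = {}
_role_blind_cache: dict = {}


def handle(endpoint: str, role: str, params: dict) -> dict:
    """Ingress check -> backend -> egress filter, cached per (endpoint, role, params)."""
    params = check_ingress(endpoint, role, params)
    key = (endpoint, role, tuple(sorted(params.items())))
    if key not in _safe_cache:
        _safe_cache[key] = filter_egress(endpoint, role, backend_users(params))
    return _safe_cache[key]


def handle_role_blind_cache(endpoint: str, role: str, params: dict) -> dict:
    """Same ingress check, but the cache ignores the role and stores the raw
    backend response: whoever primed the entry decides what later callers see."""
    params = check_ingress(endpoint, role, params)
    key = (endpoint, tuple(sorted(params.items())))
    if key not in _role_blind_cache:
        _role_blind_cache[key] = backend_users(params)
    return _role_blind_cache[key]


def cache_escalation_observed() -> bool:
    """True if a 'user' receives admin-only fields from the role-blind cache."""
    _role_blind_cache.clear()
    handle_role_blind_cache("/users/{id}", "admin", {"id": "1"})   # primes the entry
    leaked = handle_role_blind_cache("/users/{id}", "user", {"id": "1"})
    return "email" in leaked or "audit" in leaked


if __name__ == "__main__":
    print(handle("/users/{id}", "admin", {"id": "1"}))
    print(handle("/users/{id}", "user", {"id": "1"}))
    print("role-blind cache escalates:", cache_escalation_observed())
```

`check_ingress` is the per-role comparison the comment says is missing at `resolveInputParametersFromRequest`; `filter_egress` is the response-side check; and the two cache variants show why the same rule set has to be applied at every hop rather than only at the gateway.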