Vulnerability Discussion
By enforcing type checks at compile time, a static type system ensures that data passed between functions or components is validated against predefined types, reducing the likelihood of unexpected behavior or exploitation. This helps prevent common issues such as SQL injection, buffer overflows, and type-related vulnerabilities, because developers must explicitly define and validate the expected data types. It also improves code clarity, maintainability, and reliability, making it easier to identify and fix security flaws before deployment.
Check
Verify the API is using a static type system.
1. Check the source code for the use of strongly typed languages such as TypeScript, Java, C#, or Go, which enforce type definitions at compile time.
2. Look for explicit type annotations in function signatures, variables, and data structures.
3. Review the project's dependencies to see if type-checking tools or frameworks (e.g., TypeScript for JavaScript, MyPy for Python) are used.
4. Check for the presence of static type checking in the build or compilation process, which ensures type correctness before runtime.
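The four check steps above can be partially automated against a project's manifest and compiler configuration. The following is an added example, not part of the original check text: a small TypeScript audit function that inspects a constructed package.json and tsconfig.json for the signals named in steps 3 and 4 (a type-checking tool declared as a dependency, the type checker invoked from a build script, and strict checking enabled). The sample manifests in the test are constructed for this example and do not describe any real project.

```typescript
// Added example: audit a project's manifest and compiler config for the
// signals the check steps look for. All input shapes here are constructed
// for illustration; a real audit would read package.json and tsconfig.json
// from the repository under review.

interface PackageManifest {
  scripts?: Record<string, string>;
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

interface TsConfig {
  compilerOptions?: { strict?: boolean; noImplicitAny?: boolean };
}

interface AuditResult {
  finding: boolean;   // true means the check fails: no static type system is enforced
  evidence: string[]; // human-readable notes explaining the verdict
}

function auditStaticTyping(pkg: PackageManifest, tsconfig: TsConfig | null): AuditResult {
  const evidence: string[] = [];
  const deps: Record<string, string> = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };

  // Step 3: is a type-checking tool declared as a dependency?
  const hasTypeScript = "typescript" in deps;
  evidence.push(hasTypeScript
    ? "typescript is a declared dependency"
    : "no type-checking tool found in dependencies");

  // Step 4: does a build script actually invoke the type checker (tsc)?
  const scripts = pkg.scripts ?? {};
  const scriptBodies = Object.keys(scripts).map(k => scripts[k]);
  const buildRunsTsc = scriptBodies.some(s => /\btsc\b/.test(s));
  evidence.push(buildRunsTsc
    ? "a package script invokes tsc"
    : "no package script invokes tsc; types may never be checked");

  // Strictness matters: without strict or noImplicitAny, values can silently
  // become `any` and the compile-time guarantee the check relies on is lost.
  const strict = tsconfig?.compilerOptions?.strict === true
    || tsconfig?.compilerOptions?.noImplicitAny === true;
  evidence.push(strict
    ? "tsconfig enables strict type checks"
    : "tsconfig missing or not strict (implicit any allowed)");

  return { finding: !(hasTypeScript && buildRunsTsc && strict), evidence };
}
```

The `evidence` array is what a reviewer would paste into the finding write-up; `finding` is true unless all three signals are present. Steps 1 and 2 (language choice and explicit annotations in signatures) still need a manual look at the source.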
If the API does not use a static type system, this is a finding.
Fix
Redesign the API to use a static type system.
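The discussion above describes the mechanism (the compiler checks what flows between functions) and the fix asks for the API to be built on that mechanism. The following is an added TypeScript example, not code from the original document, showing what that looks like at an API boundary: untrusted JSON is checked once by a runtime type guard, after which the compiler narrows it to a declared request type, and only that type can reach the function that builds a parameterized database query. The request shape, the `users` table, and the `$1`/`$2` placeholder style are assumptions made for the example.

```typescript
// Added example: a typed API boundary. Static typing checks the flow between
// functions at compile time; the guard at the edge is what lets untrusted
// input enter that checked flow. Table and column names are assumptions.

interface CreateUserRequest {
  username: string;
  age: number;
}

// Runtime guard at the boundary. After it returns true, the compiler
// narrows `input` from `unknown` to CreateUserRequest for the caller.
function isCreateUserRequest(input: unknown): input is CreateUserRequest {
  if (typeof input !== "object" || input === null) return false;
  const rec = input as Record<string, unknown>;
  return typeof rec.username === "string"
    && rec.username.length > 0
    && rec.username.length <= 32
    && typeof rec.age === "number"
    && rec.age === Math.floor(rec.age)   // integer check without es2015 lib
    && rec.age >= 0;
}

interface ParameterizedQuery {
  text: string;                // SQL with placeholders; user data is never concatenated in
  values: (string | number)[]; // bound parameters sent separately to the driver
}

// Only a CreateUserRequest can be passed here. Passing a raw string or an
// unchecked object is a compile-time error, and the values travel as
// bound parameters rather than as part of the query text.
function buildInsertUser(req: CreateUserRequest): ParameterizedQuery {
  return {
    text: "INSERT INTO users (username, age) VALUES ($1, $2)",
    values: [req.username, req.age],
  };
}

// Handler entry point: parse the body, guard it, then hand the typed value on.
// Returns null when the payload is malformed or does not match the declared type.
function handleCreateUser(rawBody: string): ParameterizedQuery | null {
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return null;
  }
  if (!isCreateUserRequest(parsed)) return null;
  return buildInsertUser(parsed);
}
```

The design choice worth noting is that `buildInsertUser` accepts only the narrowed type: every caller is forced through `isCreateUserRequest` (or an equivalent guard) by the compiler, so the place where input is validated cannot be skipped by a later change elsewhere in the code base.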