SAP Knowledge Base Article - Preview

3370429 - Security queries regarding SAP SuccessFactors APIs

Symptom

You wish to have answers to a number of security questions in relation to SAP SuccessFactors APIs, such as (but not limited to):

a) Has your organisation made any changes to its security controls in the past year, such as:
- changes to its cloud hosting provider?
- changes in security certification?
- changes in its security maturity or posture?

b) Do you perform regular vulnerability assessments and security testing on your systems?

c) Have you conducted IPv4 internet scanning to identify potential API assets?

d) Do you have a process to track and remediate findings from security testing?

e) Do you allow customers to conduct independent vulnerability assessments or penetration tests on the environment where their data is hosted?

f) Does API testing include checks for the OWASP API Top 10 and related issues, such as:
- fuzzing
- PII identification
- API key and credential leakage
- code exposure
- misconfigurations
- public repository vulnerabilities
- verbose error messages
- cryptographic misconfigurations

g) What frequency of testing do you perform against customer APIs / SFTP?

h) What authentication protocols does the API support, and is it protected by a WAF / API gateway (discovery)?


Environment

SAP SuccessFactors API

Keywords

cloud hosting provider, security certification, security maturity, vulnerability assessments, security testing, IPv4 internet scanning, API assets, independent vulnerability assessments, penetration tests, OWASP API Top 10, fuzzing, PII identification, API key, credential leakages, code exposure, misconfigurations, public repo vulnerabilities, verbose error messages, crypto misconfigs, authentication protocols, WAF, API gateway discovery, KBA, LOD-SF-INT-API, API & Adhoc API Framework, How To

About this page

This is a preview of an SAP Knowledge Base Article. The full version is available on SAP for Me (login required).
