I am going to share a common mistake in Web APIs. When I was a software developer a long time ago, we needed to write effective code by making functions or code reusable as much as possible, so that things did not have to be redeveloped again and again.
With that mindset, the developer often creates one very big function that can handle many things and return a lot of data, and the returned data is later filtered down to what is actually needed. For example, a get-user-profile function returns all user details (name, email address, phone, password and so on) when the actual need is only to show the name.
Let's look at the sample below.
There is an HTTP API call that feeds the mobile app's GUI with the information needed to show the username and his comments on the post.
But after checking the server response from that API call, I found that it returned more data than I needed, such as the last name, email address and even the password.
It is possible that the developer wanted to reuse the API code for several purposes, including the scenario above, to be effective and have less code to maintain. But from a security perspective this is unnecessary data leakage: an adversary who can intercept the response from the API call, for example by proxying it, sees all of this in clear text.
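The scenario above, as an added example that is not from the original post: the reusable lookup keeps returning the whole record server-side, the handler shapes the response with an allowlist of the fields the comments screen needs, and a small review helper flags sensitive-looking keys in any response. The record, field names and `example.com` address are constructed for the example.

```python
# Constructed sample record, as the backend might store it.
USER_RECORD = {
    "id": 42,
    "username": "alice",
    "lastname": "Smith",
    "email": "alice@example.com",
    "password_hash": "$2b$12$constructed-placeholder-hash",
    "comments": [{"id": 1, "post_id": 7, "body": "Nice post!"}],
}

def get_user_profile(user_id):
    """Reusable internal lookup: returns the full record (fine server-side)."""
    return dict(USER_RECORD) if user_id == USER_RECORD["id"] else None

def comments_view_leaky(user_id):
    """The mistake: the reused function's whole result goes to the client."""
    return get_user_profile(user_id)

# Allowlist of exactly what the comments screen needs.
# A nested tuple is the allowlist applied to each item of a list field.
COMMENTS_VIEW_FIELDS = {"username": None, "comments": ("id", "body")}

def shape(record, allowlist):
    """Copy only allowlisted keys from record; everything else is dropped."""
    out = {}
    for key, sub in allowlist.items():
        if key not in record:
            continue
        if sub is None:
            out[key] = record[key]
        else:
            out[key] = [{k: item[k] for k in sub if k in item} for item in record[key]]
    return out

def comments_view(user_id):
    """The fix: same reusable lookup, response shaped per endpoint."""
    profile = get_user_profile(user_id)
    return None if profile is None else shape(profile, COMMENTS_VIEW_FIELDS)

SENSITIVE_HINTS = ("password", "email", "token", "secret")

def sensitive_keys(payload, path=""):
    """Review helper: paths of keys in a response that look sensitive."""
    found = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            p = f"{path}.{k}" if path else k
            if any(h in k.lower() for h in SENSITIVE_HINTS):
                found.append(p)
            found += sensitive_keys(v, p)
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            found += sensitive_keys(v, f"{path}[{i}]")
    return found
```

Running `sensitive_keys` over a captured response during code review or testing turns the leak into a failing check rather than something noticed by chance in a proxy.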
This is one of the reasons we need a Secure SDLC: the two mindsets have to be combined to achieve code that is both effective and secure. Usually the security analyst is involved during the design phase and also does regular code reviews to assess security.