Policies should be configured to be defensive by default, meaning that if access is not explicitly granted then it is denied. How strictly this is applied will depend on the nature of the API call and what data it exposes. Careful consideration should be given to setting the correct level of security policy, since even innocuous-looking API calls can result in damage to organizations. For example, an API call that records the last login date and time of a user may seem harmless, but it will presumably store the login details in a database; that API call could therefore be used to direct SQL injection attacks at the database, which if successful could result in serious damage.
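The two points above, a deny-by-default policy gate and the "harmless" last-login call backed by a database, as an added example that is not part of the original text. The allow-list, the `(role, method, path)` policy shape, the `users` table and the in-memory SQLite database are constructed for illustration. The unsafe variant builds the SQL by string concatenation, so a username containing a quote is parsed as SQL and the statement fails; the safe variant binds the same username as a parameter, and the request handler checks the policy before it touches the database.

```python
import sqlite3

# Constructed deny-by-default policy: only the (role, method, path) triples listed
# here are granted. Anything not in this set is refused.
ALLOW_LIST = frozenset({
    ("user", "POST", "/me/last-login"),
    ("admin", "POST", "/me/last-login"),
    ("admin", "GET", "/users"),
})


def is_allowed(role: str, method: str, path: str) -> bool:
    """Deny by default: access is granted only if explicitly listed."""
    return (role, method, path) in ALLOW_LIST


def make_db() -> sqlite3.Connection:
    """Constructed sample database with a users table holding the last-login timestamp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, last_login TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, NULL)", [("alice",), ("o'brien",)])
    conn.commit()
    return conn


def record_last_login_unsafe(conn: sqlite3.Connection, username: str, when: str) -> int:
    """The 'harmless' call written with string concatenation.

    The username is spliced into the statement text, so the SQL parser sees
    whatever the caller supplied. This is the injection surface the text warns about.
    """
    sql = f"UPDATE users SET last_login = '{when}' WHERE username = '{username}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def try_unsafe(conn: sqlite3.Connection, username: str, when: str) -> str:
    """Run the unsafe variant and report whether the database rejected the statement."""
    try:
        record_last_login_unsafe(conn, username, when)
        return "ok"
    except sqlite3.OperationalError:
        # A legitimate username such as o'brien already breaks the statement,
        # which shows the input is being interpreted as SQL rather than as data.
        return "sql-error"


def record_last_login_safe(conn: sqlite3.Connection, username: str, when: str) -> int:
    """Same call with a parameterized query: the username is bound as data, never parsed."""
    cur = conn.execute(
        "UPDATE users SET last_login = ? WHERE username = ?", (when, username)
    )
    conn.commit()
    return cur.rowcount


def last_login(conn: sqlite3.Connection, username: str):
    """Read back the stored timestamp (None if never logged in or unknown user)."""
    row = conn.execute(
        "SELECT last_login FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def handle_request(conn, role: str, method: str, path: str, username: str, when: str):
    """Policy gate first, then the parameterized data access. Returns (status, rows)."""
    if not is_allowed(role, method, path):
        return 403, None
    if method == "POST" and path == "/me/last-login":
        rows = record_last_login_safe(conn, username, when)
        return (200, rows) if rows == 1 else (404, 0)
    return 404, None


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "guest", "POST", "/me/last-login", "alice", "2024-01-01T00:00:00Z"))
    print(handle_request(db, "user", "POST", "/me/last-login", "o'brien", "2024-01-01T00:00:00Z"))
    print(try_unsafe(db, "o'brien", "2024-01-02T00:00:00Z"))
```

The policy check and the query style are independent controls: the gate limits who can reach the call at all, and parameter binding ensures that whoever reaches it cannot change the shape of the SQL the database executes.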
The focus will ...