- Autorization
- What type of object / access can a user have.
- Application logic should control what a user can or not see.
So starting with OWASP API number 1, Broken Object Level Authorization. There's a reason why it's number one on the list. It's the most common, and the most damaging of the API Top 10 items. This involves manipulating IDs and gaining access to records that do not belong to you. And as you've seen, this can lead to data loss, data manipulation, and disclosure.
The example of OWASP API number 1 is quite simple. An attacker authenticates as user A, and then attempts to transact and access information that belongs to another user. And if that works, then you can't iterate and continue potentially to harvest vast amounts of data.
In terms of prevention, it’s critical to thoughtfully define what your access control policies are. To know what access and date a given user or given role should have, and then enforce those policies at the application logic layer. Don't enforce access controls in the UI. Don't enforce it in the API itself. You need to enforce that kind of control within the application logic itself.
In addition you should implement automated testing to make sure that no exposures or gaps are being revealed or entering into your application code logic. Specifically, continuous and comprehensive testing, not once or twice a year, but on every release because these kinds of vulnerabilities can creep in whenever there's a new code release or a new functionality added to your application.