Technical Brief. A Checklist for Every API Call. Managing the Complete API Lifecycle

Similar documents
Edge Foundational Training

Apigee Edge Cloud. Supported browsers:

Apigee Edge Cloud. Supported browsers:

Apigee Edge Cloud - Bundles Spec Sheets

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

API Best Practices. Managing APIs holistically across the enterprise

Apigee Edge Developer Training

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Apigee Edge Start. Description. Key Features. Deployment. Limitations. Apigee Edge Start

WEB-APIs DRIVING DIGITAL INNOVATION

FUJITSU Cloud Service K5 - API Management Service Description

Sentinet for BizTalk Server SENTINET

Microsoft Architecting Microsoft Azure Solutions.

FUJITSU Cloud Service K5 - API Management Service Description

FUJITSU Cloud Service K5 API Management. Function Manual. Version 1.4 FUJITSU LIMITED

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Overview SENTINET 3.1

Developing Enterprise Cloud Solutions with Azure

Verasys Enterprise Security and IT Guide

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

SAP API Management Unit 4.4: Closer look at API Owner Policy Designer PUBLIC

5 OAuth EssEntiAls for APi AccEss control layer7.com

Microsoft Exam Questions and Answers (PDF) Microsoft Exam Questions BrainDumps

Red Hat 3Scale 2.0 Terminology

Securely Access Services Over AWS PrivateLink. January 2019

FAST, FLEXIBLE, RELIABLE SEAMLESSLY ROUTING AND SECURING BILLIONS OF REQUESTS PER MONTH

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

SAP Security in a Hybrid World. Kiran Kola

API s in a hybrid world. Date 28 September 2017

70-487: Developing Windows Azure and Web Services

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Next Paradigm for Decentralized Apps. Table of Contents 1. Introduction 1. Color Spectrum Overview 3. Two-tier Architecture of Color Spectrum 4

API Security Management SENTINET

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

API Management Solutions

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Example Azure Implementation for Government Agencies. Indirect tax-filing system. By Alok Jain Azure Customer Advisory Team (AzureCAT)

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Sentinet for Microsoft Azure SENTINET

5 OAuth Essentials for API Access Control

Architecting Microsoft Azure Solutions (proposed exam 535)

What It Takes to be a CISO in 2017

Alliance Key Manager A Solution Brief for Technical Implementers

Managing API Security in the Connected Digital Economy

Additional Security Services on AWS

Managing your microservices with Kubernetes and Istio. Craig Box

Axway API Gateway. Version 7.4.1

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Cloud Essentials for Architects using OpenStack

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

AD FS v3. Deployment Guide

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Which compute option is designed for the above scenario? A. OpenWhisk B. Containers C. Virtual Servers D. Cloud Foundry

IBM API Connect: Introduction to APIs, Microservices and IBM API Connect

Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform

How to use or not use the AWS API Gateway for Microservices

WHITE PAPER. ENSURING SECURITY WITH OPEN APIs. Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs

<Partner Name> <Partner Product> RSA Ready Implementation Guide for. Rapid 7 Nexpose Enterprise 6.1

CompTIA CAS-002. CompTIA Advanced Security Practitioner (CASP) Download Full Version :

Elastic Load Balance. User Guide. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

API Gateway Version October Concepts Guide

Developing Microsoft Azure Solutions (70-532) Syllabus

DreamFactory Security Guide

A10 HARMONY CONTROLLER

Pulse Secure Application Delivery

Delivering Microservices Securely and at Scale with NGINX in Red Hat OpenShift. November, 2017

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Security by Default: Enabling Transformation Through Cyber Resilience

Provide Real-Time Data To Financial Applications

FIREFLY ARCHITECTURE: CO-BROWSING AT SCALE FOR THE ENTERPRISE

Why Microsoft Azure is the right choice for your Public Cloud, a Consultants view by Simon Conyard

Architecting C++ apps

Self-driving Datacenter: Analytics

AKAMAI CLOUD SECURITY SOLUTIONS

SAP API Management and API Business Hub Overview

Il Mainframe e il paradigma dell enterprise mobility. Carlo Ferrarini zsystems Hybrid Cloud

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

IT Services IT LOGGING POLICY

CloudSOC and Security.cloud for Microsoft Office 365

Alliance Key Manager A Solution Brief for Partners & Integrators

Help Your Security Team Sleep at Night

Elastic Load Balancing. User Guide. Date

Managing Performance in Liferay DXP: An Overview of Liferay Connected Services

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Brocade Virtual Traffic Manager and Parallels Remote Application Server

the SWIFT Customer Security

SoftLayer Security and Compliance:

Microservices with Red Hat. JBoss Fuse

Security Assessment Checklist

Using IBM DataPower as the ESB appliance, this provides the following benefits:

Cloud Customer Architecture for Securing Workloads on Cloud Services

TIBCO API Exchange Manager

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Develop and test your Mobile App faster on AWS

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

API Security Management with Sentinet SENTINET

Data Encryption with ServiceNow

Oracle API Gateway Release Notes

Transcription:

Technical Brief A Checklist for

Table of Contents Introduction: The API Lifecycle 2 3 Security professionals API developers Operations engineers API product or business owners Apigee Edge 7 A Checklist for : 1

Introduction: The API Lifecycle An API gateway is the core of an API management solution. But it s not the whole solution. To learn about the components of comprehensive API management, see the ebook: The Definitive Guide to API Management. When it comes to the API gateway, however, the most important role it serves is ensuring reliable processing of every API call. An API gateway manages the entire API lifecycle. It is imperative that it enables the people responsible for it to effectively and securely deliver APIs that are easy to use by app developers. Design People and the API Lifecycle The following people or teams are stakeholders in the API lifecycle and therefore care about the functionality of an API an API gateway and an API management solution. Security architect or CISOs Developers or enterprise architects Operations engineers API business or product owners While most API gateway solutions can do basic API proxying, APIs have become the fabric of the digital enterprise, so companies need functionality that addresses the concerns of all the stakeholders. The key to helping these people do their jobs? Provide an easy-toconfigure tool and extensibility. Monetize Develop Analyze Secure Monitor Publish Scale A Checklist for : 2

Depending on their roles and responsibilities the primary stakeholders in the API lifecycle are concerned about a number of different use cases. An API management solution provides the features and capabilities that enable each stakeholder. Security professionals Security is paramount for companies when they expose their backend systems or proxy existing APIs. Given that customers or consumers use first-party or third-party apps on mobile devices, partners do transactions, and internal developers build apps on sensitive data, companies need to view security from the perspective of an API call: end to end. An enterprise should assess potential risk and how to secure and mitigate those risks. The following is a list of security use cases and the API gateway features needed to address them. Use case Definition Required feature Mutual authentication SSL, VPN, IP whitelisting Authentication of endpoint from which API call originates Endpoint authentication API key validation Authentication of process from which API call originates API caller authentication API key authorization Authorization of process from which API call originates API caller authorization API key & request/response logging Attributing API calls to right callers API caller auditing OAuth access token validation Authentication of end user involved in API call API user authentication OAuth scopes check Authorization of end user involved in API call API user authorization User & request/response logging Attributing API calls to correct end users API user auditing A Checklist for : 3

Security professionals (Continued) Use case Definition Required feature Bots, SQL injection, virus, compromised user, compromised API key Screen requests for malicious intent Threat protection Confidential data screening, PII data screening, data masking Ensure sensitive data is not accidentally or intentionally leaked Leakage prevention (compliance) SSL, storage encryption Encrypted transmission and storage of data Data encryption API developers Productivity is key for API developers. They want to use familiar tools and languages and configure things easily, and they care deeply about the experience of those who ll build on the API. API developers have to ensure that the API behaves as intended and they need to provide quick and precise debugging and optimize the backend resources that serve the API requests. Here s a list of the use cases and features that are important for API developers. Use case Definition Feature needed Service callouts Implement APIs using multiple calls to other APIs and aggregate/ transform data between the calls Extensibility (Java/Javascript) including support for Node.js XML to/from JSON, SOAP to REST Implement transformation between popular formats Request/response transformation Path validation, parameter validation, header validation Validate requests Request validation Warnings, error logs, debug logs, info logs Log intermediate status/data during request/response processing Logging A Checklist for : 4

API developers (continued) Use case Definition Feature needed Thread pools, exception counts, object counts Collect metrics specific to API implementation Metrics collection Round robin, least loaded, retries Load-balance calls made to other API implementations from a given API implementation Target load balancing Fallbacks, back pressure, multiple implementations Route around issues when making calls to other API implementations from a given API implementation Target routing Caching Cache data used in API implementations Data caching Encryption, masking Encrypt data used in API implementations Data encryption Custom usage tracking Track usage of specific data or logic resources within API implementations Usage tracking Custom usage records, custom limit enforcement Track subscriptions or limits specific to API implementations Subscription & limit checks Custom caller journey, custom user journey Track journey specific to API implementations Journey tracking API access keys, database credentials, certificate keys Store credentials required to access data or another API implementations from a given API implementation Credential store Key value map, document store, graph, relational store Persist the data required by the API implementations Data persistence A Checklist for : 5

Operations engineers Operations teams are accountable for the reliability of the service, both internally and externally. Managing the service level agreements (SLAs) for the APIs is a priority. Operations teams also need tools that enable them to provide the best service for developers without major increases to infrastructure costs. Use case Definition Feature needed Caching Caching of responses to avoid reprocessing requests Response caching Access logging, custom logging Logging of requests and responses Request/response logging Latencies, status codes Collecting metrics related to requests and responses Metrics collection Rate limits, spike arrests, concurrency limits, quotas Implementing quality-of-service management through traffic shaping Traffic management Round robin, least-loaded, retries Supporting clustered API implementations Load balancing Retries, fallbacks, back pressure, multiple implementations Routing around faults or latencies based on context Request routing Progressive rollout, experimentation Splitting traffic between two different implementations Traffic splitting A Checklist for : 6

API product or business owners For the API product or business owner, it s crucial to relate the APIs to the business imperatives and results in a meaningful way and therefore to instrument APIs to capture the right metrics and measure the impact. More advanced needs include the ability to have rate cards and charge developers who consume the APIs. Use case Definition Feature needed Per-caller tracking, per-user tracking, per-api tracking Track usage of API calls Usage tracking Subscription validation, limit enforcement Validate subscriptions to APIs and ensure limits have not been reached Subscription & limit checks Caller journey, user journey Track journey through API calls Journey tracking A Checklist for : 7

Apigee Edge Whether you re a security architect, developer, operations engineer, or API product owner or you require different combinations of the features required for these roles Apigee Edge has you covered. With more than 30 preconfigured policies, the ability to use common languages like Java, JavaScript, Python, and Node.js, and built-in metrics collection and reporting, Edge offers the powerful extensibility needed to build and manage every aspect of an API program. USE CASES TO MANAGE THE API LIFECYCLE API developer Security professional Operations engineer API product owner Service callouts XML to/from JSON, SOAP to REST Path validation, parameter validation, header validation Warnings, error logs, debug logs, info logs Thread pools, exception counts, object counts Round robin, least loaded, retries Fallbacks, back pressure, multiple implementations Caching Encryption, masking Custom usage tracking Mutual authentication SSL, VPN, IP whitelisting API key validation API key authorization API key & request/ response logging OAuth access token validation OAuth scopes check User & request/response logging Bots, SOL injection, virus, compromised user, compromised APIkey Confidential data screening, PII data screening, data masking Caching Access logging, custom logging Latencies, status codes Rate limits, spike arrests, concurrency limits, quotas Round robin, least-loaded, retries Retries, fallbacks, back pressure, multiple implementations Progressive rollout, experimentation Per-caller tracking, per-user tracking, per-api tracking Subscription validation, limit enforcement Caller journey, user journey Custom usage records, custom limit enforcement SSL, storage encryption Custom caller journey, custom user journey API access keys, database credentials, certificate keys Key value map, document store, graph, relational store A Checklist for : 8

About Apigee Apigee delivers an intelligent API platform to accelerate the pace of digital business. We help companies from disruptive start-ups to the Fortune 100 use their enterprise data and services to create connected digital experiences for customers, partners, and employees. This is digital business. For more information, visit apigee.com. Where to go from here For more on the anatomy of a sophisticated API management solution, best practices for API security, getting insights from API analytics, extending your basic APIs via BaaS, and more, download the ebook, The Definitive Guide to API Management. The Apigee Edge product helps developers and companies of every size manage, secure, scale, and analyze their APIs. Get started with the right Apigee Edge for your size business. For additional resources, visit apigee.com/about/resources/ Share this ebook A Checklist for : 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback