3.6.4.API Security management

• Key/secret management

  • All API must require a minimal security of API key

    • Invalidate the key for misbehaving client

    • Generate analytics with key as the identify

    • Usage metrics

  • For API developer

    • Management of key/secrets

    • Implementation of key/secret in API

  • For App developer

    • Developer controls key/secret

      • Create -> Renew -> Delete

        • 建立key validation: apigee

• OAuth 2.0 implementation

  • You will need to connect to your enterprise identity and access management solution such as LDAP

  • Manage the storage of token

  • At high level, authorization server will take care of tokens, scopes and clients

    

• Functional threats

  • API testing practices; adopt tools

  • Engage third party for vulnerability assessments

  • Continuous monitoring to detect attacks/threats

  • Pro-active in protecting API from new attack types

  • Implement threat protection in the proxy

• API Infrastructure

  • 可以借助API management platform來建立public API

  • API management platform其實就是Proxy based

    

• API security practices

  • Educate the API developers

  • Provide development guidelines on security

  • Stay up to date on security threats

  • Have a well defined security policy

  • Develop a contingency plan