3.6.4. API Security management

  • Key/secret management

    • All APIs must require at least API-key authentication

      • Invalidate the key of a misbehaving client

      • Generate analytics using the key as the client identity

      • Usage metrics

    • For API developer

      • Management of key/secrets

      • Implementation of key/secret in API

    • For App developer

      • Developer controls key/secret

        • Create -> Renew -> Delete
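The key lifecycle above (create, renew, delete), the revocation of a misbehaving client and per-key usage metrics can all live in one small key manager. The following is an added example written for this page, not code from the original document or from any API management product; `ApiKeyManager`, its abuse threshold and the in-memory store are assumptions made for illustration (a real deployment would persist hashed secrets and counters in a database).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class KeyRecord:
    """One API key as seen by the API provider. Only a hash of the secret is kept."""
    key_id: str
    secret_hash: str
    client: str
    created: float
    active: bool = True
    calls: int = 0
    failures: int = 0


class ApiKeyManager:
    """Hypothetical key store: Create -> Renew -> Delete, plus validation,
    revocation of misbehaving clients and usage metrics keyed by key id."""

    def __init__(self, abuse_threshold: int = 5):
        self._keys: dict[str, KeyRecord] = {}
        # Number of consecutive failed validations after which a key is invalidated.
        self.abuse_threshold = abuse_threshold

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def create(self, client: str) -> tuple[str, str]:
        """Issue a new key. The secret is returned once, to the app developer, and never stored in clear."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = KeyRecord(key_id, self._digest(secret), client, time.time())
        return key_id, secret

    def renew(self, key_id: str) -> str:
        """Rotate the secret of an existing key and reactivate it."""
        rec = self._keys[key_id]
        secret = secrets.token_urlsafe(32)
        rec.secret_hash = self._digest(secret)
        rec.active = True
        rec.failures = 0
        return secret

    def delete(self, key_id: str) -> None:
        self._keys.pop(key_id, None)

    def invalidate(self, key_id: str) -> None:
        """Revoke a key without deleting its record, so its metrics remain available."""
        if key_id in self._keys:
            self._keys[key_id].active = False

    def validate(self, key_id: str, secret: str) -> bool:
        """Check a presented key; count usage on success, count abuse on failure."""
        rec = self._keys.get(key_id)
        if rec is None or not rec.active:
            return False
        ok = hmac.compare_digest(rec.secret_hash, self._digest(secret))
        if ok:
            rec.calls += 1
            rec.failures = 0
        else:
            rec.failures += 1
            if rec.failures >= self.abuse_threshold:
                self.invalidate(key_id)
        return ok

    def metrics(self, key_id: str) -> dict:
        """Usage metrics with the key as the client identity."""
        rec = self._keys[key_id]
        return {
            "client": rec.client,
            "calls": rec.calls,
            "active": rec.active,
            "failed_attempts": rec.failures,
        }
```

The API proxy calls `validate` on every request; the analytics pipeline reads `metrics`, and a support or security operator calls `invalidate`, `renew` or `delete` as the client's situation demands.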

  • OAuth 2.0 implementation

    • You will need to connect to your enterprise identity and access management solution such as LDAP

    • Manage token storage

    • At a high level, the authorization server takes care of tokens, scopes and clients
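To make the three responsibilities concrete, here is an added example of a minimal OAuth 2.0 style authorization server that registers clients, issues scoped tokens, stores them with an expiry, and answers introspection requests from a resource server. It is not code from the original page or from any real authorization server; the client registry, the in-memory token store and the `require_scope` helper are assumptions, and integration with an enterprise directory such as LDAP is left out (clients are registered directly).

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    secret: str
    allowed_scopes: frozenset


@dataclass
class Token:
    client_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Hypothetical authorization server handling clients, tokens and scopes."""

    def __init__(self, ttl_seconds: int = 3600):
        self.clients: dict[str, Client] = {}
        self.tokens: dict[str, Token] = {}   # opaque token -> Token (the token store)
        self.ttl = ttl_seconds

    def register_client(self, client_id: str, secret: str, allowed_scopes) -> None:
        self.clients[client_id] = Client(client_id, secret, frozenset(allowed_scopes))

    def issue_token(self, client_id: str, secret: str, requested_scopes, now=None):
        """client_credentials-style grant: authenticate the client, then issue a token
        limited to the requested scopes, refusing any scope the client is not allowed."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.secret, secret):
            return None
        requested = frozenset(requested_scopes)
        if not requested <= client.allowed_scopes:
            return None  # reject scope escalation instead of silently narrowing
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Token(client_id, requested, now + self.ttl)
        return token

    def introspect(self, token: str, now=None) -> dict:
        """Introspection-style answer: inactive if unknown, revoked or expired."""
        now = time.time() if now is None else now
        t = self.tokens.get(token)
        if t is None or t.revoked or now >= t.expires_at:
            return {"active": False}
        return {"active": True, "client_id": t.client_id, "scope": sorted(t.scopes)}

    def revoke(self, token: str) -> None:
        if token in self.tokens:
            self.tokens[token].revoked = True


def require_scope(auth_server: AuthorizationServer, token: str, scope: str, now=None) -> bool:
    """What a resource server (or the API proxy) does before serving a request."""
    info = auth_server.introspect(token, now)
    return info["active"] and scope in info["scope"]
```

The `now` parameter exists so that expiry can be exercised deterministically; in production the server uses the clock. Because tokens are opaque, every check goes through the token store, which is why its storage (and the revocation path) has to be managed carefully.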

  • Functional threats

    • API testing practices; adopt tools

    • Engage third party for vulnerability assessments

    • Continuous monitoring to detect attacks/threats

    • Be proactive in protecting the API from new attack types

    • Implement threat protection in the proxy

  • API Infrastructure

    • A public API can be built with the help of an API management platform

    • An API management platform is essentially proxy based

  • API security practices

    • Educate the API developers

    • Provide development guidelines on security

    • Stay up to date on security threats

    • Have a well-defined security policy

    • Develop a contingency plan
