3.6.4.API Security management

Key/secret management
- All API must require a minimal security of API key
  - Invalidate the key for misbehaving client
  - Generate analytics with key as the identify
  - Usage metrics
- For API developer
  - Management of key/secrets
  - Implementation of key/secret in API
- For App developer
  - Developer controls key/secret
    Create -> Renew -> Delete
    建立key validation: apigee
OAuth 2.0 implementation
- You will need to connect to your enterprise identity and access management solution such as LDAP
- Manage the storage of token
- At high level, authorization server will take care of tokens, scopes and clients
Functional threats
- API testing practices; adopt tools
- Engage third party for vulnerability assessments
- Continuous monitoring to detect attacks/threats
- Pro-active in protecting API from new attack types
- Implement threat protection in the proxy
API Infrastructure
- 可以借助API management platform來建立public API
- API management platform其實就是Proxy based
API security practices
- Educate the API developers
- Provide development guidelines on security
- Stay up to date on security threats
- Have a well defined security policy
- Develop a contingency plan

Last updated 4 years ago