SAP Cloud Platform API Management – API Security Best Practices Blog Series
APIs are the building blocks that unlock enterprise data and processes for digital consumption and interaction, enabling businesses to share digital assets beyond traditional applications, websites and devices. APIs also enable enterprises to interact with their business partners to create business networks, and let external developers extend the solution's capabilities in innovative ways by building new applications.
APIs have become a strategic necessity for enterprises that want to innovate and open up new channels, partner ecosystems and revenue opportunities.
One of the most important aspects of developing APIs for the enterprise is ensuring API security. The main principles of API security can be summarized as follows:
Identify the API caller: The APIs should identify not just the users of the application but also the application that consumes the APIs. OAuth has become the standard way, and a best practice, for applications and websites to handle authorization. OAuth defines an open protocol that allows secure API authorization for desktop, mobile and web applications through a simple, standard method.
Mitigate cyber attacks: Cyber attacks are attempts by malicious users to destroy, expose, alter or steal data, or to gain unauthorized access to or make unauthorized use of an asset. These attacks range from code injection to gain access to sensitive data, to sending inflated data structures that spike server resource consumption, to flooding target systems with so many calls that the result is a denial of service. APIs should have checks and validation in place to detect code injection and to control the rate of traffic sent to or received by an API endpoint.
Log all API interactions: Collecting and analyzing API logs helps identify the damage caused and exposes attacks on the cloud landscape, so all API interactions should be logged to a central logging server.
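To make the second and third principles concrete, here is an added example (not code from SAP Cloud Platform API Management, and not from the blog series) of the kind of policy chain a gateway runs before forwarding a request: a payload size cap and JSON structure limits against inflated data structures, a per-application rate limit that returns a retry hint, and a structured audit record for every request, allowed or denied. The limit values, client keys and request bodies are all constructed for illustration.

```python
"""Added example: a minimal gateway policy chain (threat protection, rate limit, audit log).
Not SAP's implementation; limits and sample inputs are constructed for illustration."""
import json
import time
from collections import defaultdict, deque

# Structural limits for incoming JSON payloads (illustrative values, not SAP defaults).
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 5
MAX_ARRAY_ELEMENTS = 100
MAX_OBJECT_ENTRIES = 50
MAX_STRING_LENGTH = 256


class PolicyViolation(Exception):
    """Raised when a request breaks a policy; carries the HTTP status the gateway should return."""

    def __init__(self, reason, status=400):
        super().__init__(reason)
        self.status = status


def check_json_structure(node, depth=1):
    """Walk a parsed JSON value and reject nesting, arrays, objects or strings beyond the limits.
    Oversized or deeply nested documents are what 'inflated data structures' look like on the wire."""
    if depth > MAX_DEPTH:
        raise PolicyViolation(f"nesting depth exceeds {MAX_DEPTH}")
    if isinstance(node, dict):
        if len(node) > MAX_OBJECT_ENTRIES:
            raise PolicyViolation(f"object has more than {MAX_OBJECT_ENTRIES} entries")
        for key, value in node.items():
            if len(key) > MAX_STRING_LENGTH:
                raise PolicyViolation(f"object key longer than {MAX_STRING_LENGTH} characters")
            check_json_structure(value, depth + 1)
    elif isinstance(node, list):
        if len(node) > MAX_ARRAY_ELEMENTS:
            raise PolicyViolation(f"array has more than {MAX_ARRAY_ELEMENTS} elements")
        for item in node:
            check_json_structure(item, depth + 1)
    elif isinstance(node, str) and len(node) > MAX_STRING_LENGTH:
        raise PolicyViolation(f"string longer than {MAX_STRING_LENGTH} characters")


class RateLimiter:
    """Sliding-window limit: at most `limit` calls per `window` seconds for each client key
    (the client key would normally be the application identified via OAuth)."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.calls = defaultdict(deque)  # client key -> timestamps of recent calls

    def check(self, client_key, now):
        q = self.calls[client_key]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop calls that fell out of the window
        if len(q) >= self.limit:
            retry_after = int(q[0] + self.window - now) + 1
            raise PolicyViolation(f"rate limit exceeded; retry after {retry_after}s", status=429)
        q.append(now)


def handle_request(client_key, raw_body, limiter, audit_log, now=None):
    """Apply the policies in order (cheapest first) and append an audit record for every request.
    Returns the HTTP-style status the gateway would answer with."""
    now = time.time() if now is None else now
    entry = {"ts": now, "client": client_key, "bytes": len(raw_body.encode())}
    try:
        limiter.check(client_key, now)
        # Cap the raw size before parsing so the parser itself cannot be exhausted.
        if entry["bytes"] > MAX_BODY_BYTES:
            raise PolicyViolation(f"body exceeds {MAX_BODY_BYTES} bytes", status=413)
        check_json_structure(json.loads(raw_body))
        entry["result"], status = "allowed", 200
    except PolicyViolation as exc:
        entry["result"], entry["reason"], status = "denied", str(exc), exc.status
    except json.JSONDecodeError:
        entry["result"], entry["reason"], status = "denied", "malformed JSON", 400
    audit_log.append(entry)  # shipped to the central log server as one JSON line per request
    return status


if __name__ == "__main__":
    log, limiter = [], RateLimiter(limit=3, window=60)
    ok_body = '{"order": {"id": 1, "items": [1, 2, 3]}}'          # constructed, well-formed
    deep_body = '{"a":' * 6 + "1" + "}" * 6                         # constructed, nesting depth 6
    for body in (ok_body, deep_body, ok_body, ok_body):
        print(handle_request("app-A", body, limiter, log))
    for entry in log:
        print(json.dumps(entry))
```

Note that the rate limiter counts a request even when a later check denies it, so a client that keeps sending oversized payloads still exhausts its quota, and every outcome lands in the audit log with the rule that fired.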
SAP Cloud Platform, API Management offers many out-of-the-box API security policies based on the OWASP API security best practices, and these can be customized for your enterprise requirements.
In this blog series, we will showcase the security policies from SAP Cloud Platform API Management that secure and protect enterprise APIs, as shown in the picture below:
These API security best practices include policies for authentication and authorization, traffic management, and detection of cloud threats and cyber attacks; they are covered in detail in the following parts:
Part 1 – Restrict access to API based on IP Addresses
Part 2 – Rate limit API calls with Retry time
Part 3 – Rate limit API calls for OData Batch calls
Part 4 – Data masking of sensitive data from API response
Part 5 – JSON Threat protection against injection attacks
Part 6 – XML Threat protection against injection attacks
Part 7 – Log all API interactions
Part 8 – Threat protection against SQL injection attacks
Part 9 – Threat protection against XML External entity injection attacks
Part 10 – Raise alerts via email notification when threat is detected
Part 11 – Rate limit concurrent connection to target
Part 12 – Rate limit API call per developer
For more blogs on SAP Cloud Platform API Management, visit us at SAP Community.
Thanks Divya Mary for this very useful blog series on API security best practices.
Thank you for such a detailed blog series covering various important scenarios.