5. Leveraging API Façades
• Hide API back-end implementation details
• Configure security constraints and other processing based on API consumer
• Carefully manage return of sensitive, inappropriate or unauthorized data by APIs
• Track device usage info and correlation to specific users
[Figure: API Façade]
6. Design considerations
• Classify your APIs – use API products
• Classify your resources – use OAuth2 scopes
– Restricted Resources
– Private Resources
– Public Resources
• Establish and enforce SLAs
– Quota and Spike Arrest – Prevent application denial of service
– Edge out-of-the-box security policies – Prevent injection attacks, data leaks
• Inbound and Outbound communications security
– Edge SSL APIs – Manage your transport security
• Logging and Auditing
– Log access – Edge message logging
– Follow through with an audit policy
7. Security policies in Apigee Edge
• Secure APIs and protect back-end systems from attack
• Secure interactions with API consumers and optimize performance
9. Threat Protection – Best practices
• Use Conditionals and Fault Rules to reject input before it reaches the southbound service
• Use the Extract Variables policy so that JSON and XML variables are parsed and made available using secure parsers already built into Edge
• Use the JSON and XML Threat Protection policies to establish content-level limits on JSON and XML structures
• Use the Regular Expression Protection policy to protect against SQL injection, cross-site scripting and reflected cross-site scripting attacks
• Use the SOAP Message Validation policy to validate a SOAP message against a schema or WSDL
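The slide-9 advice expressed as Apigee Edge policy XML, as an added configuration example that is not from the original deck or from Apigee's own documentation: a JSON Threat Protection policy with structural limits, a Regular Expression Protection policy checking one query parameter and one JSON field, a generic fault response, and the proxy-endpoint wiring that runs the checks in the request PreFlow (before any target step) and routes their faults to that response. Policy names, the numeric limits, the `q` parameter, the `$.comment` path and the patterns are assumed values chosen for illustration; each top-level element would live in its own file under `apiproxy/`.

```xml
<!-- apiproxy/policies/JTP-Limit-Structure.xml: structural limits on inbound JSON -->
<JSONThreatProtection name="JTP-Limit-Structure">
  <Source>request</Source>
  <ContainerDepth>8</ContainerDepth>
  <ArrayElementCount>100</ArrayElementCount>
  <ObjectEntryCount>50</ObjectEntryCount>
  <StringValueLength>4096</StringValueLength>
</JSONThreatProtection>

<!-- apiproxy/policies/REP-Block-Injection.xml: illustrative patterns, not an exhaustive list -->
<RegularExpressionProtection name="REP-Block-Injection">
  <Source>request</Source>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <QueryParam name="q">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <JSONPayload>
    <JSONPath>
      <Expression>$.comment</Expression>
      <Pattern>(?i)(&lt;\s*script)|(javascript:)|(on\w+\s*=)</Pattern>
    </JSONPath>
  </JSONPayload>
</RegularExpressionProtection>

<!-- apiproxy/policies/AM-Threat-Response.xml: generic 400 so no parser detail leaks to the caller -->
<AssignMessage name="AM-Threat-Response">
  <Set>
    <StatusCode>400</StatusCode>
    <Payload contentType="application/json">{"error":"request rejected"}</Payload>
  </Set>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

<!-- apiproxy/proxies/default.xml: both checks run in the request PreFlow; their faults hit the rule -->
<ProxyEndpoint name="default">
  <FaultRules>
    <FaultRule name="reject-threat">
      <Condition>(fault.name = "ThreatDetected") or (fault.name = "ExecutionFailed")</Condition>
      <Step><Name>AM-Threat-Response</Name></Step>
    </FaultRule>
  </FaultRules>
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>JTP-Limit-Structure</Name></Step>
      <Step><Name>REP-Block-Injection</Name></Step>
    </Request>
  </PreFlow>
</ProxyEndpoint>
```

The fault names in the condition are the ones raised by the Regular Expression Protection and JSON Threat Protection policies respectively; a rejected request never reaches the target endpoint, which is the point of doing this check at the façade rather than in the back end.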
13. Mitigating risks from compromised applications
When this happens… What do you do?
– Monitor for unusual activity (traffic volume/source, excessive authentication calls, etc.)
– Revoke/re-approve/delete an API key
– Regenerate API keys and secrets
– Revoke/re-approve/delete some or all active OAuth access and refresh tokens
– Dynamic invalidation via code in API proxies, based on user IDs, device identifiers or other criteria