APIs are the building blocks of digital and automation initiatives. It has never been easier to implement and deploy APIs at scale, allowing organizations to build what they need when they need it.
But this leaves organizations at risk of not knowing which APIs are in production and being unable to manage them. Gartner predicted that “By 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools.”
API governance ensures consistent API quality and security through design, development, and deployment. However, API governance is often seen as an impediment to product delivery. Without proper governance, the APIs we build and use to create a composable enterprise become the weak link that leaves data exposed.
So, that leads us to the question: how can we protect APIs without slowing down innovation?
Secure your data proactively with API governance
To protect APIs without slowing down product delivery, organizations need:
- Alignment on governance requirements
- Visibility into all deployed APIs
- Governance conformance checks during API development
By implementing automatic governance checks throughout the development lifecycle, especially during development and cataloging, organizations can ensure that each API conforms to the agreed security and best-practice requirements.
1. Alignment on governance requirements
Before you start your governance journey, determine the following:
- Which types of API need which kind of conformance? For example, do particular APIs handle sensitive data, and what governance checks do those APIs need?
- When should the conformance check occur: while the API is in development, or once it is stable?
- Who should get notified when an API doesn’t meet conformance?
- What are your company standards or best practices?
The answers to these questions will act as your north star as you navigate proactive governance.
Anypoint API Governance ensures consistent API quality and security through governance rulesets. Governance rulesets are applied to the metadata extracted from API definitions in Anypoint Platform. Note that a ruleset validates what the definition declares, not how the deployed implementation behaves; a conformant specification is necessary, but it complements rather than replaces runtime enforcement and testing.
MuleSoft provides several pre-built rulesets in Anypoint Exchange, such as Anypoint API Best Practices, OpenAPI Best Practices, OWASP API Security Top 10, and Authentication Security Best Practices governance rulesets. You can discover rulesets published in Exchange by filtering the search in Exchange by the Rulesets type.
For each pre-built ruleset, you can see its documentation and the rules it contains by clicking the asset. The following figure shows the OWASP API Security Top 10 2019 Checklist ruleset page.
Once you know which APIs need which rulesets, you can decide whether your organization needs a customized ruleset. You can build custom rulesets starting from the provided ones. For more information, see Creating Custom Governance Rulesets.
2. Improve visibility into all deployed APIs
To check APIs for governance conformance, you need access to the API definitions. However, having visibility into all of your APIs can be difficult if your organization spreads them across various repositories, environments, and documentation practices.
With API Catalog CLI you can discover and catalog your API definitions, documentation files, and associated metadata and bring them all into one place, Anypoint Exchange, regardless of where the API is developed. You can embed the CLI commands in your CI/CD pipeline to automatically trigger the publishing of your API assets to Exchange.
During the cataloging process, you can tag and categorize APIs which will allow you in the next step to apply appropriate rulesets to your APIs as soon as they are added to Exchange.
To learn more about API Catalog CLI, check out the two-part tutorial series, which walks you through the basics of setting up the descriptor file (think of it as a roadmap for Exchange to catalog your APIs with the proper information) and implementing it in a CI/CD pipeline.
3. Implement governance checks throughout the development lifecycle
Now that you’ve determined governance criteria and cataloged all the APIs into one place, it’s time to implement governance checks. Anypoint API Governance currently provides two experiences:
- Architects/security admins can apply standards consistently to any API, regardless of where they are built, through a simple UI walkthrough
- Developers can validate conformance during API design
For architects and security admins
Let’s first look at how an Architect can enforce API governance. In Anypoint API Governance, you can create a new profile. A governance profile applies chosen governance rulesets to a selected group of APIs. The API definitions are validated against the governance rulesets.
When you create a new profile, you can select one or more rulesets to apply. For example, the OWASP and Anypoint Best Practices rulesets can be combined to ensure that APIs handling sensitive data are properly protected and also meet syntax requirements for easy readability and reuse.
Afterward, you can set API filter criteria (API type, Tags, Categories, and Lifecycle State – sound familiar?) and specify users to get automatic notification of nonconformance.
Once finished, the governance engine runs the rulesets against the filtered APIs and provides a dashboard (see below) where you can see your API conformance status. You can drill down to a particular profile or APIs to get a detailed look at the violations and send reminder notifications.
Another way to implement governance while keeping up the innovation speed is to check APIs for conformance while you develop an API. If you are a developer who uses Anypoint API Designer, you can add the rulesets as dependencies to API definition in the Design Center API Designer text editor. After you add the rulesets, expand the Project Errors section to view conformance messages (see below).
What’s neat is that if you have a governance ruleset as a dependency and there are conformance errors, you won’t be able to publish it to share with the rest of the organization. This ensures that when the API definition is shared, you can count on the API to meet conformance. When an API is cataloged in Exchange and checked against the Governance engine, there’s a button that shows governance status.
But what if you are developing outside of API Designer? We provide Governance CLI so that you can implement it in your CI/CD pipeline to validate API definitions before you publish or deploy the API. For more information, see API Governance CLI Command List.
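To make the profile-plus-ruleset model concrete, here is an added illustration (not Anypoint API Governance, its rulesets, or its CLI) of the same idea as a CI gate: rulesets are small rule functions over an OpenAPI 3 document, a profile maps filter criteria (tags) to rulesets, and the gate exits nonzero when any cataloged API that matches a profile violates a rule. The ruleset names, the rule logic, the tags, and both sample API definitions are assumptions constructed for the example.

```python
# Added illustration of a governance profile gate; not Anypoint API Governance.
from __future__ import annotations

import sys
from dataclasses import dataclass

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "options", "head")


def operations(spec: dict):
    """Yield (METHOD, path, operation) for every operation in the document."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield method.upper(), path, op


def rule_operation_requires_auth(spec: dict) -> list[str]:
    """OWASP API2-style check: every operation needs a non-empty security
    requirement, either its own or inherited from the top-level 'security'."""
    default = spec.get("security") or []
    out = []
    for method, path, op in operations(spec):
        sec = op.get("security", default)
        if not sec or any(req == {} for req in sec):  # [] or {} means anonymous
            out.append(f"{method} {path}: no authentication required")
    return out


def rule_no_weak_schemes(spec: dict) -> list[str]:
    """Reject HTTP Basic and API keys carried in the query string."""
    out = []
    for name, s in spec.get("components", {}).get("securitySchemes", {}).items():
        if s.get("type") == "http" and s.get("scheme", "").lower() == "basic":
            out.append(f"securityScheme {name}: HTTP Basic is not allowed")
        if s.get("type") == "apiKey" and s.get("in") == "query":
            out.append(f"securityScheme {name}: API key in query string ends up in logs")
    return out


def rule_https_only(spec: dict) -> list[str]:
    return [f"server {s.get('url')}: must use https://"
            for s in spec.get("servers", []) if not str(s.get("url", "")).startswith("https://")]


def rule_documented_operations(spec: dict) -> list[str]:
    """Best-practice style check: operationId plus a summary or description."""
    out = []
    for method, path, op in operations(spec):
        if not op.get("operationId"):
            out.append(f"{method} {path}: missing operationId")
        if not (op.get("summary") or op.get("description")):
            out.append(f"{method} {path}: missing summary/description")
    return out


# Hypothetical ruleset names; the real Exchange assets have their own identifiers.
RULESETS = {
    "owasp-api-security": [rule_operation_requires_auth, rule_no_weak_schemes, rule_https_only],
    "api-best-practices": [rule_documented_operations],
}


@dataclass(frozen=True)
class Profile:
    name: str
    rulesets: tuple[str, ...]
    required_tags: frozenset[str]  # filter criteria: the API must carry all of these tags

    def applies_to(self, api: dict) -> bool:
        return self.required_tags <= frozenset(api.get("tags", ()))


def validate(spec: dict, ruleset_names) -> list[tuple[str, str, str]]:
    """Run the named rulesets over one definition -> [(ruleset, rule, message)]."""
    return [(rs, rule.__name__, msg)
            for rs in ruleset_names for rule in RULESETS[rs] for msg in rule(spec)]


def run_profiles(catalog: list[dict], profiles: list[Profile]) -> dict[str, list]:
    """For each cataloged API, union the rulesets of every matching profile and validate."""
    report = {}
    for api in catalog:
        names: list[str] = []
        for p in profiles:
            if p.applies_to(api):
                for rs in p.rulesets:
                    if rs not in names:
                        names.append(rs)
        report[api["name"]] = validate(api["spec"], names)
    return report


def ci_gate(catalog: list[dict], profiles: list[Profile]) -> int:
    """Return a process exit code: 1 if any API is nonconformant, else 0."""
    report = run_profiles(catalog, profiles)
    for name, violations in report.items():
        for rs, rule, msg in violations:
            print(f"{name}: [{rs}/{rule}] {msg}")
    return 1 if any(report.values()) else 0


# Constructed sample catalog: a PII-handling API with deliberate defects and a clean public one.
PAYMENTS_SPEC = {
    "openapi": "3.0.3", "info": {"title": "Payments", "version": "1.0"},
    "servers": [{"url": "http://payments.internal"}],
    "components": {"securitySchemes": {
        "basicAuth": {"type": "http", "scheme": "basic"},
        "queryKey": {"type": "apiKey", "in": "query", "name": "key"}}},
    "security": [{"basicAuth": []}],
    "paths": {
        "/payments": {"get": {"operationId": "listPayments", "summary": "List payments"}},
        "/payments/{id}": {"delete": {"summary": "Void a payment", "security": []}},
    },
}
PRODUCTS_SPEC = {
    "openapi": "3.0.3", "info": {"title": "Products", "version": "1.0"},
    "servers": [{"url": "https://api.example.com"}],
    "paths": {"/products": {"get": {"operationId": "listProducts", "summary": "List products"}}},
}
CATALOG = [
    {"name": "payments-api", "tags": ["pii", "internal"], "spec": PAYMENTS_SPEC},
    {"name": "products-api", "tags": ["public"], "spec": PRODUCTS_SPEC},
]
PROFILES = [
    Profile("sensitive-data", ("owasp-api-security", "api-best-practices"), frozenset({"pii"})),
    Profile("all-apis", ("api-best-practices",), frozenset()),
]

if __name__ == "__main__":
    sys.exit(ci_gate(CATALOG, PROFILES))
```

Run as a pipeline step, the gate reports five violations on the payments API (an anonymous DELETE, HTTP Basic, an API key in the query string, a plain-HTTP server, and a missing operationId) and fails the build, while the products API passes. Note what the profile filter hides: the products definition declares no authentication at all, but the security ruleset never runs on it because it lacks the pii tag. That is the practical argument for cataloging and tagging consistently before relying on filtered profiles, and for a catch-all profile that applies the security ruleset to every API.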
To recap, we discussed three best practices for implementing API Governance across your organization:
- You need alignment on governance requirements, and governance rulesets are a vehicle for you to determine what conformance requirements you need
- Through API Catalog CLI, you can have universal visibility of all APIs regardless of where they are developed
- With Anypoint API Governance, you can implement governance checks during API development, not as an afterthought
API security attacks are on the rise. You can combat them through proper boundaries set by proactive governance practices. To learn more, check out our webinar on how to secure your digital estate with API security and our whitepaper outlining the top 5 API security best practices.