API governance best practices

 

The Growing Importance of APIs

APIs are essential for delivering digital and automation initiatives, making it easier than ever for organizations to implement and deploy APIs at scale. This flexibility allows organizations to build what they need when they need it.

However, this rapid growth also poses a risk. Organizations may lose track of which APIs are in production and struggle to manage them effectively. Gartner predicts that "by 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools."

Ensuring API Security and Innovation

API governance plays a crucial role in maintaining consistent API quality and security across design, development, and deployment stages. However, it's often viewed as a hurdle to product delivery. Without adequate governance, the APIs we create for building a composable enterprise can become vulnerabilities, exposing sensitive data.

So, the question arises: How can we safeguard APIs without impeding innovation?

Proactive Data Security with API Governance

To protect APIs without hindering product delivery, organizations require:

1. Alignment on Governance Requirements: Establish clear governance standards that align with organizational objectives and regulatory requirements.

2. Enhanced Visibility of Deployed APIs: Improve visibility into all deployed APIs to effectively monitor and manage their security and compliance.

3. Governance Conformance during API Development: Ensure adherence to governance policies throughout the API development process.

By integrating automatic governance checks into the development lifecycle, particularly during development and cataloging phases, organizations can verify that each API meets security and best practices standards.

Achieving Proactive Governance with Anypoint API Governance and Anypoint API Catalog CLI

Now, let's explore how your organization can achieve proactive governance using Anypoint API Governance and Anypoint API Catalog CLI, both integral components of MuleSoft’s Universal API Management (UAPIM).

1. Alignment on Governance Requirements

Before embarking on your governance journey, it's essential to determine the following:

1. Which APIs Require What Kind of Conformance?

   • Identify specific APIs that handle sensitive data or have particular requirements. Determine the governance checks necessary for these APIs to ensure their security and compliance.

2. When Should Conformance Checks Occur?

   • Define when conformance checks should take place—whether during API development stages or when APIs are stable and ready for deployment.

3. Who Should Receive Notifications for Non-Conformance?

   • Establish who within your organization should be notified if an API fails to meet conformance standards.

4. Company Standards and Best Practices

   • Define your organization's standards and best practices regarding API governance, security, and quality.

The answers to these questions serve as guiding principles as you implement proactive governance measures.

Leveraging Anypoint API Governance

Anypoint API Governance ensures consistent API quality and security through governance rulesets. These rulesets can be applied to the metadata extracted from API definitions within Anypoint Platform.

MuleSoft offers several pre-built rulesets available in Anypoint Exchange, including Anypoint API Best Practices, OpenAPI Best Practices, OWASP API Security Top 10, and Authentication Security Best Practices. You can discover these rulesets in Exchange by filtering the search by the Rulesets type.

For each of the pre-built rulesets, you can access documentation and view the associated rules by clicking on the asset. Below is an example of the OWASP API Security Top 10 2019 Checklist ruleset page.

By identifying which APIs require specific rulesets, you can assess whether a customized ruleset tailored to your organization's needs is necessary. You have the option to construct custom rulesets based on the provided rulesets.

2.Improving Visibility of All Deployed APIs

Ensuring governance conformance requires access to API definitions. However, gaining visibility into all APIs can be challenging when organizations utilize various repositories, environments, and documentation practices.

API Catalog CLI: Consolidating API Definitions

With API Catalog CLI, you can discover and catalog API definitions, documentation files, and associated metadata, consolidating them into Anypoint Exchange. This centralization occurs regardless of where the API is developed. You can seamlessly integrate CLI commands into your CI/CD pipeline, automating the publishing of API assets to Exchange.

Tagging and Categorizing APIs

During the cataloging process, you can tag and categorize APIs. This allows you to apply appropriate rulesets to your APIs as soon as they are added to Exchange.

3. Implementing Governance Checks Throughout the Development Lifecycle

Now that you've established governance criteria and centralized all APIs, it's time to implement governance checks. Anypoint API Governance offers two experiences:

For Architects and Security Admins:

An Architect can enforce API governance by creating a new profile in Anypoint API Governance. This profile applies selected governance rulesets to a chosen group of APIs, validating their definitions against these rulesets.

1. Creating a Governance Profile: Architects select one or more rulesets to apply. For instance, combining OWASP and Anypoint Best Practices rulesets ensures APIs with sensitive data are protected while meeting syntax requirements for readability and reuse.

2. Setting API Filter Criteria: Architects specify API filter criteria such as type, tags, categories, and lifecycle state. They also designate users to receive automatic notifications of nonconformance.

3. Running Governance Rules: The governance engine runs the rulesets against filtered APIs, providing a dashboard for monitoring API conformance status. Architects can drill down to specific profiles or APIs to examine violations and send reminder notifications.

This approach ensures consistent application of governance standards across all APIs, regardless of their development origin.

For Developers

Another method to implement governance without slowing down innovation is to check APIs for conformance during the development phase. If you're a developer utilizing Anypoint API Designer, you can integrate rulesets as dependencies into the API definition within the Design Center API Designer text editor.

1. Adding Rulesets as Dependencies: Developers include rulesets as dependencies in the API definition within the API Designer text editor.

2. Viewing Conformance Messages: After adding the rulesets, developers expand the Project Errors section to access conformance messages. This feature allows developers to promptly identify and address any non-conformance issues directly within the API Designer environment.

By incorporating governance checks into the development process, developers can ensure adherence to standards and best practices without impeding the pace of innovation.

What's impressive is that if a governance ruleset is set as a dependency and there are conformance errors, you won’t be able to publish the API, ensuring that when shared, it meets conformance standards. When an API is cataloged in Exchange and checked against the Governance engine, a button displays its governance status.

But what if you're developing outside of API Designer? Mulesoft offer Governance CLI, enabling you to integrate governance checks into your CI/CD pipeline. This allows you to validate API definitions before publishing or deploying the API.

In conclusion, we highlighted three key best practices for implementing API Governance throughout your organization:

1. Alignment on Governance Requirements: Establishing alignment on governance requirements is essential, and governance rulesets serve as a guide to determine conformance criteria.

2. Universal Visibility with API Catalog CLI: Utilizing API Catalog CLI provides universal visibility of all APIs, irrespective of their development origins, ensuring comprehensive oversight.

3. Implementing Governance Checks with Anypoint API Governance: Integrating governance checks during API development with Anypoint API Governance ensures governance is ingrained in the development process, rather than an afterthought.

By adopting these best practices, organizations can effectively manage and govern APIs, ensuring adherence to standards and enhancing overall API quality and security.