Whitepaper - Top 5 API Security Best Practices

This document discusses the top 5 API security best practices for securing a company's digital estate. It outlines two main challenges for securing APIs: API sprawl as the number of APIs grows dramatically, and lack of API standardization across different environments. It then provides recommendations for a 5-step process to implement comprehensive API security, including access control, governance, data security, discovery, and testing. It stresses the importance of visibility, proactivity, and monitoring to empower IT teams to securely manage the growing number of APIs.


WHITEPAPER

Top 5 API Security Best Practices
How to secure your digital estate
Contents

Executive Summary 03
Introduction 04
The Two Challenges of Securing APIs 05
  01 API Sprawl 05
  02 API Standardization 06
5 Steps to Secure Your Digital Estate 07
  01 API Protection: Access and Authorization Granted 07
  02 API Governance: Rule Over Your Digital Estate 07
  03 API Data Security: Dive a Step Deeper 08
  04 API Discovery: Finding New Spaces 09
  05 API Security Testing: Keep Everything Wrapped 09
Empower Your IT Team to Secure APIs 10
  Ensure your team has visibility into all APIs 10
  Be proactive with security 11
  Monitor everything with runtime protection 13
Your API Security Strategy Shows Your Dependability 15


TOP 5 API SECURITY BEST PRACTICES

Executive Summary

IT teams have been faced with the call to secure their organization’s digital estate while dealing with shrinking budgets. IT leaders must balance the impossible task of ensuring every API is secure without sacrificing time. And there is a lot at stake if security is not taken seriously.

Customer trust is slow to build and quick to lose — one data breach is all it takes to rattle even the most loyal customer. This means employing a comprehensive API security strategy is necessary and not a luxury for IT teams since your digital estate is only as secure as your weakest potential entry point for bad actors.

In this whitepaper, we’ll cover IT teams’ challenges when enforcing API security measures. We’ll also cover the five core steps to combat these challenges, guide your organization to develop a comprehensive API security strategy, and demonstrate why your strategy must be developed as soon as possible.

©2022 MULESOFT — MULESOFT.COM
Introduction

As organizations grow to create exceptional customer experiences, their digital architecture must shift to meet these increased demands. And while companies have quickly adopted APIs to stay ahead of the curve and future-proof their digital estate, API sprawl has become an increasing problem in recent years.

The traditional enterprise landscape uses more than 500 APIs, many of which come in different flavors and are built in various environments. These environments might each have a different set of security standards, creating an environment that bad actors love to take advantage of.

Organizations that do not prioritize cybersecurity have a lot to lose for taking a lax stance. While every company that deals with customer information needs to prioritize cybersecurity initiatives, certain finance and healthcare industries have even more at stake thanks to external regulations like HIPAA. Governments have also taken a firm stance to create customer protections, and violations of these laws can incur hefty fines. And while a company might be able to survive financially after these fines, the damage to customer trust and perception is nearly impossible to solve. As companies know, customer trust is challenging to build and shockingly easy to lose. One data breach, and it’s gone.

This situation puts IT team leaders in a challenging position: on the one hand, their teams are facing the call to achieve more with fewer resources as quickly as possible. At the same time, IT teams are responsible for ensuring all APIs in the digital estate are secure, which can be time-consuming.

As more individuals build automations and APIs, the need for improved API security increases.

APIs are now acting as a launching pad for automation. These automation projects are enabling everyone within the organization to take part in no-code, innovative projects that are driving business goals.
The Two Challenges of Securing APIs

IT teams are already facing the call to achieve more projects with fewer resources — with demand on IT outpacing increases in budget and resources. Yet, API security is a critical foundation within the digital estate. Aside from overcoming the increased demand on IT, there are two major roadblocks that stand in the way of securing APIs.

01 API Sprawl

As an organization’s digital estate grows, systems are often siloed from one another. To digitally transform, many organizations quickly adopted APIs to open up data across the organization. Teams may have also adopted pre-built or bespoke APIs from partners or vendors to share data and create engaging experiences. This required and compounding number of APIs also needs to be secured, similar to any technical component of the digital estate.

This drastic increase has resulted in an API sprawl and less visibility of your API estate. The result is challenging to manage and dramatically increases bad actors' opportunities to take advantage.

BY THE NUMBERS

90% of web apps will have more attack surface area in the form of exposed APIs. (Source: Gartner MQ Application Security Testing)

200% more APIs: organizations have seen a 200% increase in the number of APIs in the last 12 months. (Source: 451 Research API Security Trends Survey)

02 API Standardization

Quality issues across a diverse landscape

As an organization’s digital estate grows more complex, critical problems emerge in the diverse, sprawling landscape:

→ Multi-cloud initiatives: APIs developed and deployed on different cloud platforms with varying security requirements
→ Multiple protocols: APIs designed and developed using modern protocols like AsyncAPI and GraphQL with different security implementations
→ Microservices and modern applications: APIs developed to support these initiatives with incomplete security

Standardizing APIs ensures all APIs within the digital estate adhere to the agreed and defined security standards. However, this process cannot be considered secure if even a single API is not up to code since one opportunity is all it takes to invite a potential data breach.

Therefore, to achieve standardization across your digital architecture, IT teams must balance creating high-quality and secure APIs — without compromising project development speeds.

Further complicating the situation, most organizations have APIs developed on several platforms. This API fragmentation can lead IT leaders to believe the APIs adhere to the “correct” security standards. The reality is that each vendor has its own standards, and it is up to organizations to determine and enforce these standards.

[Figure: Multi-cloud initiatives, Multiple protocols, Microservices and modern applications. Critical problems emerge in the diverse, sprawling landscape.]
5 Steps to Secure Your Digital Estate

To safeguard your APIs, IT leaders must consider these five core steps. These steps build on one another and act as a guide map to achieve proper API security.

01 API Protection
02 API Governance
03 API Data Security
04 API Discovery
05 API Security Testing

01 API Protection: Access and Authorization Granted

Developers that create APIs are likely familiar with authorization, essentially the controls implemented on who can access the data within an API. While this is a foundational step towards API security, additional measures are required. Best practices indicate that your organization should implement strict API access control and ensure that layered protections are in place.

This strict control can be implemented in a number of ways, including Multi-factor Authentication (MFA) and API gateways. Implementing an API gateway can help mitigate some of the expansive landscape that comes with the rise of API sprawl.

With an API gateway, additional rules can be implemented, such as a rate-limiting policy, which is a rule that limits the number of times an API is called and helps avoid a denial of service attack. This policy ensures that all APIs controlled by the gateway adhere to specific rules and permissions.

Defining permissions further enhances security by controlling how much access an individual has when they access an API — can they read, write, or even delete your APIs?

02 API Governance: Rule Over Your Digital Estate

To implement an industry-leading API security strategy, organizations must establish a centralized governance model to set the standards used when any APIs are developed. Ensuring uniformity saves IT teams valuable time, rather than requiring them to spend time on review cycles and shift resources away from critical tasks.

With IT leaders facing the call to achieve increased delivery while balancing fewer resources, API governance is a proactive necessity — not a luxury.
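As an added example (not from the whitepaper and not MuleSoft's gateway code), the Python below chains the two gateway policies named under 01 API Protection: a per-client sliding-window rate limit and read/write/delete permissions. The client ids, limits and permission sets are constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed client registry: the HTTP methods each client id may use.
# In a real gateway this comes from the identity provider / API manager.
PERMISSIONS = {
    "mobile-app": {"GET"},                               # read only
    "order-service": {"GET", "POST", "PUT"},             # read and write
    "admin-console": {"GET", "POST", "PUT", "DELETE"},   # read, write, delete
}

METHOD_TO_ACTION = {"GET": "read", "POST": "write", "PUT": "write", "DELETE": "delete"}


class RateLimiter:
    """Sliding-window rate-limiting policy: at most `limit` calls per
    `window` seconds for each client id, tracked independently per client."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._calls = defaultdict(deque)   # client id -> timestamps of recent calls

    def allow(self, client_id: str, now: float) -> bool:
        q = self._calls[client_id]
        while q and now - q[0] >= self.window:   # forget calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def enforce(client_id: str, method: str, limiter: RateLimiter, now: float) -> tuple[int, str]:
    """Run the gateway policies in order and return (HTTP status, reason):
    403 for an unknown client or an action it is not permitted,
    429 when the client exceeded its rate limit, 200 when every policy passes."""
    allowed = PERMISSIONS.get(client_id)
    if allowed is None:
        return 403, "unknown client"
    # Count the call before authorization so a flood of forbidden requests
    # still trips the limit instead of being free to retry indefinitely.
    if not limiter.allow(client_id, now):
        return 429, "rate limit exceeded"
    if method not in allowed:
        return 403, f"{METHOD_TO_ACTION.get(method, method)} not permitted"
    return 200, "ok"


def simulate() -> list[tuple[int, str]]:
    """Constructed traffic against a policy of 3 calls per 10 seconds."""
    limiter = RateLimiter(limit=3, window=10.0)
    t0 = 1000.0
    return [
        enforce("mobile-app", "GET", limiter, t0),             # 200
        enforce("mobile-app", "DELETE", limiter, t0 + 1),      # 403: read-only client
        enforce("mobile-app", "GET", limiter, t0 + 2),         # 200
        enforce("mobile-app", "GET", limiter, t0 + 3),         # 429: 4th call inside the window
        enforce("admin-console", "DELETE", limiter, t0 + 3),   # 200: separate bucket, delete allowed
        enforce("mobile-app", "GET", limiter, t0 + 12),        # 200: window has slid past
    ]


if __name__ == "__main__":
    for status, reason in simulate():
        print(status, reason)
```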
Architects must focus on establishing visible governance standards to enable developers. Developers must adhere to uniform and easy-to-understand governance practices to deliver secure projects on time.

Implementing API governance best practices from development to discovery means IT teams are taking a proactive approach to API security. Additionally, standardization achieved through governance has the benefit of making it easier for your developers by unifying rules across the digital estate.

Developers are rising to the challenge of delivering on more projects than ever. These high-priority initiatives require specific technical knowledge, and enforcing governance standards ensures additional security while directly reducing the burden on developers.

03 API Data Security: Dive a Step Deeper

While API governance standards ensure APIs are all adhering to the same standards, IT leaders must go a step further and focus on the data that the APIs are concerned with.

Today nearly every industry and organization is concerned with sensitive customer data, and protection of that personal identifying information (PII) is essential to an organization’s reputation.

To understand API data security, let’s imagine an API is an island with a buried treasure (PII) somewhere in the middle of the ocean. API governance would dictate the security patrol of the island to keep away bad actors looking for the PII treasure.

At this point, the island would implement API data security practices to ensure that everyone that comes to the island has access to the parts of the island they are supposed to access. This level of control individualized for each user is the idea behind tokenization.

By controlling what data is accessible within an API, IT teams can employ an additional layer of protection by ensuring that the API does not release all data to every user that accesses it.

Tokenization and Healthcare

It wouldn’t make sense for a doctor to access a patient's credit card information when they access their patient’s complete profile. And tokenization prevents the doctor and any bad actors from attempting to infiltrate the APIs in this process.

[Figure: Client → API Gateway (Tokenization Policy, backed by a Tokenization Service) → Mule App (Order API)]
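An added example, not MuleSoft's tokenization policy: a Python sketch of the Client → API Gateway → Order API flow in the figure, where the gateway swaps card numbers for vault tokens on the way in and, on the way out, reveals them only to callers holding a detokenize scope (the doctor in the text gets a masked value). The vault, scope names and sample order are constructed for the demo.

```python
import re
import secrets
from dataclasses import dataclass, field

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # crude PAN matcher, enough for the demo


def luhn_ok(digits: str) -> bool:
    """Luhn checksum so a random 16-digit order id is not mistaken for a card."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenizationService:
    """Stand-in for the tokenization service: random tokens with no
    mathematical relation to the PAN, mapped back only inside the vault."""
    _vault: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


@dataclass
class GatewayTokenizationPolicy:
    service: TokenizationService
    fields: tuple = ("card_number",)     # constructed: payload fields holding PANs

    def inbound(self, payload: dict) -> dict:
        """Client -> gateway: replace configured PAN fields with tokens, so the
        backend Order API never receives or stores a raw card number."""
        out = dict(payload)
        for f in self.fields:
            value = str(out.get(f, ""))
            digits = re.sub(r"[ -]", "", value)
            if CARD_RE.fullmatch(value) and luhn_ok(digits):
                out[f] = self.service.tokenize(digits)
        return out

    def outbound(self, record: dict, caller_scopes: set) -> dict:
        """Backend -> caller: detokenize only for 'payments:detokenize';
        every other caller (e.g. the doctor) sees a masked value."""
        out = dict(record)
        for f in self.fields:
            tok = out.get(f)
            if isinstance(tok, str) and tok.startswith("tok_"):
                out[f] = self.service.detokenize(tok) if "payments:detokenize" in caller_scopes else "****"
        return out


def demo() -> tuple:
    """Constructed order with a Luhn-valid test PAN; returns what the Order API
    stores, what a clinician sees, and what the billing service sees."""
    policy = GatewayTokenizationPolicy(TokenizationService())
    order = {"order_id": "A1001", "patient": "J. Doe", "card_number": "4111 1111 1111 1111"}
    stored = policy.inbound(order)
    for_doctor = policy.outbound(stored, {"patients:read"})
    for_billing = policy.outbound(stored, {"payments:detokenize"})
    return stored, for_doctor, for_billing
```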
04 API Discovery: Finding New Spaces

Organizations have digital estates comprised of APIs developed in various environments, with several teams having a hand in creating them. For APIs to be secure, they must be managed and visible within a single source of truth that includes all APIs within the organization. This single view must include APIs developed in all environments, which include APIs built on:

→ Cloud platforms using cloud-native architecture
→ Container platforms to support modern application initiatives
→ Integration platforms using existing applications and data sources

Additionally, your comprehensive API discovery strategy must be able to view all third-party APIs used by the organization, APIs that are part of SaaS products, and APIs used as part of mobile and web frameworks.

A complex digital environment that has fallen to API sprawl is almost sure to have shadow APIs — APIs that have been created and are potentially in use but are not visible across the organization.

If an API is not visible and easy to discover, it cannot be secured.

05 API Security Testing: Keep Everything Wrapped

Testing the security of your APIs is what comes to mind when IT leaders picture an API security strategy. But note that it is the last step in our guideline, meaning it can only be employed after a full-scope API security strategy has been enforced.

API security testing is the practice of testing to identify vulnerabilities in APIs. Two types of vulnerabilities should be considered when designing your API security testing:

→ Injection attacks: Also known as traditional application vulnerabilities, these attacks are when bad actors manipulate data to make their inputs indistinguishable from trusted inputs
→ API-focused attacks: These attacks target vulnerabilities specific to APIs and include API-specific DDoS attacks and Man in the Middle attacks
  • DDoS attacks aim to overwhelm APIs with hundreds or thousands of requests to the API
  • Man in the Middle attacks occur when the bad actor intercepts and relays information between two parties and allows them to access PII they should not have access to

IT teams can only security-test APIs they are aware of. So for security testing to be effective, it must be employed along with API security best practices.
Empower Your IT Team to Secure APIs

As IT teams move through the five steps, a few core strengths must be kept in mind. By focusing on these areas, IT leaders can empower everyone across IT to take ownership of API security.

Ensure your team has visibility into all APIs

Having visibility into every single API in your digital estate is a massive challenge. Even if your organization employs diligent governance standards, human error is inevitable. As a digital estate begins to form, some IT teams opt to monitor each API manually.

While this approach is appealing, it is prone to errors and does not scale with additional APIs. This is why your API security strategy should include an automated process to ensure visibility into every API in your digital estate.

That's where MuleSoft Auto-Cataloging CLI comes in. Auto-Cataloging CLI helps discover and catalog non-Mule APIs using CI/CD pipelines when they are created, regardless of the environment where they are developed.

Using an automated workflow enables a continuous discovery of all APIs, resulting in the automatic detection and cataloging of APIs. Once the APIs are cataloged, they can be assessed for conforming to governance standards, security vulnerabilities, and inclusion in API business services.

Five key features of Auto-Cataloging CLI that bolster your API security strategy

1. Identify all APIs in a project directory
2. Identify all new and changed APIs and update the descriptor file
3. Conditionally trigger publishing of new APIs based on criteria
4. Conditionally set the asset version strategy based on criteria
5. Publish APIs in the descriptor file by running commands from a command prompt or as part of your CI/CD pipelines or custom scripts
Be proactive with security

With the ever-increasing number of APIs and automations developed across multiple teams, IT architects must maintain standardized security and quality. At the same time, developers need the flexibility to develop APIs without sacrificing valuable time on conformance review cycles that shift focus away from high-priority projects.

API governance efforts must be controlled centrally and allow architects to self-serve to ensure that every API and automation aligns with standards. The alternative means that organizations that opt to build first and secure later risk developing APIs and automations that invite bad actors. Furthermore, looking backward to meet compliance standards extends review cycles, ultimately costing more time and money that IT teams don’t have.

Anypoint API Governance

Anypoint API Governance empowers everyone across the IT team, from leaders to developers. IT team members can leverage out-of-the-box rulesets provided by MuleSoft, or create custom rulesets to avoid managing standards in siloed documents.

Architects can use Anypoint API Governance to filter and group the APIs based on metadata, such as tags or categories. Profiles created are dynamic, automatically enforcing standards across every new API added to Anypoint Exchange that matches the profile criteria.

What is a ruleset?

A ruleset is a collection of rules that can be applied over the metadata extracted from any REST API definition. These rules are extensible and based on open standards (W3C, OPA). The starting point for API security is the API definition itself.

Rulesets can be used to create a profile, a collection of rules resembling a governance standard. With Anypoint API governance, a profile can define the rules of a given group of APIs. IT teams can create multiple profiles to customize IT teams' governance standards per use case.

[Figure: (1) rulesets published in Anypoint Exchange, such as Authentication Security, OWASP API Security Top 10, MuleSoft Anypoint API Best Practices and OpenAPI Best Practices; (2) creating a profile in the API Governance console that selects REST APIs tagged Public, matching the Loyalty API, Inventory API and Customer API]
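As an added illustration (not Anypoint's ruleset format or engine), the Python below applies a small ruleset over the metadata of a REST API definition and scopes it through a profile that selects APIs by type and tag, the way the text describes. The rules, the OpenAPI documents and the catalog entries are all constructed for the demo.

```python
import json

# Constructed OpenAPI definition with three deliberate governance violations
# for the rules below to find (not a real MuleSoft asset).
LOYALTY_API = json.loads("""{
  "openapi": "3.0.3",
  "info": {"title": "Loyalty API", "version": "1.0"},
  "servers": [{"url": "http://loyalty.internal.example/v1"}],
  "components": {"securitySchemes": {
    "oauth": {"type": "oauth2", "flows": {"clientCredentials": {
      "tokenUrl": "https://auth.example/token", "scopes": {"loyalty:read": "read points"}}}},
    "apikey": {"type": "apiKey", "in": "query", "name": "api_key"}}},
  "security": [{"oauth": ["loyalty:read"]}],
  "paths": {
    "/points": {"get": {"responses": {"200": {"description": "ok"}}}},
    "/points/{id}": {"delete": {"security": [], "responses": {"204": {"description": "deleted"}}}},
    "/admin/export": {"get": {"security": [{"apikey": []}], "responses": {"200": {"description": "ok"}}}}
  }
}""")

# A clean constructed definition, used to show the profile filter skipping non-matching APIs.
INVENTORY_API = {
    "openapi": "3.0.3", "info": {"title": "Inventory API", "version": "2.0"},
    "servers": [{"url": "https://inventory.example/v2"}],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],
    "paths": {"/stock": {"get": {"responses": {"200": {"description": "ok"}}}}},
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}


def rule_https_only(spec: dict) -> list:
    """Every declared server URL must use TLS."""
    return [f"server '{s['url']}' is not https"
            for s in spec.get("servers", []) if not s["url"].lower().startswith("https://")]


def rule_no_apikey_in_query(spec: dict) -> list:
    """API keys in the query string end up in proxy logs and browser history."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    return [f"securityScheme '{name}' passes an API key in the query string"
            for name, s in schemes.items() if s.get("type") == "apiKey" and s.get("in") == "query"]


def rule_every_operation_secured(spec: dict) -> list:
    """An operation inherits the top-level security list unless it declares its
    own; an explicit empty list switches authentication off for that operation."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and not op.get("security", spec.get("security", [])):
                findings.append(f"{method.upper()} {path} has no security requirement")
    return findings


RULESET = {
    "https-only": rule_https_only,
    "no-apikey-in-query": rule_no_apikey_in_query,
    "operations-secured": rule_every_operation_secured,
}


def run_ruleset(spec: dict, ruleset=RULESET) -> dict:
    """Apply every rule to one definition: rule name -> list of findings."""
    return {name: rule(spec) for name, rule in ruleset.items()}


# Constructed catalog entries carrying the metadata a profile filters on.
CATALOG = [
    {"name": "Loyalty API", "type": "rest-api", "tags": ["public"], "spec": LOYALTY_API},
    {"name": "Inventory API", "type": "rest-api", "tags": ["internal"], "spec": INVENTORY_API},
]


def apply_profile(catalog: list, api_type: str, tag: str, ruleset=RULESET) -> dict:
    """A profile = ruleset + selection criteria: only APIs of the given type that
    carry the given tag are evaluated, so a new matching API is checked automatically."""
    return {api["name"]: run_ruleset(api["spec"], ruleset)
            for api in catalog if api["type"] == api_type and tag in api["tags"]}
```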
Anypoint API Manager

IT teams need to quickly secure APIs with policies, manage client access, and gain critical insights into your API programs. And Anypoint API Manager allows you to manage all your APIs and microservices from one place — no matter where they live.

KEY FEATURES

→ Unlock and manage any service securely with a flexible API gateway
→ Apply pre-built or custom security policies and manage at runtime with no downtime
→ Secure and govern microservices regardless of where they’re hosted with service mesh
→ Manage access to your assets across individual users or entire teams
→ Gain critical insights into your API reliability, performance, and compliance
Monitor everything with runtime protection

There are two simple questions IT team leaders need to ask that can shed some troubling light on API security practices:

1. If someone were abusing your organization’s APIs, would you know?
2. How can you find API vulnerabilities throughout the development life cycle and improve API security posture?

Your API security strategy should take measures to ensure your solutions detect vulnerabilities based on rulesets like OWASP, TLS, or security best practices. And by employing a runtime protection framework across the organization, IT teams can create policies that control access to APIs.

MuleSoft API Gateway provides built-in policies to authenticate, authorize and control access to APIs. IT teams can use API Gateway to configure a robust set of authentication, security, and traffic management policies with zero trust implemented right out of the box. IT teams are setting the foundation for additional security measures by using an API gateway.

There are three core benefits of Anypoint Flex Gateway:

→ Secure any API running anywhere
→ Extend Anypoint Platform to all APIs
→ Build responsive experiences

Anypoint Security provides a layered approach to secure your application network. These layers work together to control access to APIs, enforce policies, and proxy all inbound or outbound traffic to mitigate external threats and attacks. Anypoint Security also provides a dedicated endpoint to detect attacks and validate traffic without taxing your network implementations.

Anypoint Security is built with WAF and Tokenization to protect against threats:

→ Tokenization allows customers to tokenize sensitive data processed by the API. This protects sensitive data like credit cards, social security numbers, or other PII and helps prevent data breaches.
→ WAF (Web Application Firewall) policy adds protection at the web application level.
CUSTOMER STORY

Identifying shadow APIs with Takeda Pharmaceuticals

Takeda Pharmaceutical Company is one of the top 20 largest pharma companies in the world, employing almost 50,000 people worldwide and providing healthcare to millions of patients.

Takeda relies on MuleSoft for its API management. Anypoint enables Takeda to standardize on schema, apply governance, encourage reuse, and increase efficiency with its APIs.

However, two challenges remain:

→ How to govern all APIs in MuleSoft and AWS
→ Protecting patients’ sensitive data

To mitigate these risks, Takeda complemented the MuleSoft deployment with a full-fledged API security platform to monitor all transactions in a machine-learning-based system asynchronously and identify threats.

With MuleSoft, Takeda identified 30% additional APIs that had not been previously categorized.

“At Takeda, we strive for a culture of readiness and preparedness and my team operates with certain guiding principles including standardization, simplification, scalability, reusability and adoption. MuleSoft helps us support those principles.”

SUNDAR KRISHNA, Director of Cloud Engineering Platforms and Head of Data Integration Services and Products, Takeda
Your API Security Strategy Shows Your Dependability

The stakes have never been higher for IT leaders. With shrinking budgets and increased expectations, API security might not seem necessary when business goals are on the line. However, the risk of putting API security on the back burner is not worth it. Your team’s reputation is on the line, and one data breach is enough to create significant problems — ultimately, customer trust is on the line.

Developing a comprehensive API security strategy is critical for IT teams to protect themselves and customer PII. MuleSoft has several API security solutions that ease the burden on IT teams and allow them to secure your organization’s APIs without sacrificing precious time. Let’s get your API estate secured now!
Learn more about MuleSoft

Start your security journey today: See how MuleSoft helps IT teams secure every API in the digital estate. (Get to know MuleSoft)

Webinar: Discover and govern APIs for universal visibility: Watch and learn how to apply security guardrails in Anypoint Governance. (See the webinar)

Powerful, quick, and flexible: Manage and secure any API built anywhere with Anypoint Flex Gateway. (Start securing)

Webinar: Digital Services, Enterprise API Security with Okta and MuleSoft: MuleSoft and Okta have joined forces to support developers across the entire development cycle. (Watch now)
Salesforce, the global CRM leader, empowers companies of every size and industry to digitally transform and create a 360° view of their customers. For more information about Salesforce (NYSE: CRM), visit salesforce.com.

Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase Salesforce applications should make their purchase decisions based upon features that are currently available. Salesforce has headquarters in San Francisco, with offices in Europe and Asia, and trades on the New York Stock Exchange under the ticker symbol “CRM.”

For more information please visit salesforce.com, or call 1-800-NO-SOFTWARE.

MULESOFT IS A REGISTERED TRADEMARK OF MULESOFT, INC., A SALESFORCE COMPANY. ALL OTHER MARKS ARE THOSE OF RESPECTIVE OWNERS.
