Technology Blogs by SAP
APIs are the building blocks that unlock enterprise data and processes for digital consumption and interaction, enabling businesses to share digital assets beyond traditional applications, websites and devices. APIs also enable enterprises to interact with their business partners to create business networks, and allow external developers to extend their solution capabilities in innovative ways through the development of new applications.

APIs have become a strategic necessity for enterprises to innovate and open up new channels, partner ecosystems, and revenue opportunities.

One of the most important aspects of developing APIs for the enterprise is ensuring API security. The main principles of API security can be summarized as follows:

Identify the API caller: APIs should identify not only the users of the application but also the application that consumes the APIs. OAuth has taken off as the standard way, and a best practice, for applications and websites to handle authorization. OAuth defines an open protocol that allows secure API authorization of desktop, mobile and web applications through a simple, standard method.

Mitigate cyber attacks: Cyber attacks are attempts by malicious users to destroy, expose, alter or steal data, or to gain unauthorized access to, or make unauthorized use of, an asset. These attacks range from code injection to gain access to sensitive data, to sending inflated data structures that spike server resource consumption, to flooding target systems with too many calls, resulting in denial of service. APIs should have checks and validation in place to detect code injection and to control the rate of traffic sent to or received from an API endpoint.

Log all API interactions: Collecting and analyzing API logs helps to assess the damage caused by an attack and to expose attacks on the cloud; therefore all API interactions should be logged to a central logging server.
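The three principles above, applied in the order a gateway would apply them, as an added example in Python. It is not code from this blog or from SAP Cloud Platform API Management: it assumes the caller identity (for example the OAuth client id) has already been established upstream and is passed in as `caller`, and the limits (`RATE_LIMIT_CALLS`, `JSON_MAX_DEPTH`, `MAX_BODY_BYTES` and so on) are constructed values, not product defaults. The size check runs before the body is parsed, so an inflated payload is rejected without ever being decoded.

```python
import json
import math
import time
from collections import deque

# Constructed policy settings (assumed values for the example, not SAP defaults).
RATE_LIMIT_CALLS = 5           # calls allowed per caller per window
RATE_LIMIT_WINDOW_SEC = 60     # sliding window length in seconds
MAX_BODY_BYTES = 1024          # reject oversized bodies before parsing them
JSON_MAX_DEPTH = 4             # maximum nesting of objects/arrays
JSON_MAX_ARRAY_ELEMENTS = 10   # maximum elements in any one array
JSON_MAX_STRING_LENGTH = 64    # maximum length of any key or string value

AUDIT_LOG = []  # stands in for the central logging server


class RateLimiter:
    """Sliding-window limiter keyed by caller identity; `now` is injectable for tests."""

    def __init__(self, limit, window, now=time.time):
        self.limit, self.window, self.now = limit, window, now
        self.calls = {}  # caller -> deque of accepted-call timestamps

    def check(self, caller):
        """Return (allowed, retry_after_seconds); a denied call consumes no slot."""
        t = self.now()
        q = self.calls.setdefault(caller, deque())
        while q and t - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False, max(1, math.ceil(self.window - (t - q[0])))
        q.append(t)
        return True, 0


def json_threat_violations(obj, depth=0):
    """Walk parsed JSON and report every structural limit that is exceeded."""
    problems = []
    if isinstance(obj, (dict, list)):
        depth += 1
        if depth > JSON_MAX_DEPTH:
            # Stop descending: the structure is already rejected.
            return [f"nesting depth {depth} exceeds {JSON_MAX_DEPTH}"]
    if isinstance(obj, dict):
        for k, v in obj.items():
            if len(k) > JSON_MAX_STRING_LENGTH:
                problems.append(f"key length {len(k)} exceeds {JSON_MAX_STRING_LENGTH}")
            problems += json_threat_violations(v, depth)
    elif isinstance(obj, list):
        if len(obj) > JSON_MAX_ARRAY_ELEMENTS:
            problems.append(f"array of {len(obj)} elements exceeds {JSON_MAX_ARRAY_ELEMENTS}")
        for v in obj:
            problems += json_threat_violations(v, depth)
    elif isinstance(obj, str) and len(obj) > JSON_MAX_STRING_LENGTH:
        problems.append(f"string length {len(obj)} exceeds {JSON_MAX_STRING_LENGTH}")
    return problems


def handle_request(caller, client_ip, body, limiter):
    """Apply the policy chain; return an HTTP-like (status, headers, body) triple."""

    def log(outcome, detail=""):
        # Every decision is recorded, including rejections, so attacks leave a trail.
        AUDIT_LOG.append({"ts": limiter.now(), "caller": caller, "ip": client_ip,
                          "outcome": outcome, "detail": detail})

    if not caller:                                     # principle 1: identify the caller
        log("denied", "missing caller identity")
        return 401, {}, '{"error":"unauthenticated"}'
    allowed, retry = limiter.check(caller)             # principle 2a: rate limiting
    if not allowed:
        log("rate_limited", f"retry after {retry}s")
        return 429, {"Retry-After": str(retry)}, '{"error":"rate limit exceeded"}'
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:     # principle 2b: size before parsing
        log("rejected", "body too large")
        return 413, {}, '{"error":"payload too large"}'
    try:
        parsed = json.loads(body)
    except ValueError:
        log("rejected", "malformed JSON")
        return 400, {}, '{"error":"malformed JSON"}'
    problems = json_threat_violations(parsed)          # principle 2c: JSON threat limits
    if problems:
        log("rejected", "; ".join(problems))
        return 400, {}, '{"error":"JSON threat protection"}'
    log("forwarded")                                   # principle 3: log every interaction
    return 200, {}, '{"status":"ok"}'


if __name__ == "__main__":
    lim = RateLimiter(RATE_LIMIT_CALLS, RATE_LIMIT_WINDOW_SEC)
    for body in ['{"order": 1}', '[[[[[1]]]]]', '{"ids": ' + json.dumps(list(range(11))) + '}']:
        print(handle_request("app-a", "10.0.0.1", body, lim)[0])  # constructed inputs
    for entry in AUDIT_LOG:
        print(entry)
```

The limiter counts only accepted calls, so a caller that is already over its limit cannot extend its own lockout by retrying, and the `Retry-After` header tells a well-behaved client when the window reopens. The depth walk returns as soon as the limit is crossed instead of descending further, which keeps the check itself cheap on hostile input.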

SAP Cloud Platform, API Management offers many out-of-the-box API security policies based on the OWASP API security best practices, which can be customized to your enterprise requirements.

In this blog series, we will be showcasing the security policies from SAP Cloud Platform API Management that secure and protect enterprise APIs, as shown in the picture below:

These API security best practices include policies for authentication and authorization, traffic management, and detection of cloud threats and cyber attacks, and are covered in detail in the following parts:

Part 1 - Restrict access to API based on IP Addresses

Part 2 - Rate limit API calls with Retry time

Part 3 - Rate limit API calls for OData Batch calls

Part 4 - Data masking of sensitive data from API response

Part 5 - JSON Threat protection against injection attacks

Part 6 - XML Threat protection against injection attacks

Part 7 - Log all API interactions

Part 8 - Threat protection against SQL injection attacks

Part 9 - Threat protection against XML External entity injection attacks

Part 10 - Raise alerts via email notification when threat is detected

Part 11 - Rate limit concurrent connection to target

Part 12 - Rate limit API calls per developer


For more blogs on SAP Cloud Platform API Management visit us at SAP Community