Episode 3

Are my APIs secure?

Sharing data via APIs feels like opening the doors to your house. Are my assets safe? Are users adequately authenticated and authorised? How can I take care of access to different types of data and data privacy consent requirements? Security is crucial and cannot be ignored when APIs are designed and developed.

By 2022, according to Gartner, API abuses will become the most-frequent attack vector.

In the previous episode, we talked about the lessons learned and best practices for API-led integration projects using MuleSoft as a platform. We also spoke about how you get started and set up your governance and reusability.


In this episode, Vikram Setia (CCO) and Dan Shepherd (COO) will focus on how to secure your API environment.

Vikram Setia and Dan Shepherd discuss the role of security.


Most businesses have come to terms with using the cloud as their platform. However, there is still a natural nervousness within organisations about connecting cloud platforms with on-premise legacy systems, exposing their back-office systems to the APIs built on the cloud. At the end of the day, this is business-critical data, which should be handled securely. You can look at this from an infrastructure point of view, but it is also important to consider the security of applications and the APIs. This data is exposed to external sources and within different business domains. 


Many of our customers start their integration journey adopting Mule 4 (MuleSoft), which is a cloud-based platform. MuleSoft CloudHub comes with state-of-the-art capability for securing environments. Most of them adopt a Virtual Private Cloud (VPC) configuration, which acts as an extension of the internal network. An IPSec VPN is configured so that users can connect securely from an on-premise app to the cloud platform. There is more about IPSec VPN in the MuleSoft blog.


It is critical to get the foundations right from the outset to make the data secure, especially when adopting multiple cloud technologies. For example, one of our customers has implemented VPC Peering between different cloud platforms. They have MuleSoft and Pega (case management tool) running on AWS. To avoid routing traffic back into their internal network and out again to the Pega environment, VPC Peering has been configured so that the two cloud environments communicate directly.


It is vital to follow best practices to secure applications and APIs on top of CloudHub. Using Client ID and Secret is a no-brainer and an easy way of wrapping some security around APIs. By leveraging the IP-Whitelisting capability, we ensure that communication is only accepted from certain machines and devices. We put in place important steps like encryption of passwords within the application itself. MuleSoft's secure properties capability provides this additional encryption: the names of those properties can be viewed through Runtime Manager, but the passwords themselves are not visible, given the encryption in place. We also encrypt across all the layers of MuleSoft components to ensure that data is encrypted in transit.
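To make the two request-level controls above concrete, here is an added example (not MuleSoft code, and not the customer implementation described in the episode) of the checks a gateway policy performs before a call reaches the back end: the source address must fall inside an allowlisted network, and the `client_id` / `client_secret` headers must match a registered client. The header names, the allowlisted ranges and the client registry are constructed for the example; the audit line shows the property the episode highlights, that the secret itself is never written where an operator could read it.

```python
"""Constructed gateway policy example: IP allowlisting plus client ID/secret enforcement.

Not MuleSoft code. Header names (client_id / client_secret), network ranges and the
client registry are assumptions for the example.
"""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed allowlist: the on-premise range reached over the IPSec VPN and one
# partner host. Replace with the networks you actually accept traffic from.
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.7/32")
]

# Constructed client registry. In a real deployment these secrets would be loaded
# from an encrypted (secure) properties file, never hard-coded in the application.
REGISTERED_CLIENTS: Dict[str, str] = {
    "mobile-app": "s3cr3t-mobile",
    "partner-crm": "s3cr3t-partner",
}


@dataclass
class Request:
    source_ip: str
    headers: Dict[str, str]


def ip_allowed(source_ip: str) -> bool:
    """True only if the address parses and lies inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed or spoofed header value: reject, never crash open
    return any(addr in net for net in ALLOWED_NETWORKS)


def client_authenticated(headers: Dict[str, str]) -> bool:
    """Constant-time comparison of the presented secret against the registered one.

    An unknown client_id is compared against an empty string so the work done is the
    same as for a known one; the explicit membership check then rejects it.
    """
    client_id = headers.get("client_id", "")
    client_secret = headers.get("client_secret", "")
    expected = REGISTERED_CLIENTS.get(client_id, "")
    matches = hmac.compare_digest(expected.encode(), client_secret.encode())
    return matches and client_id in REGISTERED_CLIENTS


def enforce(request: Request) -> Tuple[int, str]:
    """Return the HTTP status and reason the gateway would send: 200, 401 or 403."""
    if not ip_allowed(request.source_ip):
        return 403, "source address not in allowlist"
    if not client_authenticated(request.headers):
        return 401, "invalid client id or secret"
    return 200, "ok"


def audit_line(request: Request, status: int) -> str:
    """Log line for the gateway: records who called from where, never the secret."""
    client_id = request.headers.get("client_id", "-")
    return f"src={request.source_ip} client_id={client_id} status={status}"


if __name__ == "__main__":
    # Constructed sample traffic: one good call, one from outside the allowlist,
    # one with a wrong secret.
    samples = [
        Request("10.20.5.9", {"client_id": "mobile-app", "client_secret": "s3cr3t-mobile"}),
        Request("192.0.2.1", {"client_id": "mobile-app", "client_secret": "s3cr3t-mobile"}),
        Request("10.20.5.9", {"client_id": "mobile-app", "client_secret": "wrong"}),
    ]
    for req in samples:
        status, reason = enforce(req)
        print(audit_line(req, status), reason)
```

The order of the checks matters for operations: rejecting on source address first means credential-guessing from outside the allowlist never touches the client registry, and the 403 versus 401 split makes the two failure modes distinguishable in the audit log without exposing which client IDs exist.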


To sum up, when it comes to security, consider VPC, IPSec with VPN, Client ID and Secret, and encryption. Most importantly, choose the platform which enables you to do all of the above.

Don't miss our next episode where we will talk about the scalability, enablement and adoption of API-led integration programs.


If you have any questions regarding the issues we covered in this video or want to discuss your challenges, talk to our integration experts.
