API Governance Guidelines
The API Governance module in the AppSentinels API Security Platform ensures that all APIs adhere to security, operational, and organizational standards. It helps prevent risks arising from shadow APIs, misconfigurations, and data exposure.
Objectives
- Maintain visibility into all active, inactive, and undocumented APIs.
- Classify and monitor sensitive, privileged, and unauthenticated endpoints.
- Reduce API sprawl by managing unused or redundant APIs.
- Enforce security policies and governance controls consistently.
Key Governance Categories
1. Shadow APIs
APIs that are actively serving traffic but do not appear in any known schema (e.g., an OpenAPI/Swagger specification). Compare traffic against the schema only after path parameters have been normalized; otherwise every /user/123, /user/456, and so on shows up as a separate undocumented endpoint.
Action: Identify, tag, document, or decommission.
2. Sensitive APIs
APIs that process or expose Personally Identifiable Information (PII) or sensitive data.
Action: Apply strict access control and minimize exposure.
3. Privileged APIs
Endpoints that perform high-privilege operations such as login, user management, or admin access.
Action: Enforce authentication, RBAC, and audit logging.
4. Unauthenticated APIs (UnAuth)
APIs that can be reached without presenting any credentials.
Action: Confirm that unauthenticated access is intentional (for example, a login or health-check endpoint); otherwise add authentication or disable the endpoint.
5. Inactive APIs
APIs that have not received traffic for a defined duration.
Action: Review regularly and retire unused or obsolete APIs to shrink the attack surface. Set the inactivity window longer than the longest legitimate usage gap (for example, monthly batch endpoints) so that seasonal APIs are not retired by mistake.
Governance Alerts
Alerts are generated to notify administrators of potential governance violations, including:
- New shadow or unauthenticated APIs
- Inactive APIs that are candidates for deprecation
- APIs that expose sensitive data or perform privileged operations
You can access these alerts under: Settings → Vulnerability Configuration → Governance Controls
Review Guidelines
Review New APIs
- Ensure appropriate tags (e.g., sensitive, privileged, public) are assigned.
- Assess whether the API URI requires parameterization (e.g., /user/123 → /user/{userId}) to avoid duplication in discovery and analysis.
Review Inactive APIs
- Identify endpoints with no traffic over a defined period.
- Evaluate relevance and retire outdated APIs to improve clarity and reduce unnecessary exposure.
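The classification described under Key Governance Categories and the parameterization step from Review New APIs can be reproduced offline from a traffic export. The following is an added example written for this page; it is not AppSentinels code and does not use the platform's API. It assumes two inputs a practitioner could pull from a gateway or proxy: the documented routes from an OpenAPI/Swagger document, and observed requests with method, path, whether credentials were presented, and a timestamp. Function names (normalize_path, triage, run_example) and all sample data are constructed for the example.

```python
"""Governance triage over observed API traffic.

Added example for this page; not AppSentinels code. Inputs are assumed to be
exported from a gateway or proxy: documented routes (method, path template)
from an OpenAPI/Swagger document, and observed requests with method, path,
whether credentials were presented, and a timestamp. Sample data is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Segments that look like identifiers collapse to one placeholder so that
# /user/123 and /user/456 are treated as a single endpoint /user/{id}.
_NUMERIC = re.compile(r"^\d+$")
_UUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
_PARAM = re.compile(r"\{[^/}]+\}")  # {userId}, {reportId}, ... in spec templates


def normalize_path(path):
    """Drop the query string and replace identifier-like segments with {id}."""
    segments = path.split("?", 1)[0].strip("/").split("/")
    out = ["{id}" if _NUMERIC.match(s) or _UUID.match(s) else s for s in segments]
    return "/" + "/".join(out)


def normalize_template(template):
    """Map a spec template such as /user/{userId} onto the same {id} form."""
    return normalize_path(_PARAM.sub("{id}", template))


def triage(spec_routes, requests, now, inactive_after=timedelta(days=30),
           expected_public=frozenset()):
    """Classify endpoints as shadow, unauthenticated, or inactive.

    spec_routes:     iterable of (method, path_template) from the API schema
    requests:        iterable of dicts with method, path, authenticated, ts
    expected_public: (method, template) pairs that are allowed to be
                     unauthenticated (e.g. login); not reported as unauth
    """
    documented = {(m.upper(), normalize_template(t)) for m, t in spec_routes}
    seen = {}  # (method, template) -> {"last_seen", "count", "unauth"}
    for r in requests:
        key = (r["method"].upper(), normalize_path(r["path"]))
        e = seen.setdefault(key, {"last_seen": None, "count": 0, "unauth": 0})
        e["count"] += 1
        if not r.get("authenticated"):
            e["unauth"] += 1
        if e["last_seen"] is None or r["ts"] > e["last_seen"]:
            e["last_seen"] = r["ts"]

    public = {(m.upper(), normalize_template(t)) for m, t in expected_public}
    findings = {"shadow": [], "unauth": [], "inactive": []}
    for key, e in seen.items():
        if key not in documented:           # serving traffic, absent from schema
            findings["shadow"].append(key)
        if e["unauth"] == e["count"] and key not in public:
            findings["unauth"].append(key)  # no request ever carried credentials
    for key in documented | set(seen):      # whole inventory, documented or not
        e = seen.get(key)
        if e is None or now - e["last_seen"] > inactive_after:
            findings["inactive"].append(key)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample inventory and traffic (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SPEC_ROUTES = [
    ("GET", "/user/{userId}"),
    ("POST", "/login"),
    ("GET", "/reports/{reportId}/export"),
]
TRAFFIC = [
    {"method": "GET", "path": "/user/123", "authenticated": True, "ts": NOW - timedelta(hours=1)},
    {"method": "GET", "path": "/user/456?fields=email", "authenticated": True, "ts": NOW - timedelta(days=2)},
    {"method": "POST", "path": "/login", "authenticated": False, "ts": NOW - timedelta(minutes=5)},
    {"method": "GET", "path": "/internal/debug/dump", "authenticated": False, "ts": NOW - timedelta(days=1)},
    {"method": "GET", "path": "/admin/users/7f3c1e2a-4b5d-4e6f-8a9b-0c1d2e3f4a5b",
     "authenticated": True, "ts": NOW - timedelta(days=3)},
    {"method": "DELETE", "path": "/legacy/export", "authenticated": True, "ts": NOW - timedelta(days=45)},
]


def run_example():
    """Run the triage over the constructed data; /login is an accepted public endpoint."""
    return triage(SPEC_ROUTES, TRAFFIC, NOW, expected_public={("POST", "/login")})


if __name__ == "__main__":
    for category, endpoints in run_example().items():
        print(category)
        for method, template in endpoints:
            print(f"  {method} {template}")
```

On the constructed data the debug endpoint and the admin lookup are reported as shadow (traffic but no schema entry), the debug endpoint is additionally unauthenticated, the documented report export is inactive because it never appears in traffic, and the legacy DELETE is both shadow and inactive. Without the expected_public entry, /login would also be listed as unauthenticated, which is exactly the "evaluate necessity" decision the governance category asks for; the allowlist records that decision so the alert does not recur.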
Best Practices
- Maintain comprehensive and updated API documentation.
- Periodically review governance alerts and audit API inventory.
- Apply consistent tagging and naming standards.
- Implement strong authentication and data protection on sensitive/privileged APIs.
- Decommission unused APIs to reduce surface area and management overhead.