Security scores in the Apigee UI

You're viewing Apigee X documentation.
View Apigee Edge documentation.

Security scores

Advanced API security continuously monitors your API proxies and traffic to calculate security scores, and provides recommendations on ways to improve the scores. Security scores are based on three main criteria:

  • Confidentiality: Keep your data private.
  • Integrity: Prevent outsiders from gaining unauthorized access to your APIs.
  • Availability: Make sure your APIs are available 24/7.

The score gives you a rating of the security of your APIs, as well as their stability over time. For example, a score that fluctuates a lot could indicate that the API behavior is frequently changing, which might not be desirable. Changes in an environment that could cause the score to drop include:

  • Deploying many API proxies in an environment without the necessary security policies.
  • A spike in unblocked bot traffic for a profile that requires low traffic from malicious sources.

Observing changes to the security score over time provides a good indicator of any unwanted or suspicious activity in the environment.

Assessment types

There are three assessment types that contribute to the overall security score calculated by Advanced API Security:

  • API source assessment: Assesses the source abuse behavior, as detected by the bot-detection rules.
  • API proxy assessment: Assesses how well proxies have implemented various security policies in the following areas:
  • API target assessment: Check if mutual transport layer security (mTLS) is configured with the target servers in the environment.

Each of these assessment types is assigned a score of its own. The overall score is the average of the scores of the individual assessment types.

Security profile

A security profile is a set of rules that you want your API proxies to adhere to. To view security scores for an environment, you need to apply a security profile to the environment.

Advanced API Security provides an out-of-the-box security profile that scores the following activity and policies:

Component Description Recommendation
Abuse detection Abuse includes any requests sent to the API for purposes other than what the API is intended for, such as high volumes of requests, data scraping, and abuse related to authorization. See Abuse recommendations
Mutual transport layer security (mTLS) configuration. Checks to see if you have configured mTLS for the target server. See Target server mTLS configuration.
Authorization Checks to see if you have an authorization policy in place. Add one of the following policies to your proxy:
Mediation Checks to see if you have a mediation policy in place. Checks if CORS is configured with an AssignMessage policy. Add one of the following policies to your proxy:
Threat Checks to see if you have a threat protection policy in place. Add one of the following policies to your proxy:

Open the Security Scores view

The Security Scores view displays scores that measure the security of your API in a specific environment.

To open Security Scores view:

  1. Open Apigee UI in a browser.
  2. Select Analyze > API Security > Scores.

This displays the Security Scores view:

Security Scores main window.

Note that no scores are computed in an environment until you apply a security profile to the environment. A security profile is a set of security rules that you want your APIs to adhere to. Apigee provides a default security policy that you can use.

In the picture above, no security profile has been attached to either environment, so the Profile Name column displays Not set for both environments.

To apply the default security profile to an environment:

  1. Under Actions, click the three-dot menu in the row for the environment.
  2. Click Attach profile.
  3. In the Attach Profile dialog:
    1. Click the Profile field and select default.
    2. Click the Profile revision field and select the revision number.
    3. Click Assign.

When you apply a security profile to an environment, Advanced API Security immediately starts assessing and scoring it. The row for the environment then displays an overall security score and the score's Assessment Date. Note that it may take a few minutes for the score to be displayed.

Security Scores main window with a security profile attached.

The overall score is calculated from the individual scores in the three assessment types:

  • Source assessment
  • Proxy assessment
  • Target assessment

Note that all scores are in the range 200 - 1200. The higher the score, the better the security assessment.

Viewing scores in an environment

Once you have attached a security profile to an environment, you can view the scores and recommendations in the environment. To do so, click the row for the environment in the main Security Scores view. This displays the scores for the environment, as shown below:

Security scores in an environment.

The view displays:

  • The latest scores for the three assessment types listed above. You can click View below any of these panes to see the assessment for that type.
  • A 5-day history and average for the overall score in the environment.
  • The Needs Attention table, which lists assessment types of your APIs in which you can improve security.

Note that a score is only computed for the assessment type if there is something to assess. For example, if there are no target servers, no score will be reported for Targets.

The Needs Attention table

The Needs Attention table, shown above, lists the components of your APIs whose scores are low, along with:

  • The latest score for the component
  • The assessment date
  • The assessment type

If the score for a component is below 1200, Advanced API Security provides a recommendation to improve the score. To view the recommendation, click the row for the component in the table. This opens the assessment view corresponding to assessment type of the component (source, proxy, or target).

The following sections describe how to view the recommendations for each assessment type:

Assessment views

The following sections provide examples of viewing the assessments for each type:

Source assessment

The source assessment calculates an abuse score for the environment. "Abuse" refers to requests sent to the API for purposes other than what the API is intended for.

To view the source assessment, click View in the Sources pane to open the API Source Assessment view:

Source assessment pane.

The Source Score History displays the scores over the last 5 days, along with their average and the latest score. The Assessment details table displays the latest individual scores for the components of the assessment.

Source recommendations

If a component has a low score, you can view recommendations for improving it. To view a recommendation for the abuse component, click its row in the Assessment details table. This displays the recommendation in the Recommendations pane.

Abuse recommendation in Recommendations pane.

The recommendation is to block or allow traffic identified by abuse detection. Below that, the Actions row displays a link to documentation for abuse recommendations.

Proxy assessment

The API proxy assessment calculates scores for all proxies in the environment. To view the proxy assessment, click View in the Proxies pane to open the API Proxy Assessment view:

Proxy assessment pane.

The Proxy Score History displays the scores over the last 5 days, along with their average and the latest score. The Assessment details table displays the latest individual scores for the components of the assessment.

Proxy recommendations

If a proxy has a low score, you can view recommendations for improving it. For example, to view recommendations for the hellooauth2 proxy, click its row in the Assessment details table. This displays the recommendations in the Recommendations pane. Two of them are shown below.

Proxy recommendation.

Target assessment

The target assessment calculates an mTLS score for each target server in the environment. Target scores are assigned as follows:

  • No TLS present: 200
  • One-way TLS present: 700
  • Two-way or mTLS present: 1200

To view the target assessment, click View in the Targets pane to open the API Target Assessment view:

Target assessment pane.

The Target Score History displays the scores over the last 5 days, along with their average and the latest score. The Assessment details table displays the latest individual scores for the components of the assessment.

Target recommendations

If a target server has a low score, you can view recommendations for improving it. To view the assessment of a target server, click its row. This displays the recommendation in the Recommendations pane.

Proxy recommendation.

Abuse recommendations

If the abuse score is low, Apigee recommends blocking traffic from IPs where bots have been detected. To do so:

  1. Create security reports that return the following:
  2. Use security software to block requests from IP addresses that are sources of bots.