By Vikas Vijendra, Principal Pre-Sales Solution Architect at Axway
I’d like to explain one of the foundation elements of API platforms – API Sandbox. Most new applications built today to run digital businesses are API-driven, and APIs are an important means of both delivering business products to the market and interacting with business partners in a Customer Experience Network. Therefore, API Portals and self-service API testing become critical to engage and grow API consumers with seamless developer experience.
What is an API Sandbox?
A simple way to describe an API Sandbox is an environment targeted at API consumers (developers and testers) that mimics the characteristics of the production environment to create simulated responses for APIs that reflect real system behavior. A couple examples of companies that use API Sandbox are these successful tech pioneers – Uber and Paypal.
Some key characteristics:
- API Sandbox mirrors the features found on the production API servers.
- It is a platform that allows users and non-users to try/make and view the results of simple API calls in a walled-garden approach.
- While registered users would obviously be the best-case scenario, anyone can use an API Sandbox, as the system itself does not handle significant volumes of private or important information.
- By its very nature, it is closed off from the rest of the API ecosystem.
- API Sandbox allows for a testing environment to be shared publicly with users while the API itself is being concurrently developed (Beta APIs).
Business Case: Why do you need it?
Having seen what an API Sandbox does, let me explain why it is important and how using an API Sandbox reduces risks and costs. There are two key factors that make the case for API Sandbox:
1. Risk mitigation against attacks using an isolated public API Sandbox
Cyber security is a broad topic and given it is not the focus of this blog, I’d like to focus our attention to APIs which are building blocks for digital business. As APIs increasingly expose/unlock important data stored within organizations, API security best practices need to be implemented. One of which is API Sandbox, where isolation of Developer/API Portal from production Runtime API minimizes the risks of attacks. Mind you, it is still important to protect your production runtime APIs with API Firewall and/or AI-based threat protection, as this will become clearer when we look at the architecture later on.
There is no shortage of news on cyber attacks or security breaches in today’s world where organizations (public and private) do business or offer their services online. A simple Google search gives me a lengthy list of attacks ranging from government departments to financial services organizations including an interesting visualization of all the hacks.
I’m just going to list four random attacks over the past year and the impact each have had to get a perspective:
May 2017: NHS UK Wannacry attack
Global Ransomware cyber attack causing major healthcare disruption across UK
Cause: Hacker attack
Impact: 34% of trusts affected including hundreds of primary care and GP practices
Sep 2017: Equifax hack
Equifax breached, up to 143 million SSNs and DOBs stolen, all Americans offered credit monitoring
Cause: Hacker attack
Impact: Biggest breach in history (after Yahoo)
Nov 2017: State Dept. of Maine, USA
Data breach in Maine exposes private information of 2,100 foster parents
Cause: Human Error
Impact: Potential identity/credit fraud
May 2018: Canadian Banks attacked
Customer Data stolen from Bank of Montreal and Simplii Financial
Cause: Hacker attack
Impact: Personal information for nearly 100,000 customers stolen
With the chances and the frequency of these attacks on the rise, data security & protection against threats becomes mandatory.
It is also important to understand that there are a variety of threats companies should guard against – I’ve provided a snapshot of a list of cyberattacks from Wikipedia to illustrate this.
Examples of some of the common types of attacks are:
- Personal/Company confidential information stolen and sold to the highest bidder
- Distributed Denial of Service (DDoS)
- Ransomware where software systems are locked out until a ransom is paid
2. Quick time-to-market with efficient API testing using API Sandbox
The other key factor that makes API Sandbox beneficial is time-to-market through SDLC/API Testing benefits as nicely explained here. I’ll list the two key benefits so not to duplicate:
- Test Failure in a Safe Environment
Development teams can deploy more confidently because everything is fully tested using virtual APIs to simulate a variety of errors.
- Team/Parallel testing
As no one is getting in anyone else’s way using stubs/sandboxes, testing is not a drag on the project timeline.
API Sandbox Architecture
While API Sandbox can be implemented in a number of ways including logical grouping, I’d like to illustrate one of the preferred ways which provides complete isolation of Sandbox and Production environments. In this way, untrusted developers and potential hackers who can target publicly listed API Catalogs do not get access to the production environments as they are isolated and use separate security policies and credentials that are not publicly accessible.
Fully isolated Sandbox
In this architecture, production runtime APIs (eg: https://api.xyz.com endpoint above) are not only isolated, but secured by API firewalls and/or AI-based threat protection systems and utilize highly secure Authentication/Authorization policies like OAuth/Open ID Connect. Having said that, it is quite common for Sandbox API endpoints (eg: https://sandbox.api.xyz.com above) to use simpler or no authentication policies to make it easier to try and hence drive adoption.
API Lifecycle with Sandbox
Having briefly looked at the benefits of using API Sandbox on Agile testing/SDLC, the below process diagram should give a better idea on how it all works. When you review this, there are three points to keep in mind:
- Beta APIs can be published to external clients to test for real-world scenarios.
- Internal API developers and testers can independently test APIs.
- In both scenarios, API testing can be done without any dependency on the back-end service/system.
How do we put this into practice?
OK, if you’ve had enough of theory and want to try this out, Axway API Management platform makes it easy by enabling API mocks within API Builder and Sandbox architecture with isolation using API Portal where you can enable Try It capability for API testing in Sandbox environment.