42) Most important of all the considerations for organisations providing and consuming APIs is the security measures that are deployed, which must comply with network security best practices. Updates and patches to all systems, particularly security systems, should be performed as soon as safely feasible after such updates and patches have been released. The following sections set out the main risk areas and mitigations for these that, in the opinion of the FSRA, need to be taken into account.
43) As a general rule organisations providing and using APIs should also ensure that all parties that they are engaging with:
• Use access tokens to establish trusted identities and control access to the services and resources.
• Encryption and signatures are employed as standard.
• Quotas and throttling are in place that determine how often APIs can be called. For example, more calls on an API may indicate that there is a Denial-of-Service attack. Or it could also be a programming mistake such as calling the API in an endless loop.
• API traffic is enforced using an API gateway that allows authentication as well as control.
44) For more detailed technology standards that should be employed please see Appendix B.