"The Security Best Practices for Customers Integrating with Reloadly APIs" is a collection of best practices to follow while integrating Reloadly's APIs into your application or software.
Applying specific security protocols is crucial when interacting with APIs, so that your account is not left vulnerable or compromised. To this end, this document establishes guidelines to follow when integrating Reloadly's APIs into your product or application. This guide will be helpful to security engineers, solution architects, product managers, and anyone integrating APIs in general, as its directives span different applications and use cases.
This guide has three subcategories:
- Governance: General principles concerning security - to be known and followed by everyone.
- Development Team: Guidelines to be adhered to, particularly by the development/integration/engineering team.
- Operational: Instructions to be followed by operational/customer-facing teams such as sales, customer success, or compliance.
A. Governance
- Consider forming an ITSM (IT Security Management) team to formulate IT security policies, assess security vulnerabilities periodically, and enforce security policies.
- Make IT Security an integral part of your product design and integration processes.
- Be aware of the IT security requirements imposed by the parties you integrate with.
- Before you go live with your product and integrations with others (e.g., Reloadly), review all security measures you have taken to bulletproof your software.
- Enforce strong security best practices, such as 2FA, regular password resets, etc., on your customers. This practice will be mandatory for all users of the Reloadly Portal as of 13 March 2023.
- Review security vulnerabilities of any third-party software libraries your software might depend on.
B. Development Team
- Promote and encourage a strong culture around security in design and code. Security is not an afterthought; it needs to be baked into software design.
- Ensure that production security credentials like passwords, client ID, client secret, etc., are never checked into version control.
- Ensure that your source code is accessible to only those who need to have access to it.
- Have your engineering team review the code with your ITSM team to certify that all security policies mandated by the organization are fully implemented.
- Ensure that sensitive information, such as passwords, is never stored in databases or files in clear text; it should always be encrypted with strong, industry-standard encryption.
- Ensure that developer machines and servers are always patched with the latest security patches appropriate for their operating systems.
- Be aware of social engineering and other phishing threats.
- Ensure and demand from third-party integrators that end-to-end encryption via the latest standards of SSL/TLS is used.
- If you integrate with Reloadly APIs server-side, ensure that your security credentials, such as the ClientID and ClientSecret, are never printed to server logs. Your production servers should be fully secured and locked down against unauthorized access.
- If you integrate with Reloadly APIs via SDK, ensure that you have robust processes in place to manage the production clientID and clientSecret that you package in your mobile apps. Consult the relevant documents and best practices applicable to the platform you are developing for, e.g., iOS and Android.
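As an added illustration of the logging point above (example code, not Reloadly's own): a Python logging filter that masks clientId, clientSecret and Bearer token values before a record reaches any handler. The field-name patterns are assumptions about how those values might appear in log text, not Reloadly's actual API format.

```python
import logging
import re

# Assumed textual forms of the credentials the guide names: JSON or form-encoded
# clientId / clientSecret fields and "Bearer <token>" authorization headers.
_SECRET_PATTERNS = [
    # clientId=..., "clientSecret": "...", client_secret=... (case-insensitive)
    re.compile(r"""(?i)(client[_-]?(?:id|secret)["']?\s*[:=]\s*["']?)([^"'&\s,}]+)"""),
    # Authorization: Bearer eyJ...
    re.compile(r"(?i)(bearer\s+)([A-Za-z0-9\-._~+/]+=*)"),
]

MASK = "[REDACTED]"


def redact(text: str) -> str:
    """Replace every credential value found in text with a fixed mask."""
    for pattern in _SECRET_PATTERNS:
        text = pattern.sub(r"\1" + MASK, text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Redacts the fully formatted message so values passed via %-args are caught."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted; avoid a second % pass
        return True


def render(msg: str, *args) -> str:
    """Build a LogRecord, run it through the filter, and return the final text."""
    record = logging.LogRecord("reloadly.client", logging.INFO, __file__, 0, msg, args, None)
    SecretRedactingFilter().filter(record)
    return record.getMessage()


def get_logger(name: str = "reloadly.client") -> logging.Logger:
    """Logger with the redaction filter attached (attach to handlers to cover all loggers)."""
    logger = logging.getLogger(name)
    logger.addFilter(SecretRedactingFilter())
    return logger


if __name__ == "__main__":
    # Constructed sample: the secret value never reaches the handler
    get_logger().warning("token request failed for clientId=%s client_secret=%s", "app1", "AbC123")
```

A filter on a logger only sees records created by that logger, so in a real service attach it to each handler as well.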
C. Operational
- Ensure you create your production Developer Portal user ID using a dedicated company email ID registered with your company domain. Don't use email addresses from popular email services like Gmail or Yahoo to create your production user ID in the Reloadly developer portal.
- Hand over your Developer Portal production credentials to the right team or authorized person managing IT production systems for your company. You should never share passwords privately with anyone, not even Reloadly. Change your Developer Portal password for production access regularly, typically every 90 days or less.
- Ensure that you set up 2FA on your Developer Portal account. The mobile device used should belong to a designated and authorized individual/team in charge of production systems at your company.
- Ensure that the ClientID and ClientSecret you generate in the Developer Portal and use in your production systems are not accessible to any unauthorized person. If you have reason to believe that your ClientID and ClientSecret have been compromised, rotate them in the Reloadly Developer Portal immediately.
- As a best practice, consider rotating your ClientID and ClientSecret every 90 days or less.
- Do not share your Bearer Tokens with anyone. If you believe your Bearer Token has been compromised, please notify Reloadly immediately.
- For server-side integration, share your production server IP addresses with Reloadly so that Reloadly can whitelist them. Whitelisting your production server IP addresses ensures that Reloadly accepts traffic only from those servers. If your servers are in a public cloud such as AWS or GCP, consult your cloud provider on how to ensure stable IP addresses for your production servers. Also consider routing your traffic through proxy servers with stable IP addresses.
- To integrate Reloadly via mobile SDKs, consider adding 2FA, such as OTP, to your mobile apps. Don't rely on simple username/password authentication alone.
- Reach out to Reloadly Support for any assistance regarding securely consuming Reloadly APIs.