When interacting with APIs, it is very important to observe certain security practices to avoid having your account compromised. To this end, this document establishes guidelines to be followed when integrating Reloadly's APIs into your product or application. This guide will be helpful to security engineers, solution architects, product managers, and anyone integrating APIs in general, as its directives span different applications and use cases. This guide is divided into three subcategories:
Governance: General principles concerning security - to be known and followed by everyone.
Development Team: Guidelines to be adhered to particularly by the development/integration/engineering team.
Operational: Instructions to be followed by operational/customer-facing teams such as sales, customer success or compliance.
A. Governance
Consider forming an ITSM (IT Security Management) team to formulate IT security policies, assess security vulnerabilities periodically and enforce security policies.
Make IT Security an integral part of your product design and integration processes.
Be aware of the IT security requirements imposed by those parties with whom you integrate.
Before you go live with your product and integrations with others (e.g. Reloadly) review all security measures that you have taken to bullet-proof your software.
Enforce strong security best practices such as 2FA, regular password resets, etc., on your own customers.
Review security vulnerabilities of any third-party software libraries your software might depend on.
B. Development Team
Promote and encourage a strong culture around security in design and code. Security is not an afterthought; it needs to be baked into software design from the get-go.
Ensure that production security credentials like passwords, the ClientID, the ClientSecret, etc. are never checked into version control.
Ensure that your source code is accessible to only those who need to have access to it.
Have your engineering team review code with your ITSM team to certify that all security policies mandated by the organization are fully implemented.
Ensure that sensitive information such as passwords is never stored in databases or files in clear text; it should always be encrypted with strong, industry-standard encryption.
Ensure that developer machines and servers are always patched with the latest security patches appropriate for the operating systems they run.
Be aware of social engineering and other phishing threats.
Ensure, and require of third-party integrators, that traffic is encrypted end to end using the latest SSL/TLS standards.
If you integrate with Reloadly APIs server-side, ensure that your security credentials like the ClientID and ClientSecret are not printed to server logs. Your production servers should be fully secured and locked down against any unauthorized access.
If you integrate with Reloadly APIs via a mobile SDK, ensure that you have robust processes in place to manage the production ClientID and ClientSecret that you package in your mobile apps. Consult the relevant documents and best practices applicable to the platform you are developing for, e.g. iOS or Android.
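As an added example (not Reloadly's own code), here is a Python logging filter that scrubs the ClientID, ClientSecret and bearer tokens from a message before it reaches server logs, alongside a loader that reads the credentials from environment variables instead of source or version control. The RELOADLY_CLIENT_ID and RELOADLY_CLIENT_SECRET variable names and the key spellings in the patterns are assumptions.

```python
import logging
import os
import re

# Patterns for the values this guide says must never appear in logs.
# Group 1 keeps the key/prefix, group 2 is the secret value to replace.
# The key spellings (client_secret, clientId, ...) are assumptions.
_SECRET_PATTERNS = [
    re.compile(r'(?i)(client[_-]?secret["\']?\s*[:=]\s*["\']?)([^\s"\',}]+)'),
    re.compile(r'(?i)(client[_-]?id["\']?\s*[:=]\s*["\']?)([^\s"\',}]+)'),
    re.compile(r'(?i)(bearer\s+)([A-Za-z0-9._\-]+)'),
]

def redact(text: str) -> str:
    """Replace the value part of every matched credential with a fixed marker."""
    for pattern in _SECRET_PATTERNS:
        text = pattern.sub(r'\1[REDACTED]', text)
    return text

class CredentialRedactingFilter(logging.Filter):
    """Scrubs credentials from a record after %-formatting, so args are covered too."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already formatted; prevents a second interpolation
        return True

def scrubbed_message(msg: str, *args) -> str:
    """Run one message through the filter as the logging module would; returns the result."""
    record = logging.LogRecord("reloadly", logging.INFO, __file__, 0, msg, args, None)
    CredentialRedactingFilter().filter(record)
    return record.getMessage()

def load_credentials(env=os.environ) -> dict:
    """Read production credentials from the environment (assumed variable names),
    never from source files; fail loudly if either is missing."""
    creds = {k: env.get(k) for k in ("RELOADLY_CLIENT_ID", "RELOADLY_CLIENT_SECRET")}
    missing = [k for k, v in creds.items() if not v]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return creds

def configure_logger(name: str = "reloadly-client") -> logging.Logger:
    """Attach the filter to a handler so every record passing through it is scrubbed."""
    logger = logging.getLogger(name)
    handler = logging.StreamHandler()
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    return logger
```

Attaching the filter to the handler rather than the logger matters: logger-level filters do not apply to records propagated from child loggers, handler-level filters do.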
Ensure that you create your production Developer Portal user ID using a dedicated company email ID that's registered with your company domain. Don't use email addresses from popular email services like Gmail or Yahoo to create your production user ID in the Reloadly developer portal.
Hand over your Developer Portal production credentials to the right team or authorized person managing IT production systems for your company. You should never share passwords with anyone, not even Reloadly. Change your Developer Portal password for production access regularly, typically every 90 days or less.
Ensure that you set up 2FA on your Developer Portal account. The mobile device used should belong to a designated and authorized individual/team in charge of production systems at your company.
Ensure that the ClientID and ClientSecret you generate in the Developer Portal for your production systems are not accessible to any unauthorized person. If you have reason to believe that your ClientID and ClientSecret have been compromised, rotate them using the Reloadly Developer Portal immediately.
As a best practice, consider rotating your ClientID and ClientSecret every 90 days or less.
Do not share your Bearer Tokens with anyone. If you believe that your Bearer Token has been compromised please notify Reloadly immediately.
For server-side integration, share your production server IP addresses with Reloadly so that Reloadly can whitelist them. Whitelisting your production server IP addresses ensures that Reloadly accepts traffic only from those servers. If your servers are in a public cloud like AWS or GCP, consult your cloud provider on how to ensure stable IP addresses for your production servers. You may also consider routing your traffic through proxy servers with stable IP addresses.
For integration with Reloadly via mobile SDKs, consider adding 2FA (e.g. OTP) to your mobile apps. Don't rely on simple username/password authentication alone.
Reach out to Reloadly for any assistance you might need regarding consuming Reloadly APIs in a secure way.