(Template) IBM APIc RFP

This document outlines criteria for evaluating API management solutions, including vendor experience, deployment options, API/microservices creation capabilities, and developer experience. It includes 38 requirements across 10 sections related to these topics, such as vendor size and support, flexible deployment architectures, out-of-the-box integration with common systems, model-driven API design, and continuous integration/delivery capabilities. The goal is to comprehensively assess solutions' features and support for the full API lifecycle from a development, operations, and business perspective.

Uploaded by Preeti S
RFP Criteria for Choosing an API Management Solution

These are suggested RFP criteria to consider when selecting an API management vendor
Sections
Section A. Vendor Experience
Section B. Deployment, Architecture & Administration
Section C. API/Microservices Creation & Deployment
Section D. API Security, Traffic Management & Mediation (API Gateway)
Section E. API Management & Analytics
Section F. API Socialization (Developer Portal)
Section G. Security
Section H. Training and Support
Section I. Industry Experience

Section A. Vendor Experience

Req. id  Requirement
A1  How long has your corporation been in business?
A2  How long has your corporation been selling and supporting your APIm product?
A3  Does your corporation have global reach? How many offices do you have around the world?
A4  How many customers do you have worldwide?
A5  How many APIm customers do you have worldwide?
A6  If any components of your APIm solution can be sold separately, how many customers do you have worldwide for these components?
A7  Explain how APIm fits into your hybrid cloud integration strategy
A8  What were your corporation's annual revenues in the last 3 years?
A9  What were your corporation's APIm annual revenues in the last 3 years? If your corporate policy does not allow you to provide this piece of information, is there an independent study/analysis that shows or gives us an idea of your APIm worldwide market share?
A10  What is your corporation's total R&D budget and APIm-specific R&D budget?
A11  Please describe how your organization has innovated or led in domain areas. Please provide examples of each
A12  How many customers use your API offering? Please break down by industry
A13  Please describe the roadmap for your API & Integration offerings
A14  Is your APIm solution ranked by any analysts? If so, please enumerate analysts and rankings
A15  Please describe how your offering integrates with ESB-style or other integration technologies using open standards and automation
A16  Does your organization provide complementary integration technologies that fit into the API management offering?
A17  Please describe your organization's experience of integrating systems, providing examples in our industry if possible
A18  Please provide references for your APIm offering
Section B. Deployment, Architecture & Administration

Req. id  Requirement
B1  Do you offer SaaS and on-premise versions of your APIm offering?
B2  Does your solution provide flexible deployment options across public and on-premise environments?
B3  Does the solution provide ease of deployment & management for all components?
B4  Does your SaaS APIm offering run on your own IaaS?
B5  How many actual data centers around the world does your SaaS offering run on?
B6  Does your SaaS and on-premise APIm solution support multiple languages, e.g. English, Spanish, Chinese, etc.?
B7  Does your solution provide the same functionality and user experience across different deployment options, e.g. SaaS multi-tenant, SaaS single-tenant, on-premise, etc.? If not, please explain what functionality is not offered on one vs. the other
B8  Does your solution include a console to manage and monitor all infrastructure components, i.e. gateway servers, management servers, load balancers, etc., of your APIm solution?
B9  Does your solution support environment promotion? Please explain how. Can promotion to specific environments (e.g. Production) be scripted and limited to specific roles?
B10  How does your SaaS APIm solution integrate with cloud environments like IBM Bluemix, AWS, and Google?
B11  Can a single installation and instantiation of your APIm solution support multi-tenancy?
B12  Please describe the availability and resilience characteristics of the offering and any SLAs associated with it
B13  Please describe how high availability & disaster recovery can be achieved
B14  How does your offering scale to meet increasing demand, both horizontally and vertically, for both on-premise and cloud?
B15  Please provide a logical overview diagram of the components required to make up your offering, both for cloud and on-premise deployments
B16  Please provide an architectural diagram that shows how a highly available solution could be built on-premise
B17  Please demonstrate how individual components of your solution can be scaled in order to cope with demand, both on-premise and cloud
B18  Please provide an anonymized architecture diagram of a real customer in production with your offering. Please provide a cloud and an on-premise version
B19  Please describe the ability of the solution to be monitored by external enterprise tooling, listing any enterprise tooling that works directly with your offering. Also include what metrics and information can be monitored
B20  Please describe what tooling is available for administrators and operators to interact with and control the deployed environments, for both cloud and on-premise
B21  Can the deployments of code, infrastructure and configuration be automated to ensure rapid delivery of a solution, either on cloud or on-premise?
B22  Please describe how maintenance, patches, fixes and upgrades are applied to the offering
B23  Does your offering support integration with any messaging technologies such as AMQP, MQ, Kafka, etc.?
Section C. API/Microservices Creation & Deployment

Req. id  Requirement
C1  Does your APIm offering support model-driven API creation?
C2  Does your solution support out-of-the-box connectors to other systems?
C3  Does your solution support the automatic creation of APIs and their implementations via out-of-the-box connectors to backend systems or data stores? Please describe how and also list the backend systems or data stores
C4  Does your APIm offering have built-in capabilities for creating and running microservices? Please explain
C5  What languages does your solution support for the creation and running of microservices, e.g. Java, Node.js, etc.?
C6  Does your APIm solution include a supported and managed execution environment to run microservices, e.g. a managed cluster of servers or nodes?
C7  Can your APIm solution automatically make APIs and Node.js applications available on cloud platforms, such as IBM Bluemix/AWS/Google Cloud, for consumption?
C8  Does your solution include developer desktop/laptop tooling to create APIs, Node.js applications, and policy flows and to easily deploy them to a managed local or cloud environment?
C9  Does your solution include SaaS tooling to create APIs, Node.js applications, and policy flows and to easily deploy them to a managed environment?
C10  Does your desktop/laptop tooling to create APIs, Node.js applications, and policy flows offer the same functionality as its SaaS counterpart? If not, please describe the differences
C11  Does your solution use any framework built on top of Express?
C12  How does your offering integrate into a continuous development, testing and deployment environment?
C13  Please describe the different options for developing APIs
C14  Please describe the markup languages that are used for API development and how they are edited
C15  Is role-based access enforced on developers?
C16  Please describe how mock APIs and prototyping are supported
C17  Does your API tooling allow the developer to model data?
C18  Can developers enforce schema validation?
C19  What security policies can developers enforce on their APIs?
C20  Can developers create transformation, routing and orchestration logic inside their API definitions?
C21  Does the developer experience change if they are developing for the cloud versus developing for an on-premise solution?
C22  Can a developer work with XML & JSON as part of an API build?
C23  What are the primary languages that an API developer needs to know in order to build an API?
C24  Can a developer expose a REST API from a SOAP web service?
C25  Can a SOAP web service be exposed from a REST API?
C26  Can a developer publish to cloud environments and on-premise environments from the same IDE?
C27  Can developers pull API definitions from any environment that has published APIs?
C28  Can developers build multi-step proxy calls out to multiple back-end services and present this as one API?
C29  Can developers create policies for individual operations on an API?
C30  What level of error handling can an API developer add to an API definition?
C31  Can a developer provide additional documentation such as descriptions, contact info and terms of service?
C32  Can developers control the visibility of an API when it is published?
C33  Do your development tools use any open source products or packages?
C34  Does your development tooling require licensing? If so, how?
C35  Does your developer tooling provide any testing capabilities?
C36  How can your development artifacts be plugged into testing tools?
C37  Does your developer tooling enable auto-generation of APIs on top of back-end systems or databases?
C38  Does your developer tooling make use of a widely used framework or package in order to build APIs?
Section D. API Security, Traffic Management & Mediation (API Gateway)

Req. id  Requirement
D1  Does the solution provide a secure, purpose-built gateway? Please explain
D2  Can your API Gateway execute customer's Java code? Please explain
D3  What form factors do you support for your API Gateway?
D4  Does your API Gateway come in a hardware appliance form factor? Please explain
D5  Does your API Gateway support cryptography acceleration in its physical appliance form factor, for TLS offload among other uses?
D6  Does your API Gateway require a database?
D7  Is your API Gateway UI browser-based, or does it require a fat client to be installed on a developer desktop/laptop?
D8  Can your API Gateway be used outside the context of your APIm solution? Can your API Gateway be used separately from your APIm solution?
D9  Does your API Gateway support XML, SOAP and WS-* related standards natively?
D10  What other types of workload does your API Gateway support besides SOAP and REST?
D11  How does your API Gateway support Node.js? Please explain
D12  What kind of rate limiting and quota enforcement features are provided by your API Gateway?
D13  Does your API Gateway have any built-in capabilities for self-balancing across a cluster of gateways and intelligent load balancing to the backend API provider layer?
D14  What security protocols and standards does your API Gateway support?
D15  Does your API Gateway provide built-in support for schema validation?
D16  Does your API Gateway provide built-in support for message digital signatures & encryption?
D17  Does your API Gateway provide built-in security token translation?
D18  Can your API Gateway generate and validate JWTs?
D19  Can your API Gateway generate LTPA tokens?
D20  Does your API Gateway support a FIPS 140-2 Level 3 certified Hardware Security Module (HSM)? Does it support a networked HSM?
D21  Does your API Gateway natively support other transport or messaging protocols besides HTTP, e.g. MQ?
D22  Does your API Gateway support wire-speed, native JSON and XML processing?
D23  Does your API Gateway support transport protocol bridging, e.g. from HTTP/SOAP to MQ?
D24  Does your API Gateway support JSON to XML, XML to JSON and Any2Any message transformation without any coding or extension?
D25  Can your API Gateway convert between SOAP and REST without writing code or providing extensions?
D26  Does your API Gateway provide database & mainframe connectivity?
D27  How is your gateway extended in functionality?
D28  Please provide any security accreditations your gateway meets
D29  Please describe how your gateway can be monitored
D30  Please describe the networking capability of the gateway device
D31  Please describe the upgrade process for your gateway, including the impact on the production runtime
D32  What level of operating system patching is required in order to keep the gateway secure?
D33  Please provide a list of customers that use your gateway offering
D34  What operating system does your gateway sit on?
D35  Does your API Gateway support routing and orchestration?
D36  Can your API Gateway be configured to be an OAuth provider?
D37  Can your API Gateway use XSLT to do transformation?
D38  Does your API Gateway have a graphical mapper?
D39  Can your gateway redact fields in message payloads on input and output?
D40  What level of error handling is available on the gateway?
D41  Is your gateway able to apply different activities or policies to each individual API and to each operation on that API, i.e. POST, GET, etc.?
D42  Does your gateway support POST, GET, DELETE, HEAD, PATCH & OPTIONS?
D43  Can your gateway control, manage and shape API traffic? Please describe the policies that can be applied
D44  How is API traffic reported from the gateway?
D45  Can multiple provider channels be exposed from the same gateway with complete segregation, i.e. internal APIs and external APIs running through the same gateway in isolation?
D46  Does your gateway support response caching?
Section E. API Management & Analytics

Req. id  Requirement
E1  What REST API description languages does your solution support? And what REST API description language do you support internally in your runtime?
E2  Please describe your support for OpenAPI, i.e. Swagger. Does your corporation belong to the "OpenAPI Initiative", i.e. www.openapis.org?
E3  Do you support the creation of REST and SOAP APIs?
E4  Does your APIm solution have any out-of-the-box (OOTB) integration points to automatically manage APIs from other products?
E5  Does your APIm solution support built-in browser-based visual/graphical message mapping?
E6  Does your APIm solution support an external IDE to do visual/graphical message mapping that you can then deploy to the runtime environment?
E7  Please describe the API management lifecycle, versioning, governance & control. Does your platform support an API lifecycle beyond API naming conventions? Please explain
E8  Does your solution include logging capabilities? Please explain
E9  Does your solution include monitoring and alerting capabilities? Please explain
E10  Does your solution support out-of-the-box policies for traffic quota and throttling?
E11  Does your APIm solution include API analytics? If so, please describe what API metrics are captured for analytics
E12  What components of your solution, besides the API gateway, participate in the API analytics collection process? Would the analytics collection process be affected if any of these components experience an outage? Please elaborate
E13  Does your APIm solution support syndication?
E14  Please describe how an API is published from an internal endpoint to an external endpoint
E15  Please describe the process for discovering services and APIs that are to be published on your offering
E16  Please describe how policies are applied to APIs
E17  Can APIs be extended from their original endpoints to include new functionality or data?
E18  Please describe how different environments such as Dev, Test, Staging and Production can be deployed, keeping APIs in isolation from each other
E19  Please describe how your API manager communicates with the other components of your solution, such as the API Gateway, Developer Portal, etc.
E20  Please describe how developer communities are managed
E21  Please describe the role-based access for management of the APIs
E22  Please describe the API build chain and how this can be automated
E23  Please describe how templates from other API definitions can be used to create new APIs sharing common functions and operations
E24  Please describe how APIs are version controlled at development time
E25  Please describe the interaction with user registries for API management
E26  Please describe the logical hierarchy of how APIs are deployed and the benefits your offering gains from doing it in this way
E27  Can your offering enforce approvals on users when moving through the API lifecycle?
E28  Can the visibility of APIs be controlled? Please give examples
E29  Can the same APIs be deployed to both internal users and external users but behave differently based on context?
E30  Can APIs be grouped in a way that allows them to be consumable by specific audiences?
E31  Please describe your product's ability to report data on your offering's usage, including screenshots
E32  Does your offering provide customizable dashboards that are consumed through role-based access?
E33  Can your dashboards be presented outside of the offering for consumption by non-technical users?
E34  Please list the data points that are collected for each API call
E35  Can trends of usage be analyzed over time using the tooling?
E36  Can data collected be exported and consumed by other tooling?
E37  Is data available in JSON or CSV formats?
E38  Is the data collected from the API usage asynchronously to prevent any performance impact on the runtime?
E39  Can errors and failures be reported in the analytics?
E40  Are there maps available in the dashboards for detailing the geo-location of API calls?
E41  Can API call performance be reported in the tooling?
E42  Can payload data be captured and used for reporting?
Section F. API Socialization (Developer Portal)

Req. id  Requirement
F1  Does your Developer Portal include built-in social capabilities, such as forums, blogs, API ranking, API comments, etc.?
F2  Does your Developer Portal leverage any Content Management System?
F3  Do you offer self-service to provision your SaaS Developer Portal? If not, what is the process to provision a SaaS Developer Portal and how long does it take for it to come online?
F4  Does your Developer Portal include an easy-to-use test harness for app developers to try and test APIs?
F5  Does your Developer Portal provide self-service API testing capabilities? Please explain
F6  Does your Developer Portal provide sample code to invoke an API from different platforms, e.g. Swift, Java, Node, Python, Ruby, PHP, cURL, Go, etc., that can be easily copied and pasted?
F7  Does your Developer Portal include capabilities to create support tickets and access FAQs?
F8  Is your Developer Portal customizable? Can the Developer Portal be customized to the look, feel and style of our branding? Please explain
F9  Does your Developer Portal allow for self-service app and client secret registration?
F10  Does your Developer Portal allow for the masking of the client id and secret when generated by the system?
F11  Please describe what information is available to subscribing developers when they visit the Developer Portal
F12  Does each developer or developer organization get usage information for the APIs they have subscribed to?
F13  Describe the on-boarding process for new developers wanting to subscribe to APIs
F14  Is the user registration form customizable?
F15  Does your Developer Portal provide the ability to stop developers from using the APIs after they have subscribed?
F16  Can different developer portals be created for specific audiences? If so, how is this done?
F17  What is the method of communication used to interact with the developers who have signed up to your Developer Portal?
F18  Can additional content be added to your Developer Portal above and beyond API documentation?
F19  Please provide public examples of developer portals that are using your offering
F20  Can the visibility of specific APIs be controlled by who has signed up to the Developer Portal?
F21  Does your Developer Portal have OAuth testing tools which enable the complete testing of APIs that are secured with all of the OAuth flows?
F22  Is there an active community of modules or plugins that can be added to the Developer Portal?
F23  Please describe how your Developer Portal can be extended using open technologies
F24  Can control of your Developer Portal be driven via REST APIs?
F25  Please describe the upgrade process for your Developer Portal and the impact it has on the production runtime
Section G. Security

Req. id  Requirement
G1  Does your APIm solution include security capabilities to manage users, roles, TLS profiles, and user registries? Please explain
G2  What security roles does your APIm solution include out-of-the-box?
G3  What types of external user registries does your APIm solution support?
G4  Does your APIm solution include capabilities to manage developer organizations, applications and subscriptions? Can it also manage developer organizations from cloud providers, such as IBM Bluemix, AWS, or Google? Please explain
G5  Does your Developer Portal provide any 3rd-party authentication mechanism?
G6  Can your Developer Portal use an externally controlled user registry such as LDAP?
G7  Does your Developer Portal have new user creation self-service capabilities?
G8  Does your Developer Portal support CAPTCHA for self-service new user creation as well as API comments?
G9  Does your Developer Portal include invalid password lockout?
G10  Is your API Gateway DMZ-ready out-of-the-box?
G11  Does your API Gateway support FIPS 140-2 Level 3 and Common Criteria EAL4?
G12  Does your API Gateway support out-of-the-box integration with third-party user access management systems, such as IBM Security Access Manager, CA SiteMinder, etc.?
G13  Does your solution come with built-in OAuth token support & a token management system? Or does it require a third-party solution for this? If a third-party OAuth provider is needed, what OAuth provider solutions do you support?
G14  For cloud-based hosting, please describe the connectivity options to ensure secure communication and the types of customers who trust this connectivity, using real examples
G15  Please describe how your offering would address the OWASP Top 10 threats
G16  Please describe the token mechanisms your offering supports
G17  What authorization and authentication mechanisms does your offering support on an API level?
G18  How does your offering secure payloads and channels?
G19  Please provide a list of supported security standards
G20  Please describe how granularly your system access can be defined
G21  Please provide the level of control and visibility users can be granted
G22  Please list all recent vulnerabilities that your offering had to be patched for to become secure, e.g. Heartbleed, OpenSSL, ShellShock, Data Loss, DROWN
G23  Please highlight other security features that come with your offering that would be of benefit to us
G24  Please provide a list of all security accreditations for your offering
G25  Does the offering support HTTP/S?
G26  Please describe how policies are created
G27  Please describe how policies are enforced
G28  Please describe the security mediation features of your offering
G29  Please describe how the interaction between developers and the published APIs is secured
G30  Please describe how you ensure platform security on your cloud offering
G31  Does your offering supply any OAuth testing tools?
G32  Can a developer create an OAuth provider endpoint?
Section H. Training and Support

Req. id  Requirement
H1  Please describe the support model your organization provides
H2  Please provide SLAs for any cloud environments
H3  Please provide a link to user communities for your offering
H4  Please provide a link to the public documentation for your offering
H5  Please provide public links to reference architecture that is relevant to your offering
H6  Please provide links to any freely available tutorials for your offering
H7  Please provide details of the free training that your organization provides for your offering
H8  Please provide details on the professional services you offer in order to implement an APIm solution
Section I. Industry Experience

Req. id  Requirement
I1  Please describe your company's vision for API usage in my industry
I2  Please describe your company's experience in supporting my industry outside the API management domain
Requirement Description (Section A. Vendor Experience)

A1  We would like to know your corporation's trajectory in the industry
A2  We would like to know your corporation's trajectory in this market segment
A3  We would like to understand your global reach
A4  We would like to know about your global customer base in the industry
A5  We would like to know about your global APIm customer base
A6  We would like to understand the success of your APIm solution as a whole and of its parts
A7  We would like to understand your company's point of view on how APIm fits into end-to-end hybrid integration
A8  We would like to know your financial success in the market
A9  We would like to know your APIm-specific success in the market
A10  We would like to know how much you're investing in all your products and in your APIm-specific product
A11  We would like to know your company's leadership in the API management field
A12  We would like to know your company's leadership in the API management field
A13  We want to understand how you plan to mature your offerings
A14  We would like to know how analysts view your APIm solution
A15  We would like to know how your APIm offering coexists in heterogeneous environments
A16  We would like to know if your APIm solution includes other integration technologies, such as an ESB, messaging, SaaS connectivity, etc.
A17  We would like to know your expertise in integration
A18  We would like to know your expertise in integration

Requirement Description (Section B. Deployment, Architecture & Administration)

B1  We would like to know if your APIm solution is available in SaaS and/or on-premise
B2  We would like to know if your APIm solution runs anywhere, with offerings for on-premise and as a vendor-managed cloud service. For example:
- Vendor-managed, multi-tenant, public cloud hosted offering
- Vendor-managed, single-tenant, public cloud hosted offering
- Vendor-managed, private cloud hosted offering
- Client-managed, on-premise or 3rd party cloud offering
B3  We would like to understand how the components of your solution are deployed. Is your solution made up of separately installable components? Or is the entire solution just a single image or software install? Does your solution require the pre-installation of any specific OS patch, database, JRE, web server, etc.?
B4  We would like to know if you have your own IaaS or leverage a third party, such as Amazon or Google
B5  We would like to know if your SaaS APIm offering runs on multiple data centers around the world
B6  We would like to know if your APIm solution supports many spoken languages
B7  We would like to know to what extent the different versions of your APIm solution differ. Please elaborate on the differences
B8  We would like to know your capabilities to manage and monitor all of the components of your APIm solution from a single console
B9  We would like to know how your solution handles promoting assets across environments, e.g. from dev to test, from test to QA, from QA to prod
B10  We would like to know all the ways your APIm solution integrates with cloud environments
B11  We would like to know if an instance of your APIm solution can support multiple organizations, such as Marketing, Accounting, Finance, IT, etc. In addition, we would like to know how various independent environments such as dev, test, uat, oat, staging, pre-prod, production can be hosted within your offering
B12  We would like to know your solution's HA and SLA features
B13  We would like to know your solution's HA and DR capabilities
B14  We would like to know how your solution handles scalability
B15  We would like to understand the differences between your cloud and on-premise deployments
B16  We would like to understand your HA configurations
B17  We would like to know how your solution handles scalability
B18  We would like to get an idea of your solution's production deployment and architecture
B19  We would like to know if your solution can be integrated with third-party monitoring solutions
B20  We would like to know your solution's administration and monitoring capabilities
B21  We would like to know if it's possible to script your solution's capabilities/operations/functions/tasks
B22  We would like to know how your solution is patched and upgraded
B23  We would like to know if your solution supports integration with messaging solutions

Requirement Description (Section C. API/Microservices Creation & Deployment)

C1  We would like to know if your solution supports the concept of models to support the automatic creation of REST APIs
C2  We would like to know if your solution provides out-of-the-box connectors to systems like databases, WSDL services, Salesforce, etc.
C3  We would like to know if your solution offers any out-of-the-box connectors to systems like databases, WSDL services, Salesforce, etc. that aid in the automatic creation of APIs and their underlying implementations to support connectivity to these systems
C4  We would like to know if your solution has any capabilities for the creation and execution of microservices
C5  We would like to know what languages your solution supports for microservices
C6  We would like to know if your solution includes a supported runtime platform for the execution of microservices
C7  We would like to know if your solution supports the publication of APIs and/or microservices to cloud platforms, such as IBM Bluemix, AWS, Google Cloud, etc.
C8  We would like to know if your solution includes desktop/laptop tooling for the creation of APIs, Node.js applications, and policy flows
C9  We would like to know if you offer any SaaS tooling for the creation of APIs, Node.js applications and policy flows
C10  We would like to know if the tooling (not your entire APIm solution) you offer for developers' desktops/laptops offers the same functionality as your equivalent SaaS tooling
C11  We would like to know what Express-based frameworks your solution uses, if any
C12  We would like to know how your solution integrates with CI/CD solutions
C13  We would like to understand the ways your solution supports the development of APIs
C14  We would like to know what markup languages your solution supports
C15  We would like to understand if your solution supports Access Control Lists (ACLs)
C16  We would like to know whether or not your solution supports the mocking of APIs
C17  We would like to know the different ways your solution allows the modeling of data
C18  We would like to know the different ways your solution allows for schema validation
C19  We would like to know all API security-related policies your solution
C20  We would like to understand your solution's capabilities to create and develop policy flows
C21  We would like to know the differences between your cloud and on-premise developer experience
C22  We would like to know if your solution supports XML and JSON for API development
C23  We would like to know what language(s) your solution supports for API development
C24  We would like to know if your solution is capable of exposing a backend SOAP web service as a REST API
C25  We would like to know if your solution is capable of exposing a backend REST API as a SOAP web service
C26  We would like to know if your IDE allows for deployment to either cloud and/or on-premise environments
C27  We would like to understand the ways your solution can consume APIs already exposed by other systems
C28  We would like to understand your solution's capabilities to create and develop policy flows
C29  We would like to understand the granularity of policy application of your solution
C30  We would like to understand your error handling capabilities, e.g. error handling policies
C31  We would like to know what other documentation your tooling allows a developer to specify for APIs
C32  We would like to understand your solution's API publication capabilities
C33  We would like to know your dependency on open source software
C34  We would like to know if we need to purchase your development tooling separately
C35  We would like to know your testing capabilities and support for third-party testing solutions
C36  We would like to know your testing capabilities and support for third-party testing solutions
C37  We would like to know if your solution allows for automatic creation of APIs
C38  We would like to know if your solution supports frameworks/packages to build APIs

n (API Gateway)
Requirement Description
We would like to understand your API Gateway's internal design to understand how it can perform, scale and protect against vulnerabilities. Does it use a non-blocking, event-driven I/O architecture? Is it protected against Java vulnerabilities? Does it provide high-speed and native processing of JSON and XML payloads? Is your API Gateway optimized to its underlying hardware? Does it come with an embedded operating system and optimized application layer? Is its image signed and encrypted?
We would like to know if it's possible to upload Java code to your API Gateway and have it execute it. If so, what measures does your solution provide to prevent the Java code from causing harm to the API Gateway?
We would like to know what different deployment options your API Gateway supports, e.g. Docker, software, virtual machine, physical appliance, etc.
We would like to know if your API Gateway comes in an appliance form factor but, most importantly, if it's a purpose-built network appliance or a commodity server
We would like to know if your API Gateway physical form factor includes hardware cryptographic acceleration
Most API Gateways collect metrics for API reporting and analytics and store them in a database. We would like to know if your API Gateway needs a database.
We would like to know the way a user interfaces with your API Gateway
We would like to know if your API Gateway can handle non-API traffic and if it can be used as a gateway for other workloads
We would like to know if your API Gateway can handle XML and SOAP-related standards, including WS-*, natively
We would like to know the breadth of workloads supported by your API Gateway
We would like to know if and how your API Gateway supports Node.js
We would like to understand the rate limiting and quota enforcement capabilities provided by the API Gateway
We would like to know if your API Gateway has any out-of-the-box capabilities for load balancing and intelligent workload distribution which allow elimination of external load balancer hops to simplify the architecture
We would like to know all security protocols, standards and features of your API Gateway. Does it support both modern security standards including OAuth, JWT, OpenID Connect and traditional ones including SAML, Kerberos/SPNEGO, LTPA?
We would like to know all security protocols, standards and features of your API Gateway. Does it support both modern security standards including OAuth, JWT, OpenID Connect and traditional ones including SAML, Kerberos/SPNEGO, LTPA?
We would like to know all security protocols, standards and features of your API Gateway. Does it support both modern security standards including OAuth, JWT, OpenID Connect and traditional ones including SAML, Kerberos/SPNEGO, LTPA?
We would like to know all security protocols, standards and features of your API Gateway. Does it support both modern security standards including OAuth, JWT, OpenID Connect and traditional ones including SAML, Kerberos/SPNEGO, LTPA?
We would like to know all security protocols, standards and features of your API Gateway. Does it support both modern security standards including OAuth, JWT, OpenID Connect and traditional ones including SAML, Kerberos/SPNEGO, LTPA?
We would like to know all security protocols, standards and features of your API Gateway. Does it support both modern security standards including OAuth, JWT, OpenID Connect and traditional ones including SAML, Kerberos/SPNEGO, LTPA?
We would like to know if your API Gateway supports an on-board or networked HSM
We would like to know if your API Gateway natively supports transport protocols besides HTTP, i.e. without using a bridge or connector
We would like to know if your API Gateway supports JSON and XML processing natively through purpose-built, high-speed parsers and compilers
We would like to know if your API Gateway can do bridging across many different protocols
We would like to know if your API Gateway has built-in message transformation capabilities
We would like to know if your API Gateway has built-in protocol transformation capabilities
We would like to know if your API Gateway can access information in database and mainframe systems
We would like to know all the ways the functionality of your API Gateway can be extended
We would like to know all the security certifications your API Gateway has
We would like to know all the ways your API Gateway can be monitored
We would like to know all the networking features of your API Gateway
We would like to know how your API Gateway is upgraded and whether or not it requires an outage
We would like to know the patching needed to protect the operating system in your API Gateway
We would like to know representative customers using your API Gateway, preferably in our industry
We would like to know the operating system(s) your API Gateway can run on
We would like to know whether or not your API Gateway supports routing and orchestration flows
We would like to know whether or not your API Gateway can be an OAuth provider
We would like to know if your API Gateway supports XSLT for message transformation
We would like to know if your API Gateway has a built-in graphical mapper
We would like to know if your API Gateway offers the capability to modify input and output message payloads
We would like to know about all the error handling capabilities of your API Gateway
We would like to know if your API Gateway is capable of assigning a specific policy to a single API operation and HTTP method
We would like to know the HTTP methods your API Gateway supports
We would like to know all the ways your API Gateway can shape API traffic
We would like to know the ways API traffic is reported by your API Gateway
We would like to know if your API Gateway has built-in capabilities to be segmented
We would like to know all the ways your API Gateway can cache API responses
Requirement Description
We would like to know all the DLs your solution supports
We would like to know if you support Swagger
We would like to know if your solution supports the creation and management of these two types of APIs
We would like to know all OOTB integration capabilities you have to speed up the management of APIs generated by other products beyond export and import operations
We would like to know if your solution includes message mapping capabilities from your browser-based API management UI
We would like to know if visual/graphical message mapping can be done from an IDE that needs to be installed on the developer's desktop/laptop
We would like to know your capabilities related to API lifecycle beyond using a naming convention for your API names
We would like to know the logging capabilities of your solution. Include any policies as well as logging features in your management node and gateway
We would like to know the monitoring and alerting capabilities of your solution. Include any policies as well as monitoring and alerting features in your management node and gateway
We would like to know the traffic quota and throttling capabilities of your solution. Include any policies as well as any quota and throttling features in your management node and gateway
We would like to know all of the pieces of data that your solution collects for API analytics
We would like to understand your solution's API analytics data collection process
We would like to know if your solution supports a single global catalog across multiple lines of business
We would like to know how your solution can publish an API from an internal to an external endpoint
We would like to know all the ways your solution can discover APIs
We would like to know in detail how a policy is applied to an API
We would like to know how policy flows are supported for APIs
We would like to know how your solution can support multiple environments
We would like to know the interaction among all the components in your solution
We would like to know all the ways your solution manages developer communities
We would like to understand how your solution manages access to APIs
We would like to know how an API is built and whether or not this can be automated
We would like to understand the ways your solution can templatize assets for reuse
We would like to know about the API versioning capabilities of your solution
We would like to know about all the ways your solution can interface with user registries
We would like to understand your solution's API deployment capabilities
We would like to know about the user approval capabilities of your solution
We would like to know all the ways API visibility can be controlled by your solution
We would like to know how the same API can behave differently depending on the user context
We would like to know if your solution provides the capability of grouping APIs in a construct that is targeted to a specific audience
We would like to know the ways your solution reports data
We would like to know how your solution supports customizable dashboards
We would like to know if your dashboards can be shared outside your solution to external users
We would like to know all API metrics collected by your solution
We would like to know if your solution allows for usage trend analysis
We would like to know if metrics data can be exported
We would like to know if metrics data can be exported
We would like to know how your solution collects API metrics without affecting performance
We would like to know if errors and failures are reported in your solution's analytics component
We would like to know the API geo-location capabilities of your solution
We would like to know your solution's reporting capabilities for API call performance
We would like to know your solution's reporting capabilities for payload data
Requirement Description
We would like to know what social capabilities your APIm solution comes with
We would like to know what your underlying Content Management System is, e.g. Drupal, for your Developer Portal, if applicable.
We would like to understand your process to provision a new Developer Portal
We would like to know what API test tools you provide in your solution
We would like to know if your testing capabilities are self-service, or whether they require the installation of separate testing tools outside your solution
We would like to know if your solution includes sample code to invoke API operations
We would like to know your solution's capabilities for problem reporting and resolution
We would like to know the customization capabilities of your Developer Portal
We would like to know your solution's capabilities for self-service app and client registration
We would like to know if your solution can mask (obfuscate) generated client ids and secrets
We would like to know the information your Developer portal offers to app developers
We would like to know the types of API analytics and metrics offered by your Developer portal
We would like to understand your Developer portal self-service on-boarding process for app developers
We would like to know if it is possible to customize the registration form or process in your Developer portal
We would like to understand the mechanisms your solution offers to prevent an app developer from using a previously subscribed API
We would like to know if a single installation of your solution can support multiple Developer portals
We would like to understand the communication methods your solution uses with app developers
We would like to know what different types of content your Developer portal supports
We would like to see public examples of your Developer portal
We would like to understand how API visibility to app developers can be controlled
We would like to know if your Developer portal provides OAuth testing tools that exercise APIs' OAuth security
We would like to learn about all plugins your solution offers for your Developer portal
We would like to know if and how your Developer portal can be extended by open source technologies
We would like to know if your Developer portal has a REST interface and what functionality it covers
We would like to understand the upgrade process for your Developer portal
Requirement Description
We would like to know the extent to which your solution supports the management and administration of security-related items in the platform
We would like to know how many roles your APIm solution supports out-of-the-box and what they are. Also, we would like to know what activities each role is capable of carrying out
We would like to know if your solution supports user registries such as LDAP, SCIM, etc.
We would like to know your solution's management capabilities for dev organizations, applications and subscriptions. In addition, include your capabilities to do the same with dev organizations from third-party cloud providers
We would like to know if your solution provides a 3rd-party authentication solution
We would like to know if your Developer portal supports 3rd-party user registries
We would like to know if a new user can self-register via your Developer Portal
We would like to know if and how CAPTCHA is used by your Developer Portal
We would like to know if a user can be automatically locked out after entering their password incorrectly too many times
We would like to know if your API Gateway can be installed in the DMZ out-of-the-box
We would like to know if your API Gateway (and which form factors) supports these very highly secure standards
We would like to know if your API Gateway has out-of-the-box integration to third-party user access management systems
We would like to know if your solution supports OAuth and to what extent
We would like to know how your solution protects communication between cloud APIs and on-premise services
We would like to know how your solution specifically addresses OWASP Top 10 threats
We would like to know all the ways your solution supports tokens
We would like to know all the ways your solution supports authorization and authentication
We would like to know all the ways your solution secures payloads and channels
We would like to know your solution's supported security standards
We would like to know all the ways your solution supports system access
We would like to know how your solution controls access and visibility to APIs by users
We would like to know about patches that are needed for your solution to be protected from known cyber threats
We would like to know any other security features that you think would be useful to us
We would like to know all security certifications of your solution
We would like to know whether or not your solution supports HTTP/S
We would like to know the details about how policies are authored
We would like to know the details about how policies are enforced in your solution
We would like to know all your security mediation capabilities
We would like to know how your solution secures the API calls app developers make
We would like to know all the security certifications and accreditations of your cloud offering
We would like to know whether or not your solution offers OAuth testing tools
We would like to know if an API developer can create an OAuth provider endpoint
Requirement Description
We would like to know about your support processes
We would like to know your cloud SLAs
We would like to know about user communities for your solution
We would like to know the public location of your documentation on the web
We would like to know any public information about best practices and sample architectures for your solution
We would like to know the public location of your product tutorials on the web
We would like to know if you offer free training for your solution
We would like to know about your company's fee-based services related to your solution
Requirement Description
We would like to know how you envision APIs playing a part in
solutions in the industry
We would like to know that you understand the industry
dynamics, where the industry is headed, and can provide industry
solution perspectives as well as support industry ecosystem
opportunities.
Updated: February 27th, 2017

Rationale
We want to make sure the vendor is solid and will not be acquired or disappear from the market in the long-term
We want to understand the experience of the vendor developing and selling their APIm product
We want to make sure that the vendor will be able to support our offices all around the world
We want to understand the vendor's market leadership worldwide
We want to understand the vendor's market leadership for their APIm solution
We want to understand the vendor's market leadership for the components that are part of their APIm solution
We want to make sure vendor has thought leadership
We want to ensure that vendor has a profitable and successful product in the market as well as growth
We want to ensure that vendor has a profitable and successful APIm product in the market as well as growth
We want to make sure that vendor has healthy R&D investment
We want to ensure that we are acquiring a leading solution in the market place
We want to ensure that we are acquiring a leading solution in the market place
We want to make sure that the vendor's product direction lines up with our current and future needs
Although analyst reports are not the definitive source for selecting an APIm solution, they are a good data point to consider
We want to make sure that the vendor's solution can integrate with the software/IT solutions we already own
We want to clearly understand technologies, beyond APIm, the vendor's solution includes
We want to make sure that vendor has extensive experience in solving integration problems
We want to make sure that vendor has extensive experience in solving integration problems
Rationale
We would like to adopt a hybrid cloud environment where some of our development and deployments can run on-premise and some on cloud. In addition, we may do dev and test on the cloud version of vendor's APIm solution and deploy production on-premise
We would like to adopt a hybrid cloud environment and for that we need a solution that offers a variety of deployment options and that can be run anywhere.
We want to minimize the deployment/installation times so that we can stand up environments fast, thus increasing productivity and speeding time-to-market.
We would like to adopt a single vendor approach from "pane-of-glass to core". It's important to us to shorten our production problem resolution and outage times, and having a single vendor in the support line (instead of many) will help achieve this goal
Having vendor's solution run on multiple data centers around the world improves response times for users located in the same geographies as the data centers
We have offices around the world so it's important for us to provide to our users a solution in their own spoken languages
Since we may leverage a combination of cloud and on-premise APIm versions, we need to know the vendor's differences among all versions (e.g. vendor-managed multi-tenant SaaS, vendor-managed single-tenant SaaS, vendor-managed private cloud hosted, client-managed on-premise, etc.) of their solution
Whether it's the on-premise or SaaS version of the vendor's solution, a single console to manage and monitor all components of the solution would speed up the setup and maintenance of environments
We need to ensure that vendor's solution includes mechanisms to easily migrate assets across environments
If we decide to use cloud providers such as IBM Bluemix, AWS, or Google Cloud, we would like to know how the vendor's solution integrates with them to speed up development and ease-of-use.
We want to minimize the installation, management and monitoring of multiple APIm installations and instantiations
We want to minimize scheduled and unforeseen downtimes and outages
We want to minimize scheduled and unforeseen downtimes and outages
We have high and low peak traffic seasons and need a scalable platform with elasticity
We want a consistent solution capable of running on-premise and cloud
We want to minimize scheduled and unforeseen downtimes and outages
We have high and low peak traffic seasons and need a scalable platform with elasticity
We want to understand the architecture of vendor's real-world deployments
We want to make sure that we can monitor vendor's solution via existing operational and application monitoring systems/tooling
We want to ensure that vendor's solution comes with its own administration and monitoring tooling as well
We want to make sure that vendor's solution operations can be automated via scripts
We want to know how easy it is to patch, fix and upgrade the vendor's solution
We want to ensure that vendor's solution can integrate with the messaging solutions we already own
Rationale
We want to know if vendor uses an underlying technology for the creation of REST APIs that speeds up application development
We want to know if vendor's solution comes with any connectors to backend or SaaS systems
We want to know if vendor's connectors are integrated to their APIm solution and actually speed up application development by automating the creation of APIs and their implementations
Microservice architecture and APIm are very complementary in that an APIm solution can manage the APIs whose implementations are microservices. We want to know if vendor's solution has any run and create capabilities for microservices
Microservices can be implemented using different technologies and languages. We would like a polyglot solution that supports more than a single language for microservices, such as Java and Node.js. Support for more languages would be beneficial.
We don't want to support our own open-source Node.js or Java runtime environments. So, we need a vendor solution that includes a supported runtime platform for microservices
We use different cloud platforms and would like a vendor solution that supports the publication of APIs and/or Node.js applications directly to different cloud platforms. This capability would speed up development
This type of tooling is important because it increases developer productivity and can be used off-line
This type of tooling is important because it increases developer productivity
We would like to understand the differences, if any, of the vendor's SaaS and desktop tooling for the creation of APIs, Node.js applications and policy flows
Express-based frameworks, such as LoopBack, speed up development and productivity
We want to ensure that vendor's solution integrates with our CI/CD tooling
We want to make sure that vendor's solution supports systems and interaction APIs
We want to make sure that vendor's solution supports markup languages, such as XML, JSON, etc.
We want to ensure that vendor's solution supports Access Control Lists, and understand how granular they get
We want to ensure that vendor's solution is capable of mocking API calls (the ability to test an API without having to implement its backend service)
We want to make sure that vendor's solution provides the capability and tooling to model data
We want to ensure that vendor's solution provides mechanisms to do schema validation
We want to ensure that API security-related policies cover our needs
We want to make sure that vendor's solution supports the development of interaction APIs
We want to understand how the vendor's cloud and on-premise solutions differ from each other from the developer experience perspective
We want to ensure that XML and JSON are supported for API development
We want to ensure the vendor's solution supports API development languages that we are interested in
We want to make sure vendor's solution can do this type of protocol switching
We want to make sure vendor's solution can do this type of protocol switching
We want to make sure vendor's solution offers deployment flexibility for APIs and their policies
We want to ensure vendor's solution is capable of managing existing APIs exposed by third-party systems
We want to make sure that vendor's solution supports the development of interaction APIs
We want to make sure that vendor's solution supports the application of policies to individual operations of an API
We want to ensure vendor's solution provides built-in error handling capabilities
We want to make sure vendor's solution offers rich API documentation features
We want to make sure that we can publish APIs without making them visible to app developers
We want to understand vendor's solution's level of adoption of and dependency on open source software
We want to know if vendor's solution development tooling is sold separately
We want to ensure vendor's solution provides a testing harness and can integrate with third-party testing tools
We want to ensure vendor's solution provides a testing harness and can integrate with third-party testing tools
We want to ensure that vendor's solution supports some level of automatic API creation
We want to know if vendor's solution supports an API creation framework to accelerate developer productivity
Rationale
We want to make sure the vendor's API Gateway design and
implementation enables it to be scalable and have high-
performance while being secure

We want to make sure the vendor's API Gateway is not vulnerable


to potential Java security weaknesses

We want to ensure that API Gateway supports many form factors


that will give us flexibility in our deployments as well as cost
savings and speed to stand up new environments
An appliance form factor will give us higher security as well as
performance so it is of high interest to us

We want to know if vendor's physical API Gateway has hardware


to improve performance for encryption, signature and other
cryptographic operations including TLS offload. This will allow the
API Gateway to handle more API calls per second than a gateway
without these hardware features
We would like to know if we need to purchase a database
separately to run your API Gateway. Also, if we already own a
database, we would like to know if you support it
Some API vendors require the installation of a fat client on the
developer's desktop/laptop to interface with their API Gateway. A
browser-based UI does not require any installation on the
developer's desktop/laptop.

We want to make sure your gateway can be used for other


purposes beyond APIm so that we can also leverage it as a generic
gateway to optimize its utilization and reduce cost
We want to expose existing Systems of Records utilizing XML,
SOAP & WS-* standards as API to consumers
We want to know if vendor's API Gateway can handle workloads
besides SOAP and REST for cases where we may need such
functionality
We want to know all the ways the vendor's API Gateway supports
Node.js and whether or not it runs Node.js in situ
We want to provided differentiated levels of service to consumers
and protect our backend systems from overloading by utilzing rate
limiting and quote enforcement capabilites
We want to know if vendor's API Gateway is capable of doing load
balancing and can coordinate workload assignment with a backend
application server. This can lead to savings, optimized use of
resources, and better processing
We want to make sure that the vendor's API Gateway supports a
rich set of security features, standards, and protocols that will
protect us from security-related cyber attacks and allow
connectivity with backend Systems of Records utilizing traditional
security mechanisms

We want to make sure that the vendor's API Gateway supports a


rich set of security features, standards, and protocols that will
protect us from security-related cyber attacks and allow
connectivity with backend Systems of Records utilizing traditional
security mechanisms

We want to make sure that the vendor's API Gateway supports a


rich set of security features, standards, and protocols that will
protect us from security-related cyber attacks and allow
connectivity with backend Systems of Records utilizing traditional
security mechanisms

We want to make sure that the vendor's API Gateway supports a


rich set of security features, standards, and protocols that will
protect us from security-related cyber attacks and allow
connectivity with backend Systems of Records utilizing traditional
security mechanisms
We want to make sure that the vendor's API Gateway supports a
rich set of security features, standards, and protocols that will
protect us from security-related cyber attacks and allow
connectivity with backend Systems of Records utilizing traditional
security mechanisms

We want to make sure that the vendor's API Gateway supports a


rich set of security features, standards, and protocols that will
protect us from security-related cyber attacks and allow
connectivity with backend Systems of Records utilizing traditional
security mechanisms

We want to make sure vendor's API Gateway can safeguard and


manage digital keys for strong authentication and provides
cryptoprocessing
Existing Systems of Record may utilize a messaging subsystem such
as MQ. It's very important for us to make sure that the vendor's
API Gateway can integrate with those systems
We want to know if vendor's API Gateway has the ability to
process JSON and XML payloads in a high-performance fashion to
support REST and SOAP services
We want to ensure that vendor's API Gateway can bridge from
protocols like MQ, TIBCO, JMS to APIm-friendly protocols REST and
SOAP
We want to ensure that existing Systems of Record using
SOAP/XML or some other propreitary message format can be
exposed as JSON/REST API on the frontend
We want to ensure that existing Systems of Record using
SOAP/XML or some other propreitary message format can be
exposed as JSON/REST API on the frontend
We want to connect & access information stored in databases and
mainframes as part of our API workloads
We want to ensure that vendor's API Gateway functionality can be
extended via custom policies or activities
We want to ensure that vendor's API Gateway complies to known
and recognized security certifications
We want to ensure that vendor's API Gateway has monitoring
features (built-in or integration to monitoring tools)
We want to make sure that vendor's API Gateway will fit in our
environment from the networking perspective
We want to make sure we can minimize or eliminate downtime
when upgrading vendor's API Gateway
We want to ensure that underlying OS in vendor's API Gateway
can be protected from OS-level cyber attacks
We want to make sure vendor's API Gateway is a production-grade
gateway
We want to know if vendor's API Gateway requires an underlying
operating system
We want to make sure vendor's API Gateway has routing and
orchestration capabilities that will increase developer productivity

We want to ensure that the vendor's API Gateway comes with OAuth
provider capabilities
We want to make sure vendor's API Gateway supports XSLT

We want to ensure the vendor's API Gateway provides visual, graphical
message transformation to improve developer productivity

We want to make sure vendor's API Gateway provides the ability


to modify message payloads
We want to ensure vendor's API Gateway provides error handling
features to enhance developer productivity
We want to ensure vendor's API Gateway provides granularity in
applying policies or activities to API operations and different HTTP
methods
We want to make sure vendor's API Gateway supports all HTTP
methods
We want to ensure vendor's API Gateway comes with built-in
capabilities for traffic shaping, such as throttling, SLAs, traffic
limits, quota enforcement, etc.
We want to make sure vendor's API Gateway includes a rich set of
metrics and/or dashboards for API traffic
We want to ensure that vendor's API Gateway supports the
concept of partitioning, e.g. domains, to segment the gateway

We want to make sure the vendor's API Gateway supports caching to
speed up API calls

Rationale
We would like to know what other description languages (DLs) the
vendor supports. Swagger, the de-facto market standard for REST APIs,
is of special interest to us
Swagger is widely used in the market more so than any other DL
and we would like to make sure vendor is committed to this
standard
These two standards are the most common and easiest to use for
API consumption
We would like to know OOTB integration points with other
products for API management that speed up development and
time-to-market
We want to know whether the vendor supports message mapping from
their browser-based UI, from a fat client that needs to be installed
on a developer's desktop/laptop, or both. Message mapping
capabilities in the browser-based UI speed up development

We want to ensure the vendor's solution includes API lifecycle
capabilities beyond just a naming convention for API names

Logging capabilities help development as well as DevOps teams
debug, troubleshoot, and resolve problems. Logging can also be
used by analytics and dashboards
Monitoring and alerting capabilities help DevOps teams be
proactive about potential problems that may arise. They can also
be used by dashboards
Traffic quota and throttling are important to control the
consumption of APIs and to protect backend API implementations
from overloads
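The traffic-shaping rationale above, together with the earlier gateway requirements for throttling, SLAs, quota enforcement and for applying policies per API operation and HTTP method, comes down to an enforcement step like the one below. This is an added example, not part of the RFP template and not any vendor's implementation: it combines a token-bucket rate limit (which absorbs bursts) with a hard quota per window (which caps total consumption), keyed per client and per operation. The policy values, client ids and paths are assumptions, and the state lives in process memory, whereas a gateway cluster has to share it through a distributed store.

```python
"""Added example, not from the RFP or any vendor's product: per-operation
traffic shaping of the kind a gateway applies before a request reaches the
backend. Policy values, client ids and paths are assumptions made for
illustration; state is kept in process memory only."""
import math
import time
from dataclasses import dataclass
from typing import Dict, NamedTuple, Tuple


@dataclass(frozen=True)
class Policy:
    rate_per_sec: float   # sustained request rate (token refill rate)
    burst: int            # bucket capacity: requests that may arrive at once
    quota: int            # hard cap on calls per quota window
    window_sec: int       # quota window length, e.g. 86400 for a daily quota


# Policies keyed by (method, path). Specific entries win over the "*" default,
# so a payment POST can be limited far more tightly than a balance GET.
DEFAULT_POLICIES: Dict[Tuple[str, str], Policy] = {
    ("GET", "/accounts/{id}/balance"): Policy(rate_per_sec=10, burst=20, quota=10_000, window_sec=86_400),
    ("POST", "/payments"): Policy(rate_per_sec=1, burst=2, quota=500, window_sec=86_400),
    ("*", "*"): Policy(rate_per_sec=5, burst=5, quota=1_000, window_sec=86_400),
}


class Decision(NamedTuple):
    allowed: bool
    status: int              # 200 to continue processing, 429 to reject
    headers: Dict[str, str]  # rate-limit headers returned to the caller


@dataclass
class _State:
    tokens: float
    last_refill: float
    window_start: float
    used_in_window: int = 0


class TrafficLimiter:
    def __init__(self, policies=None, clock=time.monotonic):
        self.policies = policies or DEFAULT_POLICIES
        self.clock = clock               # injectable for deterministic tests
        self._state: Dict[tuple, _State] = {}

    def policy_for(self, method: str, path: str) -> Policy:
        """Most specific match first: exact (method, path), then any method
        on that path, then the catch-all default."""
        return (self.policies.get((method, path))
                or self.policies.get(("*", path))
                or self.policies[("*", "*")])

    def check(self, client_id: str, method: str, path: str) -> Decision:
        pol = self.policy_for(method, path)
        now = self.clock()
        key = (client_id, method, path)  # limits are per client *and* per operation
        st = self._state.get(key)
        if st is None:
            st = self._state[key] = _State(tokens=pol.burst, last_refill=now, window_start=now)

        # Start a fresh quota window once the previous one has elapsed.
        if now - st.window_start >= pol.window_sec:
            st.window_start, st.used_in_window = now, 0

        # Hard quota first: once exhausted, no refill helps until the window resets.
        if st.used_in_window >= pol.quota:
            retry = int(pol.window_sec - (now - st.window_start)) + 1
            return Decision(False, 429, {"Retry-After": str(retry), "X-Quota-Remaining": "0"})

        # Token bucket: refill in proportion to elapsed time, capped at the burst size.
        st.tokens = min(pol.burst, st.tokens + (now - st.last_refill) * pol.rate_per_sec)
        st.last_refill = now
        if st.tokens < 1:
            retry = math.ceil((1 - st.tokens) / pol.rate_per_sec)
            return Decision(False, 429, {"Retry-After": str(retry), "X-RateLimit-Remaining": "0"})

        st.tokens -= 1
        st.used_in_window += 1
        return Decision(True, 200, {
            "X-RateLimit-Remaining": str(int(st.tokens)),
            "X-Quota-Remaining": str(pol.quota - st.used_in_window),
        })


if __name__ == "__main__":
    limiter = TrafficLimiter()
    # Constructed burst of three payment POSTs from one app: the third exceeds burst=2.
    for _ in range(3):
        print(limiter.check("app-42", "POST", "/payments"))
```

When comparing vendors, ask where this state lives (a per-node limiter lets a client multiply its allowance by the number of gateway nodes), whether rejections carry a `Retry-After` so well-behaved clients back off, and whether limits can be attached at the granularity of a single method on a single operation rather than only per API.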

We want to know all of the API metrics that the vendor's solution
collects to get insight into what kind of analyses we can do

We want to understand the vendor's API metrics data collection
process and the dependencies between the components that
participate in it. We also want to know any component outage
scenarios that would stop the solution from either collecting API
metrics or from processing API calls

We have many LoB units and may have the need to support all
these organizations under a single catalog in the vendor's APIm
solution
We want to ensure vendor's solution provides hybrid integration
capabilities
We want a solution that can easily discover and bring APIs under
management
We want to ensure vendor's solution API policy application is easy

We want to ensure vendor's solution supports interaction APIs

We need a solution that supports multi-tenancy


We want to understand the APIm solution components and its
dependencies and technologies behind each

We want to ensure the vendor's solution provides capabilities to
manage developer communities
We want to ensure vendor's solution provides granular features
for API access management
We want to make sure vendor's solution supports mechanisms for
continuous integration and continuous deployment
We want to ensure vendor's solution supports re-usability of
assets to improve developer productivity, e.g. Handlebar
templates
We want to ensure vendor's solution supports API versioning

We want to ensure the vendor's solution can easily integrate with user
registries
We want to understand, in detail, the process the vendor's solution
uses for API deployment
We want to make sure vendor's solution supports user approvals
for API lifecycle
We want to have a solution that provides flexibility to control API
visibility
We want to make sure vendor's solution provides a mechanism to
tailor the same API based on the caller type
We want to ensure vendor's solution provides a way to group APIs
targeted to a specific audience, e.g. Product concept

We want to have a solution with a rich set of data visualization
capabilities, e.g. Kibana
We want a solution with dashboards that can be shared outside
the vendor's solution with non-technical users
We want a solution with a rich set of collected and reportable API
metrics
We want a solution that permits the identification of usage trends

We want a solution that allows the export of API metrics
We want a solution that collects metrics without affecting its
performance
We want a solution that is capable of reporting on errors and
failures via its analytics tooling

Rationale
Nowadays, social capabilities are heavily used by Internet users,
including App developers. Social tools are a great source of
information and provide a network of knowledge to users
We want to make sure the vendor is using a good underlying
platform for their Developers' portal solution. We also want to
make sure that vendor is not using a Beta or Alpha release of some
other open source project not heavily tested in the market

Provisioning a brand new Developer Portal should be easy and
fast. This will speed up delivery of service to our customers

API testing is extremely important in developing good and robust
APIs. We would like to make sure the vendor provides easy-to-use
and good test tools in their solution
Embedded and self-service testing tools will speed up the adoption
and use of our APIs by app developers

Including sample code to invoke APIs will speed up app
development and increase the consumption of APIs

Having integrated capabilities to report and resolve problems can
improve the platform and produce less error-prone applications

We need to brand the vendor's Developer Portal as well as apply
customizations to fit in the way we do things

Easy-to-use self-service app and client registration is necessary to
promote and increase the consumption of APIs
We need to give developers the option to obfuscate their ids and
secrets that are displayed on the browser during self-registration
for confidentiality purposes
We need a Developer portal that engages and encourages
developers to use our APIs
We need a Developer portal that provides some level of analytics
to subscribing developer and developer organizations
We need a Developer portal that provides an easy-to-use self-
service approach to developers wanting to use managed APIs
We need a Developer portal with customization capabilities
We need a Developer portal with granular API access capabilities

We need a solution that allows for the creation of many Developer
portals targeted to different audiences
We need a solution that supports different channels for easy
communication with app developers
We need a solution with a Developer portal rich in capabilities and
functionality
We need to ensure that vendor's Developer portal is production-
ready

We need a Developer portal with built-in OAuth testing
capabilities

We need a Developer portal extensible via a rich set of commercial
or open source plugins
We want to be able to use REST to operate vendor's Developer
portal
We need a Developer portal that can be upgraded with little or no
downtime, if possible

Rationale
We want to ensure that the vendor's solution offers out-of-the-box
security management and administration capabilities

A rich set of roles and Access Control List (ACL) capabilities will
secure and speed up the adoption of the vendor's APIm solution

We need to make sure that the vendor solution supports the
major user registry technologies in the market
A rich set of capabilities for the management of dev orgs, apps,
and subscriptions will aid in API adoption and use. It is also
important to us to manage dev orgs from cloud providers, since this
is needed for hybrid integration (integrations that span on-premise
and cloud) use cases

We want to ensure that the vendor's solution includes its own or a
3rd-party authentication solution
We want to ensure that vendor's solution supports our user
registry
This capability in the vendor's solution will help with the adoption
and use of APIs
This is an important security capability to prevent robots from
overloading the site
This is important to prevent hackers from trying to break in to the
site

We want to ensure that we can install the vendor's API Gateway in the
DMZ without spending a lot of setup time. This will speed up
deployment and setting up new environments
We want to make sure that vendor's API Gateway conforms to
very high security standards since it will be handling highly
sensitive data traffic
We use third-party user access management systems and need the
vendor's solution to easily integrate to them

We want to know if we will have to purchase/use a third-party
OAuth provider solution

We want to ensure that the vendor's solution is capable of securely
connecting to our on-premise systems, e.g. via a Secure Gateway
component
We want to make sure vendor's API Gateway provides high-level
of security
We want to ensure vendor's solution provides a rich set of token-
based standards
We want to make sure vendor's solution supports a rich set of
authorization and authentication mechanisms
We want to ensure that vendor's solution provides a rich set of
security features for payload and channels
We want to make sure vendor's solution supports a rich set of
security standards
We want a solution with extensive access management features

We want a solution with extensive access management features

We want a solution that provides patches for all known security
vulnerabilities

We want to make sure the vendor's solution supports a rich set of
security features
We want to ensure that vendor's solution complies to known and
recognized security certifications
We want a solution that supports secure and encrypted
communication
We want a solution with an easy policy creation tooling to improve
developer productivity
We want a solution with a reliable, secure, and efficient policy
enforcement point

Rationale
We want to ensure that vendor has a good support model in place

We want to ensure that the vendor's cloud offering offers reasonable
SLAs
We want to make sure there's a large community of users for
vendor's solution
We want to make sure that vendor's solution documentation is
readily available
We want to make sure that the vendor provides reference
architectures for public consumption to help us get started with
their solution
We want to ensure vendor offers free tutorials that can help us get
started with their solution
We want to make sure vendor offers some level of free training of
their solution to help us get started with it
We want to make sure vendor offers a good set of fee-based
services to help us adopt their solution

Rationale
We want to ensure that vendor has a view as to how APIs support
business solutions
We want to ensure that vendor can take us beyond initial use
cases
These are suggested RFP criteria to consider for Financial and Banking

Section A. Vendor Experience


Req. id Requirement
A1 Please provide an overview of your experience in payments
A2 Please provide an overview of your experience in banking
A3 Please provide an overview of your experience in financial services

A4 Please provide a list of financial institutions or banks that use your
offering
A5 Please specify the organizations, within the FTSE 100 and FTSE 250
(or your specific region's financial market, e.g. DAX, CAC 40,
NIKKEI, Shanghai Composite, S&P 500, etc.), that use your
product

A6 Please describe how your organization is involved in any working
groups for PSD2 and/or Open Banking
A7 Please describe work you have done with other customers with
PSD2 and Open Banking
A8 Please provide information or documentation on any solutions,
offerings or points of view on PSD2 / Open Banking
A9 Please provide a list of financial institutions or banks that use your
offering
A10 Please provide any architectural or solution designs for PSD2 /
Open Banking that would be appropriate for us.
A11 Please provide a view on the security that is required on a
technical level by our organisation to meet the PSD2 / Open
Banking regulations
A12 Please describe the work you currently do in the banking and
financial services industry including the scope of the work,
customer examples, technology offerings used and non-technology
offerings used

Section B. Security
A13 Please provide your view on how 2-factor authentication will work
for PSD2 & Open Banking
Section C. API Gateway
A14 Please provide a list of customers that use your gateway offering.
Those in financial services and banking would be higher priority
Last update: 16-Dec-16
