These are suggested RFP criteria to consider when selecting an API management vendor
Section A. Vendor Experience
Section B. Deployment, Architecture & Administration
Section C. API/Microservices Creation & Deployment
Section D. API Security, Traffic Management & Mediation (API Gateway)
Section E. API Management & Analytics
Section F. API Socialization (Developer Portal)
Section G. Security
Section H. Training and Support
Section I. Industry Experience
A10 What is your corporation's total R&D budget and its APIM-specific R&D
budget?
A11 Please describe how your organization has innovated or led in
domain areas. Please provide examples of each
A12 How many customers use your API offering? Please break this down by
industry
A13 Please describe the roadmap for your API & Integration Offerings
C4 Does your APIm offering have built-in capabilities for creating and
running microservices? Please explain
C5 What languages does your solution support for the creation and
running of microservices, e.g. Java, Node.js, etc.?
C6 Does your APIm solution include a supported and managed
execution environment to run microservices, e.g. a managed
cluster of servers or nodes?
C7 Can your APIm solution automatically make APIs and Node.js
applications available on cloud platforms, such as IBM
Bluemix/AWS/Google Cloud, for consumption?
C8 Does your solution include developer desktop/laptop tooling to
create APIs, Node.js applications, and policy flows and to easily
deploy them to a managed local or cloud environment?
C9 Does your solution include SaaS tooling to create APIs, Node.js
applications, and policy flows and to easily deploy them to a
managed environment?
C10 Does your desktop/laptop tooling to create APIs, Node.js
applications, and policy flows offer the same functionality as its
SaaS version counterpart? If not, please describe the differences
C11 Does your solution use any framework built on top of Express?
C12 How does your offering integrate into a continuous development,
testing and deployment environment?
C13 Please describe the different options for developing APIs
C14 Please describe the markup languages that are used for API
development and how they are edited
C15 Is role-based access control enforced for developers?
C16 Please describe how mock APIs and prototyping are supported
C17 Does your API tooling allow the developer to model data?
C18 Can developers enforce schema validation?
C19 What security policies can developers enforce on their APIs?
C20 Can developers create transformation, routing, orchestration logic
inside of their API definitions?
C21 Does the developer experience change if they are developing for
the cloud versus developing for an on-premise solution?
C22 Can a developer work with XML & JSON as part of an API build?
C23 What are the primary languages that an API developer needs to
know in order to build an API?
C24 Can a developer expose a REST API from a SOAP web service?
C25 Can a SOAP web service be exposed from a REST API?
C26 Can a developer publish to cloud environments and on-premise
environments from the same IDE?
C27 Can developers pull API definitions from any environment that has
published APIs?
C28 Can developers build multi-step proxy calls out to multiple back-
end services and present this as one API?
C29 Can developers create policies for individual operations on an API?
C30 What level of error handling can an API developer add to an API
definition?
C31 Can a developer provide additional documentation such as
descriptions, contact info and terms of service?
C32 Can developers control the visibility of an API when it is published?
C33 Do your development tools use any open source products or
packages?
C34 Does your development tooling require licensing? If so, how?
C35 Does your developer tooling provide any testing capabilities?
C36 How can your development artifacts be plugged into testing tools?
C37 Does your developer tooling enable auto generation of APIs on top
of back end systems or databases?
C38 Does your developer tooling make use of a widely used framework
or package in order to build APIs?
Section D. API Security, Traffic Management & Mediation (API Gateway)
Req. id Requirement
D1 Does the solution provide a secure, purpose-built gateway? Please
explain
D2 Can your API Gateway execute customer's Java code? Please
explain
D3 What form factors do you support for your API Gateway?
D4 Does your API Gateway come in a hardware appliance form
factor? Please explain
D5 Does your API Gateway support cryptographic acceleration in its
physical appliance form factor, for TLS offload among other uses?
D6 Does your API Gateway require a database?
D7 Is your API Gateway UI browser-based or does it require a fat
client to be installed on a developer desktop/laptop?
D8 Can your API Gateway be used on its own, outside the context of your
APIm solution?
D9 Does your API Gateway support XML, SOAP, WS-* related
standards natively?
D10 What other types of workload does your API Gateway support
beside SOAP and REST?
D11 How does your API Gateway support Node.js? Please explain
D12 What kind of rate limiting and quota enforcement features are
provided by your API Gateway?
D13 Does your API Gateway have any built-in capabilities for doing self-
balancing across a cluster of gateways and intelligent load
balancing to backend API provider layer?
D14 What security protocols and standards does your API Gateway
support?
D15 Does your API Gateway provide built-in support for schema
validation?
D16 Does your API Gateway provide built-in support for message digital
signatures & encryption?
D17 Does your API Gateway provide built-in security token translation?
D31 Please describe the upgrade process for your gateway including
the impact to production runtime
D32 What level of operating system patching is required in order to
keep the gateway secure?
D33 Please provide a list of customers that use your gateway offering
D34 What operating system does your gateway sit on?
D35 Does your API Gateway support routing and orchestration?
D36 Can your API Gateway be configured to be an OAuth provider?
D37 Can your API Gateway use XSLT to do transformation?
D38 Does your API Gateway have a graphical mapper?
D39 Can your gateway redact fields in message payloads on input and
output?
D40 What level of error handling is available on the gateway?
D41 Is your gateway able to apply different activities or policies to
each individual API and to each operation on that API, e.g. POST, GET?
D42 Does your gateway support POST, GET, DELETE, HEAD, PATCH &
OPTIONS?
D43 Can your gateway control, manage and shape API traffic? Please
describe the policies that can be applied
D44 How is API traffic reported from the gateway?
D45 Can multiple provider channels be exposed from the same
gateway with complete segregation? i.e. internal APIs and
external APIs running through the same gateway in isolation?
D46 Does your gateway support response caching?
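As an added illustration that is not part of this RFP and does not describe any vendor's product, the following Python models the per-operation policy chain that questions D12 (rate limiting and quota), D15 (schema validation), D39 (redaction on input and output) and D41 (policies per operation) ask a gateway vendor to describe, so that an evaluator knows which observable behaviours to probe in a proof of concept: a 429 with Retry-After once the quota is spent, a 400 for a body that fails schema validation, and masked fields both in the gateway's audit copy of the request and in the response returned to the client. The `TokenBucket`, `Gateway`, `demo_backend` and `build_demo_gateway` names, the /customers operations, the policies and the customer records are all constructed for this example.

```python
"""Added example, not from the RFP or any vendor: a toy per-operation policy
chain showing the behaviour questions D12 (rate limit/quota), D15 (schema
validation), D39 (redaction on input and output) and D41 (policies per
operation) ask about.  All policies, requests and the back end are constructed."""
import math


class TokenBucket:
    """Token-bucket limiter: `capacity` burst, refilled at `rate` tokens/second."""
    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.tokens = float(capacity)
        self.last = None  # timestamp of the previous call

    def allow(self, now):
        """Return (allowed, retry_after_seconds) for a request at time `now`."""
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True, 0
        return False, math.ceil((1.0 - self.tokens) / self.rate)


def validate(body, schema):
    """Minimal schema check: each key in `schema` must be present with that type."""
    errors = []
    for key, typ in schema.items():
        if key not in body:
            errors.append(f"missing field {key}")
        elif not isinstance(body[key], typ):
            errors.append(f"field {key} must be {typ.__name__}")
    return errors


def redact(doc, fields, mask="***"):
    """Copy of a JSON-like document with the named fields masked at any depth."""
    if isinstance(doc, dict):
        return {k: (mask if k in fields else redact(v, fields, mask)) for k, v in doc.items()}
    if isinstance(doc, list):
        return [redact(v, fields, mask) for v in doc]
    return doc


class Gateway:
    """Applies the policy registered for (method, path), then calls the back end."""
    def __init__(self, policies, backend):
        self.policies = policies  # {(method, path): policy dict}
        self.backend = backend    # callable(request) -> response dict
        self.buckets = {}         # (client_id, operation) -> TokenBucket
        self.audit_log = []       # redacted copies of accepted requests

    def handle(self, req, now):
        op = (req["method"], req["path"])
        policy = self.policies.get(op)
        if policy is None:
            return {"status": 404, "body": {"error": "unknown operation"}}
        if "rate_limit" in policy:  # D12: per-client, per-operation quota
            key = (req["client_id"], op)
            if key not in self.buckets:
                self.buckets[key] = TokenBucket(*policy["rate_limit"])
            allowed, retry = self.buckets[key].allow(now)
            if not allowed:
                return {"status": 429, "headers": {"Retry-After": str(retry)},
                        "body": {"error": "quota exceeded"}}
        if "schema" in policy:  # D15: reject malformed bodies before the back end
            errors = validate(req.get("body") or {}, policy["schema"])
            if errors:
                return {"status": 400, "body": {"errors": errors}}
        # D39 input side: the audit copy never holds the sensitive values,
        # while the back end still receives the full request.
        self.audit_log.append(redact(req, policy.get("redact_in", ())))
        resp = self.backend(req)
        # D39 output side: internal or sensitive fields never reach the client.
        resp["body"] = redact(resp.get("body"), policy.get("redact_out", ()))
        return resp


def demo_backend(req):
    """Constructed stand-in for the service behind the gateway."""
    if req["method"] == "POST":
        return {"status": 201, "body": dict(req["body"], id=42, internal_notes="vip")}
    return {"status": 200, "body": [{"id": 42, "name": "Ann", "ssn": "123-45-6789"}]}


def build_demo_gateway():
    """Two operations on /customers, each with its own policy (D41)."""
    policies = {
        ("POST", "/customers"): {"rate_limit": (3, 1.0),  # burst of 3, then 1/s
                                 "schema": {"name": str, "email": str},
                                 "redact_in": ("ssn",),
                                 "redact_out": ("ssn", "internal_notes")},
        ("GET", "/customers"): {"rate_limit": (10, 5.0), "redact_out": ("ssn",)},
    }
    return Gateway(policies, demo_backend)
```

Driving `build_demo_gateway()` with four POSTs at the same instant and a fifth one second later shows the three outcomes an evaluator should look for: the fourth request is refused with `Retry-After: 1`, the fifth passes again, and every accepted response and audit entry has `ssn` replaced by `***`. In a real evaluation the same request sequence is sent to the candidate gateway and the responses compared with what the vendor's answers to D12, D15 and D39 claim.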
Section E. API Management & Analytics
Req. id Requirement
E1 What REST API Description Languages does your solution support?
And what REST API Description Language do you support internally
in your runtime?
E2 Please describe your support for OpenAPI (formerly Swagger). Does your
corporation belong to the OpenAPI Initiative (www.openapis.org)?
E3 Do you support the creation of REST and SOAP APIs?
E4 Does your APIm solution have any out-of-the-box (OOTB)
integration points to automatically manage APIs from other
products?
E5 Does your APIm solution support built-in browser-based
visual/graphical message mapping?
E6 Does your APIm solution support an external IDE to do
visual/graphical message mapping that you can then deploy to the
runtime environment?
E7 Please describe the API Management lifecycle, versioning,
governance, & control. Does your platform support an API lifecycle
beyond API naming convention? Please explain
E8 Does your solution include logging capabilities? Please explain
E9 Does your solution include monitoring and alerting capabilities?
Please explain
E10 Does your solution support out-of-the-box policies for traffic quota
and throttling?
E11 Does your APIm solution include API analytics? If so, please
describe what API metrics are captured for analytics
E12 What components of your solution, beside the API gateway,
participate in the API analytics collection process? Would the
analytics collection process be affected if any of these components
experience an outage? Please elaborate
E22 Please describe the API build chain and how this can be automated
E23 Please describe how templates from other API definitions can be
used to create new APIs sharing common functions and operations
G14 For cloud-based hosting, please describe the connectivity options
that ensure secure communication, and the types of customers who
rely on this connectivity, with real examples
G15 Please describe how your offering would address the OWASP Top
10 threats
G16 Please describe the token mechanisms your offering supports
G17 What authorization and authentication mechanisms does your
offering support at the API level?
G18 How does your offering secure payloads and channels?
G19 Please provide a list of supported security standards
G20 Please describe how granularly system access can be defined
G21 Please provide the level of control and visibility users can be
granted
G22 Please list all recent vulnerabilities for which your offering had to be
patched to remain secure, e.g. Heartbleed and other OpenSSL issues,
Shellshock, DROWN, data loss
G23 Please highlight other security features that come with your
offering that would be of benefit to us
G24 Please provide a list of all security accreditations for your offering