Risk assessment overview and UI

This page applies to Apigee and Apigee hybrid.


Overview

Advanced API Security risk assessment continuously evaluates API proxy configurations and calculates security scores to help identify and address vulnerabilities in your APIs.

Risk assessment helps you:

  • Enforce consistent security standards across all APIs.
  • Detect misconfigurations in API setups.
  • Improve your overall security score with recommended actions.
  • Quickly investigate and resolve security issues via a centralized dashboard.

In addition to assessing the current risk of each proxy, risk assessment can be used to monitor the security posture of your APIs over time. An assessment score that fluctuates could indicate that the API behavior is frequently changing, including proxies deployed without necessary security policies, shared flow modifications via flow hook deployments and FlowCallout policy additions, and target server changes in environment or proxy deployments.

You can access risk assessment either through the Apigee UI, as described on this page, or through the Security scores and profiles API. You can also use Terraform to configure security profiles and monitoring conditions.

See Required roles for risk assessment for the roles needed to perform risk assessment tasks.

Tip: You can also use Advanced API Security in Apigee API hub to assess risk across your API landscape. For information and usage, see Advanced API Security for multi-gateway projects.

Enable Risk Assessment

To use this feature, you must enable the add-on. If you are a Subscription customer, you can enable the add-on for your organization. See Manage Advanced API Security for Subscription organizations for more details. If you are a Pay-as-you-go customer, you can enable the add-on in your eligible environments. For more information, see Manage the Advanced API Security add-on.

Note: If you add an environment after enabling Advanced API Security, you will need to re-enable it by running the command shown in Enable Advanced API Security for Subscription organizations again before you can view security scores for the new environment.

Risk Assessment v1 and v2

Risk Assessment is available in two versions: Risk Assessment v2 and Risk Assessment v1. Use v2 where possible. Use of either version requires the Advanced API Security add-on.

The main feature differences between v1 and v2 are:

  • v2 includes:
    • Improved reliability, including faster score calculations with recent proxy data
    • Score calculation without the need to first attach a security profile to an environment
    • Simplified score presentation, based on a 0% to 100% scale
    • The concept of assessment check weights, which v1 does not support. See Risk assessment concepts and scoring.
    • Additional assessments over v1, which check more policies when calculating scores. For example, v1 supports five authorization and authentication-related policies while v2 supports eight. Also, v2 includes a Traffic Management category with associated policies and performs additional checks in policies, including for the continueOnError attribute.
    • Checks of nested shared flows and flow hooks to five levels of nesting. v1 does not evaluate policies included via shared flow chaining.
    • Replacement of target scores (target server scores) with proxy-based assessments and recommendations. If a Target is used in a proxy, the security scores for that proxy include the score for the Target Server as well.
    • Custom profiles using the new v2 assessment checks as well as the google-default system profile.
    • Monitoring of security scores and metrics over time using Cloud Monitoring and setting up alerts using Cloud Monitoring alerts.
    • Integration with Apigee API hub.
  • v2 does not support source assessment based on abusive traffic.

Risk Assessment v2

This section describes Risk Assessment v2. Some Risk Assessment concepts and behaviors differ between v1 and v2. For usage with Risk Assessment v1, see Risk Assessment v1 instead.

Risk Assessment v2 concepts and scoring methodology

Risk assessment security scores assess the security risk of your APIs based on the scoring of security assessments and weights in a security profile.

Risk assessment scoring is based on:

  • Assessments and assessment checks: The individual checks performed against proxies, on which proxies are scored. Each check also has a weight, which gives a check more or less significance when assessed against a proxy. Weights are set to minor, moderate, or major for each check. Each weight has a point value which is used to calculate a score:
    • Minor: 1
    • Moderate: 5
    • Major: 15
  • Security profile: A collection of assessment checks, against which deployed proxies in an environment are assessed.
  • Security score: The score for a proxy after assessment against a security profile.

    The score is a value between 0% and 100%. 100% indicates that the proxy is fully compliant with the assessment and no risks were found based on the assessment checks.

    The security score is essentially the total of all points awarded for passed assessment checks divided by the total potential points in the profile. The score is a weighted average, so the more assessment checks the security profile has, the less impact each individual check has on the security score.

    The assessment check weight also affects the security score. Higher weights have more impact on the calculation and lower weights have less impact, according to the point value for each weight. If the weights are equal for all assessment checks in the security profile (such as when all assessment checks have a moderate weight), then the security score is calculated as a regular average.

  • Severity: A severity value for each assessed proxy, based on the security score. The potential severity values are high (0-50%), medium (51-90%), low (91-99%), and minimal (100%, meaning no risk was found based on the assessments in the assigned security profile).

Assessment categories and checks

This table shows the assessment categories and individual checks that can be part of security profiles. It also shows recommendations on how to address failed assessments for each.

Assessment category: AI
Description: Checks whether AI policies are present.

  • SanitizeUserPrompt policy check / sanitize-user-prompt-policy-check: Checks whether a SanitizeUserPrompt policy is in use. Recommendation: Add the SanitizeUserPrompt policy to the proxy.
  • SanitizeModelResponse policy check / sanitize-model-response-policy-check: Checks whether a SanitizeModelResponse policy is in use. Recommendation: Add the SanitizeModelResponse policy to the proxy.
  • SemanticCacheLookup policy check / semantic-cache-lookup-policy-check: Checks whether a SemanticCacheLookup policy is in use. Recommendation: Add the SemanticCacheLookup policy to the proxy.

Assessment category: Auth
Description: "Auth" means both authorization and authentication in this case. Auth assessments check whether you have authorization and authentication policies in place and whether the continueOnError attribute for auth policies is set to false.

  • Auth policies check / auth-policies-check: Checks whether any of the following auth policies are enabled: AccessControl, BasicAuthentication, HMAC, OAuth, ValidateSAMLAssertion, VerifyAPIKey, VerifyIAM, VerifyJWS, or VerifyJWT. Recommendation: Add at least one of the required policies to the proxy.
  • continueOnError check in auth policies / continue-on-error-auth-policies-check: Checks whether the continueOnError field is enabled on all auth policies in the proxy. This involves checking whether an auth policy is in use; the check has no impact if there are no auth policies in the proxy. Recommendation: Set continueOnError to false for all auth policies included in the proxy.
  • AccessControl policy check / access-control-policy-check: Whether the AccessControl policy is in use. Recommendation: Add the AccessControl policy to the proxy.
  • BasicAuthentication policy check / basic-auth-policy-check: Whether the BasicAuthentication policy is in use. Recommendation: Add the BasicAuthentication policy to the proxy.
  • HMAC policy check / hmac-policy-check: Whether the HMAC policy is in use. Recommendation: Add the HMAC policy to the proxy.
  • OAuthV2 policy check / oauthv2-policy-check: Whether the OAuth policy is in use. Recommendation: Add the OAuthV2 policy to the proxy.
  • ValidateSAMLAssertion policy check / validate-saml-assertion-policy-check: Whether the ValidateSAMLAssertion policy is in use. Recommendation: Add the ValidateSAMLAssertion policy to the proxy.
  • VerifyAPIKey policy check / verify-api-key-policy-check: Whether the VerifyAPIKey policy is in use. Recommendation: Add the VerifyAPIKey policy to the proxy.
  • VerifyIAM policy check / verify-iam-policy-check: Whether the VerifyIAM policy is in use. Recommendation: Add the VerifyIAM policy to the proxy.
  • VerifyJWS policy check / verify-jws-policy-check: Whether the VerifyJWS policy is in use. Recommendation: Add the VerifyJWS policy to the proxy.
  • VerifyJWT policy check / verify-jwt-policy-check: Whether the VerifyJWT policy is in use. Recommendation: Add the VerifyJWT policy to the proxy.

Assessment category: CORS
Description: Checks whether a CORS policy or CORS headers in an AssignMessage policy are present.

  • CORS policies check / cors-policies-check: Checks whether a CORS policy or CORS headers in an AssignMessage policy are present. Recommendation: Add either the CORS policy or an AssignMessage policy with the CORS headers to the proxy.
  • CORS policy check / cors-policy-check: Checks whether a CORS policy is in use. Recommendation: Add the CORS policy to the proxy.
  • CORS AssignMessage policy check / cors-assignmessage-policy-check: Checks whether CORS headers are added in an AssignMessage policy. Recommendation: Add the AssignMessage policy with CORS headers to the proxy.

Assessment category: Mediation
Description: Checks whether a mediation policy is enabled.

  • Mediation policies check / mediation-policies-check: Checks whether either of the following mediation policies is enabled: SOAPMessageValidation or OASValidation. Recommendation: Add one of the following mediation policies to your proxy: SOAPMessageValidation or OASValidation.
  • SOAPMessageValidation policy check / soap-validation-policy-check: Checks whether the SOAPMessageValidation policy is in use. Recommendation: Add the SOAPMessageValidation policy to the proxy.
  • OASValidation policy check / oas-validation-policy-check: Checks whether the OASValidation policy is in use. Recommendation: Add the OASValidation policy to the proxy.

Assessment category: Target
Description: Checks whether target server protections are used. For information on target server configuration, see Load balancing across backend servers.

  • Target Server TLS check / tls-target-server-check: Checks for TLS/SSL in target servers. Recommendation: Configure TLS/SSL in all target servers configured in the proxy for secure communications.
  • Target Server mTLS check / mtls-target-server-check: Checks for mTLS in target servers. Recommendation: Configure mTLS in all target servers configured in the proxy for maximum security.
  • Target Server enforce field check / target-enforce-field-check: Checks whether the Enforce field is enabled in the target server configuration. Recommendation: Configure the Enforce field to enforce strict SSL between the Apigee proxy and the target.

Assessment category: Threat
Description: Checks whether threat prevention policies are used.

  • Threat policies check / threat-policies-check: Checks whether any of the following threat policies are enabled: JSONThreatProtection, RegularExpressionProtection, or XMLThreatProtection. Recommendation: Add one of the required threat policies to your proxy.
  • continueOnError check in threat policies / continue-on-error-threat-policies: Checks whether the continueOnError field is enabled in all threat policies used in the proxy. This involves checking whether a threat policy is in use; the check has no impact if there are no threat policies in the proxy. Recommendation: Set continueOnError to false for all threat policies in use in the proxy.
  • JSONThreatProtection policy check / json-threat-protection-policy-check: Checks whether the JSONThreatProtection policy is in use. Recommendation: Add the JSONThreatProtection policy to the proxy.
  • RegularExpressionProtection policy check / regex-protection-policy-check: Checks whether the RegularExpressionProtection policy is in use. Recommendation: Add the RegularExpressionProtection policy to the proxy.
  • XMLThreatProtection policy check / xml-threat-protection-policy-check: Checks whether the XMLThreatProtection policy is in use. Recommendation: Add the XMLThreatProtection policy to the proxy.

Assessment category: Traffic
Description: Checks whether you have traffic management policies in place.

  • Traffic management policies check / traffic-management-policies-check: Checks whether any of the following traffic management policies are enabled: LookupCache, Quota, ResponseCache, or SpikeArrest. Recommendation: Add one of the traffic management policies to your proxy.
  • LookupCache policy check / lookup-cache-policy-check: Checks whether the LookupCache policy is enabled. Recommendation: Add the LookupCache policy to the proxy.
  • Quota policy check / quota-policy-check: Checks whether the Quota policy is in use. Recommendation: Add the Quota policy to the proxy.
  • ResponseCache policy check / response-cache-policy-check: Checks whether the ResponseCache policy is in use. Recommendation: Add the ResponseCache policy to the proxy.
  • SpikeArrest policy check / spike-arrest-policy-check: Checks whether the SpikeArrest policy is in use. Recommendation: Add the SpikeArrest policy to the proxy.

Policy attachment and proxy security scores

For proxy assessments, security scores are based on the policies you are using. How those policies are assessed depends on whether and how they are attached to flows:

  • Only policies that are attached to a flow (preflow, conditional flow, or postflow in proxies, or a shared flow) affect scores. Policies that are not attached to any flow do not affect scores.
  • Proxy scores take into account shared flows a proxy calls via flow hooks and FlowCallout policies in the proxy, provided the FlowCallout policy is attached to a flow. If the FlowCallout is not attached to a flow, policies from its linked shared flow do not affect security scores.
  • Chained shared flows are evaluated up to five levels deep. Any policies included directly in the proxy and in the first five levels of shared flows are counted towards the security score.
  • For policies attached to conditional flows, security scores only take into account whether the policies are present; it does not take into account whether or how the policies are enforced at runtime.
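The attachment rules above, applied to a constructed proxy, a six-deep shared-flow chain and a flow hook. This is an added example, not Apigee's own code or API; the dataclass model of proxies, flows and shared flows is an assumption made for the example.

```python
"""Which policies count toward an Apigee proxy security score.

Added example, not Apigee's own code or API. Rules modelled: only policies
attached to a flow count; an attached FlowCallout pulls in its shared flow
(an unattached one does not); flow hooks pull in shared flows; chained
shared flows are followed to five levels of nesting.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

MAX_SHARED_FLOW_DEPTH = 5  # policies in the first five levels of shared flows count


@dataclass
class Policy:
    name: str
    type: str                          # e.g. "VerifyAPIKey", "FlowCallout"
    shared_flow: Optional[str] = None  # shared flow called by a FlowCallout
    continue_on_error: bool = False


@dataclass
class Bundle:
    """A proxy or shared flow: its defined policies and the steps attached to flows."""
    policies: Dict[str, Policy]
    flows: Dict[str, List[str]] = field(default_factory=dict)  # flow -> policy names

    def attached(self) -> List[Policy]:
        names = {n for steps in self.flows.values() for n in steps}
        return [self.policies[n] for n in sorted(names) if n in self.policies]


def effective_policies(proxy: Bundle, shared_flows: Dict[str, Bundle],
                       flow_hooks: Sequence[str] = ()) -> Dict[str, List[Policy]]:
    """Return the policies that affect the score, grouped by policy type."""
    found: Dict[str, List[Policy]] = {}

    def visit(bundle: Bundle, depth: int) -> None:
        for p in bundle.attached():
            if p.type != "FlowCallout":
                found.setdefault(p.type, []).append(p)
            elif p.shared_flow in shared_flows and depth < MAX_SHARED_FLOW_DEPTH:
                visit(shared_flows[p.shared_flow], depth + 1)  # one level deeper
            # Unattached FlowCallouts never reach here, so their shared flows are ignored.

    visit(proxy, 0)                    # policies directly in the proxy
    for sf in flow_hooks:              # shared flows deployed via flow hooks: level 1
        if sf in shared_flows:
            visit(shared_flows[sf], 1)
    return found


def sample_environment():
    """Constructed sample: a proxy, the chain sf1 -> ... -> sf6, and a flow hook."""
    def callout(to: str, name: str = "next") -> Policy:
        return Policy(name, "FlowCallout", shared_flow=to)

    shared: Dict[str, Bundle] = {}
    for i in range(1, 7):
        pols = {"next": callout(f"sf{i + 1}")}            # sf6 points at a missing sf7
        if i == 5:
            pols["quota"] = Policy("quota", "Quota")        # level 5: counted
        if i == 6:
            pols["spike"] = Policy("spike", "SpikeArrest")  # level 6: not counted
        shared[f"sf{i}"] = Bundle(pols, {"PreFlow": list(pols)})
    shared["sf-auth"] = Bundle({"oauth": Policy("oauth", "OAuthV2")}, {"PreFlow": ["oauth"]})
    shared["sf-cors"] = Bundle({"cors": Policy("cors", "CORS")}, {"PreFlow": ["cors"]})

    proxy = Bundle(
        policies={
            "apikey": Policy("apikey", "VerifyAPIKey"),
            "jwt": Policy("jwt", "VerifyJWT"),             # defined but never attached
            "fc-chain": callout("sf1", "fc-chain"),
            "fc-auth": callout("sf-auth", "fc-auth"),      # FlowCallout not attached
        },
        flows={"PreFlow": ["apikey", "fc-chain"], "GetItems": []},
    )
    return proxy, shared, ["sf-cors"]


if __name__ == "__main__":
    proxy, shared, hooks = sample_environment()
    print(sorted(effective_policies(proxy, shared, hooks)))
```

Only VerifyAPIKey (direct), Quota (level 5 of the chain) and CORS (flow hook) count; the unattached VerifyJWT, the OAuthV2 behind an unattached FlowCallout, and the SpikeArrest at level 6 do not.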

Security profiles v2

A security profile is a set of security assessments and weights to score API proxies against. You can use either Apigee's default security profile, called google-default, or you can create a custom security profile that contains only the security categories and weights you want to assess.

When working with security profiles or creating custom security profiles, note that multiple assessment checks within a category are assessed individually.

For example, if there are three authentication policy checks in a security profile and the assessed proxy includes one of the three, the assessment score will include full points for the one found policy and zero points for the other two policies which are not present. In this example, the assessed proxy would not receive full points for authentication policy checks even though it does include an authentication policy. Be careful about security score interpretation and security profile design given this behavior.

Default security profile

Advanced API Security provides a default security profile that contains all of the assessments. When you use the default profile, security scores are based on all of the categories.

The default security profile,google-default, can't be edited or deleted.

Custom security profile

You can create custom security profiles that include only your chosen assessment checks and weights to evaluate against proxies. For instructions on creating and using custom security profiles from the Apigee UI, see Manage custom profiles in the Apigee UI.

Assessment checks in a custom security profile are "AND" assessments. See Risk assessment concepts and scoring for more information.

In some cases you might want to use a custom security profile to create an "OR" condition between assessment checks. For example, you might want to create a profile that requires either an OAuth policy or an API Key policy for authentication. While you can't, at this time, create a true "OR" condition where the presence of either policy results in a score of 100%, you can use a custom security profile to signal whether one or both policies are present.

For example:

  1. Create a custom profile with the following checks and weights:
    • OAuthV2 policy check: Major
    • VerifyAPIKey policy check: Minor
  2. With this configuration, the scores are:
    • 100% if both policies are present
    • 94% if only the OAuthV2 policy is present
    • 6% if only the VerifyAPIKey policy is present
    • 0% if neither policy is present
    Use the scores to determine which policies are configured in the proxies.
  3. Additionally, create a monitoring condition and a Cloud Monitoring alert that triggers if the score goes below 6%. Above 6%, the proxy has either the OAuthV2 policy or the VerifyAPIKey policy (or both). Below 6%, neither policy exists, which needs the user's attention. Use the name and description of the alert to indicate whether one or both policies are missing. See the example in Example: Create a risk assessment monitoring condition and monitoring alert.
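The scoring described under Risk Assessment v2 concepts (Minor=1, Moderate=5, Major=15 points, score = points earned / points possible, severity from the score), worked through the OAuthV2/VerifyAPIKey profile above and the "three auth checks" case. This is an added example, not Apigee's code; the proxy model, the check implementations and the treatment of a not-applicable continueOnError check (left out of both numerator and denominator) are assumptions.

```python
"""Weighted security score and severity for an Apigee proxy.

Added example, not Apigee's own code. A proxy is modelled as
{attached policy type: [continueOnError flag of each instance]} and a
check returns True (pass), False (fail) or None (no impact), all of
which are assumptions made for this example.
"""
from typing import Callable, Dict, List, Optional, Tuple

WEIGHT_POINTS = {"minor": 1, "moderate": 5, "major": 15}
AUTH_POLICY_TYPES = {"AccessControl", "BasicAuthentication", "HMAC", "OAuthV2",
                     "ValidateSAMLAssertion", "VerifyAPIKey", "VerifyIAM",
                     "VerifyJWS", "VerifyJWT"}

Proxy = Dict[str, List[bool]]
Check = Callable[[Proxy], Optional[bool]]


def policy_present(policy_type: str) -> Check:
    """Single-policy check such as oauthv2-policy-check."""
    return lambda proxy: policy_type in proxy


def auth_policies_check(proxy: Proxy) -> bool:
    return any(t in proxy for t in AUTH_POLICY_TYPES)


def continue_on_error_auth_check(proxy: Proxy) -> Optional[bool]:
    flags = [f for t in AUTH_POLICY_TYPES for f in proxy.get(t, [])]
    if not flags:
        return None          # no auth policies: the page says this check has no impact
    return not any(flags)    # passes only if every auth policy has continueOnError=false


CHECKS: Dict[str, Check] = {
    "auth-policies-check": auth_policies_check,
    "continue-on-error-auth-policies-check": continue_on_error_auth_check,
    "oauthv2-policy-check": policy_present("OAuthV2"),
    "verify-api-key-policy-check": policy_present("VerifyAPIKey"),
    "verify-jwt-policy-check": policy_present("VerifyJWT"),
}


def security_score(profile: Dict[str, str], proxy: Proxy) -> int:
    """Whole-percent score: points for passed checks over points possible."""
    earned = possible = 0
    for check_id, weight in profile.items():
        result = CHECKS[check_id](proxy)
        if result is None:
            continue                       # not applicable: excluded from the score
        points = WEIGHT_POINTS[weight]
        possible += points
        if result:
            earned += points
    # Assumption: a profile with no applicable checks scores 100 (nothing failed).
    return 100 if possible == 0 else round(100 * earned / possible)


def severity(score: int) -> str:
    """Severity bands from the page: high 0-50, medium 51-90, low 91-99, minimal 100."""
    if score == 100:
        return "minimal"
    if score >= 91:
        return "low"
    if score >= 51:
        return "medium"
    return "high"


def assess(profile: Dict[str, str], proxy: Proxy) -> Tuple[int, str]:
    score = security_score(profile, proxy)
    return score, severity(score)


# The "OR" profile from the page: OAuthV2 Major, VerifyAPIKey Minor (15 + 1 points).
OR_PROFILE = {"oauthv2-policy-check": "major", "verify-api-key-policy-check": "minor"}
# Three auth checks, all Moderate: a proxy with only one of them earns 5 of 15 points.
THREE_AUTH_PROFILE = {"oauthv2-policy-check": "moderate",
                      "verify-api-key-policy-check": "moderate",
                      "verify-jwt-policy-check": "moderate"}

if __name__ == "__main__":
    cases = [("both", {"OAuthV2": [False], "VerifyAPIKey": [False]}),
             ("oauth only", {"OAuthV2": [False]}),
             ("apikey only", {"VerifyAPIKey": [False]}),
             ("neither", {})]
    for label, proxy in cases:
        print(label, assess(OR_PROFILE, proxy))
```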

For custom security profiles:

  • The profile name (also called the profile ID) is required and is shown in the summary table when listing profiles. The name must be 1 to 63 characters, which can be lower case letters, numbers 0-9, or hyphens. The first character must be a lower case letter. The last character must be a lower case letter or number. Custom security profiles must have unique names and can't duplicate existing profile names.
  • The profile description is optional and can't exceed 1,000 characters.
Preview — Advanced API Security Monitoring Conditions for Risk Assessment v2

This feature is covered by the Pre-GA Offerings Terms of the Google Cloud Terms of Service. Pre-GA features may have limited support, and changes to pre-GA features may not be compatible with other pre-GA versions. For more information, see the launch stage descriptions.

Support for the Preview launch of Advanced API Security Monitoring Conditions is available through the Apigee - Google Cloud Community forum.

Monitoring conditions and alerts

Advanced API Security allows you to add monitoring conditions to Risk Assessment. Once you create a monitoring condition, Risk Assessment publishes security score metrics to Cloud Monitoring. Cloud Monitoring can track security scores over time for proxies assessed against security profiles.

To use monitoring conditions:

  1. Familiarize yourself with the Cloud Monitoring functionality.
  2. Make sure you have the required roles or permissions needed to manage monitoring conditions. See Required roles for Risk Assessment.
  3. Use the Apigee UI or API to create and manage monitoring conditions. See Manage monitoring conditions and alerts in the Apigee UI and Manage monitoring conditions in the API.

Note: When a new monitoring condition is created or an existing monitoring condition is changed, it takes up to 5 minutes for the changes to be reflected in Cloud Monitoring metrics.

Once you've created a monitoring condition, you can set up monitoring alerts on the condition metrics using Cloud Monitoring alerts.

To create monitoring alerts from the Apigee UI, see Manage monitoring conditions and alerts in the Apigee UI. For information on alerts in Advanced API Security and how to manage the monitoring alerts, see Security alerts.

Limitations and known issues on Risk Assessment v2

Security scores have the following limitations and known issues:

  • Security scores are only generated if an environment has deployed proxies.
  • Newly deployed proxies and newly enabled organizations and environments do not immediately show scores. See Data delays for information.
  • For custom profiles, you can create a maximum of 100 custom profiles per organization.
  • Notification of new assessment calculations and scores is not supported at this time.
  • Only one monitoring condition can exist for a scope and security profile combination. If a profile is already part of an existing monitoring condition for the scope selected, then a warning message appears and prevents creation of the new condition.
  • Only deployed proxies are monitored. If a proxy that is included in a monitoring condition is undeployed, it isn't monitored and doesn't show as monitored in the monitoring condition details. On redeploy, the proxy is automatically monitored and shows as monitored in the monitoring condition details.
  • You can create a maximum of 1,000 security monitoring conditions per organization.
  • New scores that are tracked by a security monitoring condition might take up to 5 minutes to show in Cloud Monitoring.
  • Security scores are available in Cloud Monitoring for up to 6 weeks. See Data retention.

Data delays

The data that Advanced API Security security scores are based on has the following processing windows before results are available:

  • When you enable Advanced API Security in an organization for the first time, it takes time for the scores for existing proxies and targets to be reflected in an environment. As a guideline, expect 30 to 90 minutes for Subscription organizations and less time for Pay-as-you-go organizations.
  • New events related to proxies (deployment and undeployment) and targets (create, update, delete) in an environment take at least 60 seconds and up to 5 minutes (for very large environments) to reflect in the environment's score.

View risk assessments in the Apigee UI

The Risk Assessment page displays scores that measure the security of your API in each environment.

Note: You might need to select "Switch to Risk Assessment v2" in order to switch to Risk Assessment v2 for this organization.

To open the Risk Assessment page:

In the Google Cloud console, go to the Advanced API Security > Risk assessment page.


This displays the Risk Assessment page:

Risk assessment main page.

The page has these sections:

  • Environment: Select the environment on which to view assessments.
  • Security profile: Select the default profile (google-default) or a custom profile, if available. See Security profiles for information on security profiles.
  • Deployed proxies by severity: Once the environment is set, the page shows a summary of severities across proxies in that environment. See Risk assessment concepts and scoring.
  • Assessment details: Shows the security profile, assessment date and time, total assessed configurations, and total deployed proxies for the selected environment. The total assessed configurations count reflects the total number of "checks" performed. This count might be higher than the number of assessments in a profile; some assessments, such as verifying that the "continueOnError" attribute is set to false, also check whether the related policies are in place and enabled.
  • Deployed proxies: A summary of deployed proxies in the environment and their risk assessment scores.

Manage custom security profiles in the Apigee UI

This section shows how to view, create, edit, and delete custom security profiles using the Apigee UI. Note the limitations on custom security profiles listed in Limitations on security scores.

Start by Viewing risk assessments in the Apigee UI.

Create and edit custom security profiles

On the Risk Assessment screen, select the Security Profiles tab. To edit an existing profile, click the profile name to see the profile details and then Edit. Or, you can select Edit from the Actions menu in the row for that profile.

To create a new custom profile, click + Create on the security profile list.

Security profile list

When creating or editing a custom security profile, you can set these values:

  • Name: The name of the security profile. Make sure this is unique for the project.
  • Description: (Optional). A description for the security profile.
  • Assessment check(s) and Assessment weight(s): One or more assessment checks to evaluate against proxies and a weight for each. See Risk assessment concepts and scoring for a list of the available assessment checks. To add additional assessment checks and weights to the profile, click + Add. To delete a check/weight pair, click the trash icon in the row for that pair.

Duplicate security profiles

To duplicate an existing security profile (to create a new custom profile), select Duplicate from the Actions menu in the row for that profile, or click the profile name in the profiles list to see the profile metadata and then click Duplicate.

When duplicating a custom security profile, you can add the new security profile to the same Apigee instance or for use with your Apigee API hub gateways, if you're using API hub.

See Custom security profile for security profile naming requirements.

Delete custom security profiles

To delete an existing custom security profile, select Delete from the Actions menu in the row for that profile, or click the profile name in the profiles list to see the profile metadata and then click Delete.

Note that you cannot delete the default system profile (google-default).

Deleting a custom security profile is effective immediately and removes the ability to assess proxies against that profile or see previous assessments against that custom profile.

Manage monitoring conditions and alerts from the Apigee UI

This section shows how to view, create, edit, and delete monitoring conditions and create monitoring alerts using the Apigee UI. See Monitoring conditions and alerts for information on this feature.

Start by Viewing risk assessments in the Apigee UI and then selecting the Monitoring Conditions tab.

View, create, and edit monitoring conditions

The main page lists any existing monitoring conditions. To view the details for an existing monitoring condition, click the Monitored proxies/total deployed value in the row for that monitoring condition. To edit an existing condition, select Edit from the Actions menu in the row for that monitoring condition. To create a new monitoring condition, click + Create monitoring condition above the results list.

Security profile list

Monitoring conditions include these settings:

  • Environment: The environment where the monitoring condition is created. Not editable after creation of the monitoring condition.
  • Security profile/Profile: The security profile assessed against.
  • Condition(s): Whether to Include all or Include specified proxies from the environment. If Include is selected, select each proxy to include by checking the box next to the proxy name.

View monitoring metrics

View the metrics for a monitoring condition in Cloud Monitoring. To see the metrics, click View in the row for the monitoring condition.

Delete monitoring conditions

To delete an existing monitoring condition, select Delete from the Actions menu in the row for the monitoring condition, and then confirm.

Important: Deleting a monitoring condition in Apigee does not delete the metrics tracking for that monitoring condition in Cloud Monitoring. See Disable collection of metrics for instructions on deleting the Cloud Monitoring metrics.

There is a small delay before Cloud Monitoring metrics stop publishing.

Create monitoring alerts

To create a new monitoring alert, select Create monitoring alert from the Actions menu in the row for the monitoring condition. This action takes you to the Cloud Monitoring alerting page in the Google Cloud console and prepopulates some values based on the monitoring condition. See Security alerts for more information.

Risk Assessment v1

This section describes Risk Assessment v1. For information on Risk Assessment v2, see Risk Assessment v2 instead.

Security scores

Security scores assess the security of your APIs, as well as their security posture over time. For example, a score that fluctuates a lot could indicate that the API behavior is frequently changing, which might not be desirable. Changes in an environment that could cause the score to drop include:

  • Deploying many API proxies without the necessary security policies.
  • A spike in abuse traffic from malicious sources.

Observing changes to your security scores over time provides a good indicator of any unwanted or suspicious activity in the environment.

Security scores are calculated based on your security profile, which specifies the security categories you want your scores to evaluate. You can use Apigee's default security profile, or you can create a custom security profile that includes only the security categories that are most important to you.

Security scores assessment types

There are three assessment types that contribute to the overall security score calculated by Advanced API Security:

Each of these assessment types is assigned a score of its own. The overall score is the average of the scores of the individual assessment types.

How policies affect proxy security scores

For proxy assessments, security scores are based on the policies you are using. How those policies are assessed depends on whether and how they are attached to flows:

  • Only policies that are attached to a flow (preflow, conditional flow, or postflow in proxies, or a shared flow) affect scores. Policies that are not attached to any flow do not affect scores.
  • Proxy scores take into account shared flows a proxy calls via flow hooks and FlowCallout policies in the proxy, provided the FlowCallout policy is attached to a flow. If the FlowCallout is not attached to a flow, policies from its linked shared flow do not affect security scores.
  • Shared flow chaining is not supported. Policies included via shared flow chaining are not assessed when calculating security scores.
  • For policies attached to conditional flows, security scores only take into account whether the policies are present; it does not take into account whether or how the policies are enforced at runtime.

Note: If you add an environment after enabling Advanced API Security, you will need to re-enable it, by running the command shown in Enable Advanced API Security again, to view security scores for the new environment.

Security profiles

A security profile is a set of security categories (described below) that you want your APIs to be scored on. A profile can contain any subset of the security categories. To view security scores for an environment, you first need to attach a security profile to the environment. You can use either Apigee's default security profile, or you can create a custom security profile that contains only the security categories of importance to you.

Default security profile

Advanced API Security provides a default security profile that contains all of the security categories. If you use the default profile, security scores will be based on all the categories.

Custom security profile

Preview — Advanced API Security Custom Profiles

This feature is covered by the Pre-GA Offerings Terms of the Google Cloud Terms of Service. Pre-GA features may have limited support, and changes to pre-GA features may not be compatible with other pre-GA versions. For more information, see the launch stage descriptions.

Support for the Preview launch of Advanced API Security Custom Profiles is available through the Apigee - Google Cloud Community forum.

Custom security profiles let you base your security scores on only those security categories you want included in the score. See Create and edit security profiles to learn how to create a custom profile.

Security categories

Security scores are based on an assessment of the security categories described below.

  • Abuse: Checks for abuse, which includes any requests sent to the API for purposes other than what it is intended for, such as high volumes of requests, data scraping, and abuse related to authorization. Recommendation: See Abuse recommendations.
  • Authorization: Checks to see if you have an authorization policy in place. Recommendation: Add one of the following policies to your proxy:
  • CORS: Checks to see if you have a CORS policy in place. Recommendation: Add a CORS policy to your proxy.
  • MTLS: Checks to see if you have configured mTLS (mutual transport layer security) for the target server. Recommendation: See Target server mTLS configuration.
  • Mediation: Checks to see if you have a mediation policy in place. Recommendation: Add one of the following policies to your proxies:
  • Threat: Checks to see if you have a threat protection policy in place. Recommendation: Add one of the following policies to your proxies:

Limitations on security scores v1

Security scores have the following limitations:

  • You can create up to 100 custom profiles per organization.
  • Security scores are only generated if an environment has proxies, target servers, and traffic.
  • Newly deployed proxies do not immediately show scores.

Data delays

The data that Advanced API Security security scores are based on has the following delays, due to the way the data is processed:

  • When you enable Advanced API Security in an organization, it can take up to 6 hours for the scores for existing proxies and targets to be reflected in an environment.
  • New events related to proxies (deployment and undeployment) and targets (create, update, delete) in an environment can take up to 6 hours to be reflected in the environment's score.
  • Data flowing into the Apigee Analytics pipeline has a delay of up to 15 to 20 minutes on average. As a result, the abuse data used for source scores has a processing delay of around 15 to 20 minutes.

Open the Risk assessment page

The Risk assessment page displays scores that measure the security of your API in each environment.

Note: If you've previously used Risk Assessment v2 with this organization, you'll need to select "Switch to v1" in the upper right to return to using Risk Assessment v1.

It may take a few minutes for the Risk assessment page to load. The page will take longer to load for environments with a high volume of traffic and a large number of proxies and targets.

To open the Risk assessment page:

In the Google Cloud console, go to the Advanced API Security > Risk assessment page.

Go to Risk assessment

This displays the Risk assessment page:

Risk assessment main page.

The page has two tabs, which are described in the following sections:

View security scores

To view security scores, click the Security Scores tab.

Note that no scores are computed for an environment until you attach a security profile, as described in Attach a security profile to an environment. Apigee provides a default security profile, or you can create a custom profile, as described in Create and edit security profiles.

The Security scores table displays the following columns:

Attach a security profile to an environment

To view security scores for an environment, you must first attach a security profile to the environment as follows:

  1. Under Actions, click the three-dot menu in the row for the environment.
  2. Click Attach profile.
  3. In the Attach Profile dialog:
    1. Click the Profile field and select the profile you wish to attach. If you have not created a custom security profile, the only available profile is default.
    2. Click Assign.

When you attach a security profile to an environment, Advanced API Security immediately starts assessing and scoring it. Note that it may take a few minutes for the score to be displayed.

The overall score is calculated from the individual scores in the three assessment types:

  • Source assessment
  • Proxy assessment
  • Target assessment

Note that all scores are in the range 200 - 1200. Higher assessment scores indicate lower security risk.

View scores

Once you have attached a security profile to an environment, you can view the scores and recommendations in the environment. To do so, click the row for the environment in the main Security Scores page. This displays the scores for the environment, as shown below:

Note: It may take a few minutes for the environment scores to load in the Apigee UI. The page will take longer to load for environments with a high volume of traffic and a large number of proxies and targets.

Security scores in an environment.

The view displays four tabs:

Overview

The Overview tab displays the following:

  • Top highlights for each assessment:
    • Proxy: Shows the top recommendation for proxies in the environment. Click Edit Proxy to open the Apigee Proxy Editor, where you can implement the recommendation.
    • Target: Shows the top recommendation for targets in the environment. Click View Target Servers to open the Target Servers tab in the Management > Environments page in the Apigee UI.
    • Source: Shows the detected abuse traffic. Click Detected Traffic to view the Detected traffic tab in the Abuse detection page.
  • Summaries for Source Assessment, Proxy Assessment, and Target Assessment, including:
    • The latest score for each assessment type.
    • The Source Assessment pane displays detected abuse traffic and IP address count.
    • The Proxy Assessment and Target Assessment panes display the risk level for those assessments.
  • Click View Assessment Details in any of the summary panes to see the details for that assessment type.
  • Assessment history, which displays a graph of the daily total scores for the environment over a recent time period, which you can choose to be 3 days or 7 days. By default the graph shows 3 days. The graph also shows the average total score over the same period.

Note that a score is only computed for an assessment type if there is something to assess. For example, if there are no target servers, no score will be reported for Targets.

Source assessment

Click the Source Assessment tab to view the assessment details for the environment.

Source assessment pane.

Click the expand icon to the right of Assessment details to view a graph of the source assessment over a recent time period, which you can choose to be 3 days or 7 days.

The Source pane displays a table with the following information:

Source details

The Source details pane displays details of detected abuse traffic in the environment, including:

To create a security action to deal with issues raised by the source assessment, click the Create Security Action button.

Proxy assessment

The API proxy assessment calculates scores for all proxies in the environment. To view the proxy assessment, click the Proxy Assessment tab:

Proxy assessment pane.

The Proxy pane displays a table with the following information:

  • Proxy: The proxy being assessed.
  • Risk level: The risk level for the proxy.
  • Security score: The security score for the proxy.
  • Needs attention: The assessment categories that should be addressed to improve the score for the proxy.
  • Recommendations: The number of recommendations for the proxy.

Click the name of a proxy in the table to open the Proxy Editor, where you can make recommended changes to the proxy.

Proxy recommendations

If a proxy has a low score, you can view recommendations for improving it in the Recommendations pane. To view the recommendations for a proxy, click in the Needs attention column for the proxy in the Proxy pane.

The Recommendations pane displays:

  • Assessment date: The date and time the assessment was made.
  • The recommendation for improving the score.

Target assessment

The target assessment calculates a mutual transport layer security (mTLS) score for each target server in the environment. Target scores are assigned as follows:

  • No TLS present: 200
  • One-way TLS present: 900
  • Two-way or mTLS present: 1200
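As an added illustration, not code from the Apigee documentation, the following Python classifies a target server by its TLS mode and applies the three scores listed above to produce rows like those in the Target pane. The field names sSLInfo.enabled, clientAuthEnabled, keyStore and keyAlias follow the Apigee TargetServer resource; the sample target servers are constructed, and scoring clientAuthEnabled without a configured keystore as one-way TLS is an assumption of this example.

```python
from typing import Any

# Target scores as listed on this page (added example, not Apigee's own code).
TARGET_SCORES = {"none": 200, "one-way": 900, "mtls": 1200}


def classify_tls(target: dict[str, Any]) -> str:
    """Return 'none', 'one-way' or 'mtls' for a TargetServer resource."""
    ssl = target.get("sSLInfo") or {}
    if not ssl.get("enabled", False):
        return "none"
    # Assumption: mTLS only counts when client auth is on AND a keystore plus
    # key alias hold the client certificate; clientAuthEnabled without a
    # certificate to present is treated as one-way TLS (a misconfiguration).
    if ssl.get("clientAuthEnabled") and ssl.get("keyStore") and ssl.get("keyAlias"):
        return "mtls"
    return "one-way"


def score_target(target: dict[str, Any]) -> dict[str, Any]:
    """One row like the Target pane: name, TLS mode, score, needs attention."""
    mode = classify_tls(target)
    return {
        "target": target["name"],
        "tls": mode,
        "score": TARGET_SCORES[mode],
        # The MTLS category stays flagged until the target reaches the mTLS score.
        "needsAttention": [] if mode == "mtls" else ["MTLS"],
    }


# Constructed sample target servers (not real configuration).
SAMPLE_TARGETS = [
    {"name": "backend-plain", "host": "backend.internal", "port": 8080},
    {"name": "backend-tls", "host": "backend.internal", "port": 443,
     "sSLInfo": {"enabled": True}},
    {"name": "backend-mtls", "host": "backend.internal", "port": 443,
     "sSLInfo": {"enabled": True, "clientAuthEnabled": True,
                 "keyStore": "ref://client-keystore", "keyAlias": "client-cert"}},
    # Edge case: client auth requested but no client certificate configured.
    {"name": "backend-half-mtls", "host": "backend.internal", "port": 443,
     "sSLInfo": {"enabled": True, "clientAuthEnabled": True}},
]


def assess_targets(targets: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Score every target in an environment, lowest (riskiest) score first."""
    return sorted((score_target(t) for t in targets), key=lambda r: r["score"])


if __name__ == "__main__":
    for row in assess_targets(SAMPLE_TARGETS):
        print(f"{row['target']:<18} {row['tls']:<8} {row['score']:>5}  {row['needsAttention']}")
```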

To view the target assessment, click the Target Assessment tab:

Target assessment pane.

The Target pane displays the following information:

  • Target: The name of the target.
  • Risk level: The risk level for the target.
  • Security score: The security score for the target.
  • Needs attention: The assessment categories that should be addressed to improve the score for the target.
  • Recommendations: The number of recommendations for the target.

Click the name of a target in the table to open the Target Servers tab in the Management > Environments page in the Apigee UI, where you can apply the recommended actions to the target.

Target recommendations

If a target server has a low score, you can view recommendations for improving it in the Recommendations pane. To view the recommendations for a target, click in the Needs attention column for the target in the Target pane.

The Recommendations pane displays:

  • Assessment date: The date and time the assessment was made.
  • The recommendation for improving the score.

Create and edit security profiles

To create or edit a security profile, select the Security Profiles tab.

Security profiles tab.

The Security Profiles tab displays a list of security profiles, including the following information:

  • Name: The name of the profile.
  • Categories: The security categories included in the profile.
  • Description: The optional description of the profile.
  • Environments: The environments the profile is attached to. If this column is blank, the profile is not attached to any environments.
  • Last updated (UTC): The last date and time the profile was updated.
  • Actions: A menu with the following items:

View a security profile's details

To view a security profile's details, click its name in the row for the profile. This displays the details of the profile as shown below.

Security profile details.

The first row in the Details tab displays the Revision ID: the latest revision number of the profile. When you edit a profile and change its security categories, the revision ID is increased by 1. However, just changing the profile's description does not increase the revision ID.

The rows below that display the same information shown in the row for the profile in the Security Profiles tab.

The profile details view also has two buttons labeled Edit and Delete, which you can use to edit or delete a security profile.

History

To view the history of the profile, click the History tab. This displays a list of all revisions of the profile. For each revision, the list displays:

  • Revision ID: The revision number.
  • Categories: The security categories included in that revision of the profile.
  • Last updated (UTC): The date and time in UTC when the revision was created.

Create a custom security profile

Preview — Advanced API Security Custom Profiles

This feature is covered by the Pre-GA Offerings Terms of the Google Cloud Terms of Service. Pre-GA features may have limited support, and changes to pre-GA features may not be compatible with other pre-GA versions. For more information, see the launch stage descriptions.

Support for the Preview launch of Advanced API Security Custom Profiles is available through the Apigee - Google Cloud Community forum.

To create a new custom security profile:

  1. Click Create at the top of the page.
  2. In the dialog that opens, enter the following:
    • Name: The name of the profile. The name must consist of 1 to 63 lowercase letters, numbers, or hyphens, and must start with a letter and end with a letter or number. The name must be different from the name of any existing profile.
    • (Optional) Description: A description of the profile.
    • In the Categories field, select the assessment categories you want to include in the profile.

Edit a custom security profile

To edit a custom security profile:

  1. At the end of the row for the security profile, click the Actions menu.
  2. Select Edit.
  3. In the Edit security profile page, you can change:
    • Description: The optional description of the security profile.
    • Categories: The security categories selected for the profile. Click the drop-down menu and change the selected categories by selecting or deselecting them in the menu.
  4. Click OK.

Note: When you edit a security profile and change its security categories, the Revision ID (see View a security profile's details) is increased by 1, and the new revision of the profile is displayed in the History tab of the profile details view.

However, if you only change the profile's description, the Revision ID stays the same.

Delete a custom security profile

To delete a security profile, click Actions at the end of the row for the profile and select Delete. Note that deleting a profile also detaches it from all environments.

Abuse recommendations

If the source score is low, Apigee recommends that you review the IPs for which abuse has been detected. Then, if you agree that the traffic from those IPs is abusive, use the Security actions page to block requests from IP addresses that are sources of abuse traffic.

To get more information about the abuse, you can use either of the following resources:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.