John Phenix proposes automating API governance at HSBC to improve the developer experience and ensure consistency. He outlines five tips: 1) Govern only real risks, not preferences; 2) Ensure governance scales with development; 3) Shift governance left to catch issues earlier; 4) Transition from reviewing correctness to reviewing appropriateness; 5) Automate as much as possible while still involving people. Phenix advocates a hybrid centralized-federated model and using tools to automate reviews, integrate with CI/CD, and provide dashboards. Example rules cover security, operations, and style standards.

1. Date: June 2020
Prepared by: John Phenix
Chief API Architect, HSBC Commercial Bank
Automating API Governance
PUBLIC

2. 1
1
HSBC - The World’s Leading International Bank
39million
customers
3,900 offices
65
countries & territories
Present in
Reported Revenue
$53.8bn 254PB of data
Data Centres in 21
countries
96,600+ Servers
$1.5 Trillion
Daily payments processed
235,000
people around the world
46,000 IT Professionals $2.5bn Run / $3.3bn Change (cash)
PUBLIC

3. 2
Challenge
PUBLIC
How to make API governance an accelerator
instead of a brake?

4. 3
Apple’s iOS Standards and Governance platform produces a consistent, market leading App experience
Why HSBC needs API Standards and Governance – an example from Apple
PUBLIC

5. 4
HSBC’s API Standards and Governance platform will produce a consistent, market leading API developer experience
Why HSBC needs API Standards and Governance
Governance
PUBLIC
Governance

6. 5
Tip 1: What to Govern?
PUBLIC
Security Operations Reputation
As little as possible!The minimum needed to deliver value and
manage risks
Tip 1: Focus governance on real risks rather than personal preferences

7. 6
Comprehensive
Tip 2: What does good look like?
PUBLIC
Scalable Consistent
Evidenced
Tip 2: Good governance scales to meet delivery cadence

8. 7
Visibility
Tip 3: Where to invest effort
PUBLIC
Tools Training
Automation
Tip 3: Shift left – make it easier to fall into success

9. 8
Tip 4a: Pick your style - Centralised
Small team(s) of API SMEs who manually review APIs.
You can duplicate the ARB (API Review Board) in different
geographies.
Scalable
Consistent
Comprehensive
Evidenced
PUBLIC

10. 9
Tip 4b: Pick your style - Federated
API Champions from every region and major project to enforce
standards locally and escalate non-compliance.
Scalable
Consistent
Comprehensive
Evidenced
PUBLIC

11. 10
Tip 4c: Pick your style - Automated
Speed and safety at scale requires an automated approach.
Scalable
Consistent
Comprehensive
Evidenced
PUBLIC

12. 11
Tip 4c: Pick your style -– Hybrid
Focus manual reviews on exceptions and qualitative analysis.
Scalable
Consistent
Comprehensive
Evidenced
PUBLIC
Tip 4: Move from “Are we building APIs right?” to “Are we building the right APIs?”

13. 12
Tip 5: How to automate
Audit Trail
API
Engineers
Governance
Engineers
Batch
Rules Setup
CI/CD Pipeline
CAGE UI
Repository
Rules
Lead
Architects
Certification
Dashboard
CAGE
PUBLIC

14. 13
Peer Reviews
Tip 5: How to automate
PUBLIC
Building APIs Right Building the Right APIs
Training
Tip 5: Automate as much as you can, but you still need people

15. 14
5 Governance Tips
Q1: What to govern
Q2: What does good look like
Q3: Where to invest effort
Q4: How to pick your style
Q5: How to automate
PUBLIC
Tip 1: Focus governance on real risks rather than personal preferences
Tip 2: Good governance scales to meet delivery cadence
Tip 3: Shift left – make it easier to fall into success
Tip 4: Move from “Are we building APIs right?” to “Are we building the right APIs?”
Tip 5: Automate as much as possible, but you still need people

16. 15
Example Rules
Security:
• Sensitive info in query parameters
• Standard headers
• Security policies
Operations:
• Naming standard
• Published to API Repository
• Versioning
• Check for duplicate APIs
• Health endpoint
Style:
• camelCase, PascalCase and snake-case
• Always return 2xx, 4xx and 5xx
• Misuse of HTTP verbs
• Plural nouns for resource collections
• Example request and response schemas
PUBLIC

17. 16 PUBLIC