1 What is API security?


This chapter covers

  • What is an API?
  • What makes an API secure or insecure?
  • Defining security in terms of goals
  • Identifying threats and vulnerabilities
  • Using mechanisms to achieve security goals

Application Programming Interfaces (APIs) are everywhere. Open your smartphone or tablet and look at the apps you have installed. Almost without exception, those apps are talking to one or more remote APIs to download fresh content and messages, poll for notifications, upload your new content, and perform actions on your behalf.

Load your favorite web page with the developer tools open in your browser, and you’ll likely see dozens of API calls happening in the background to render a page that is heavily customized to you as an individual (whether you like it or not). On the server, those API calls may themselves be implemented by many microservices communicating with each other via internal APIs.

Increasingly, even the everyday items in your home are talking to APIs in the cloud, from smart speakers like Amazon Echo or Google Home to refrigerators, electricity meters, and lightbulbs. The Internet of Things (IoT) is rapidly becoming a reality in both consumer and industrial settings, powered by ever-growing numbers of APIs in the cloud and on the devices themselves.

1.1 An analogy: Taking your driving test

1.2 What is an API?

1.2.1 API styles

1.3 API security in context

1.3.1 A typical API deployment

1.4 Elements of API security

1.4.1 Assets

1.4.2 Security goals

1.4.3 Environments and threat models

1.5 Security mechanisms

1.5.1 Encryption

1.5.2 Identification and authentication

1.5.3 Access control and authorization

1.5.4 Audit logging

1.5.5 Rate-limiting

Answers to pop quiz questions