Chapter 2. Secure API development

Chapter 2 from API Security in Action by Neil Madden

This chapter covers

  • Setting up an example API project
  • Secure development principles
  • Common attacks against APIs
  • Input validation and producing safe output

I’ve so far talked about API security in the abstract, but in this chapter you’ll dive in and look at the nuts and bolts of developing an example API. I’ve written many APIs in my career and now spend my days reviewing the security of APIs used for critical security operations in major corporations, banks, and multinational media organizations. Although the technologies and techniques vary from situation to situation and from year to year, the fundamentals remain the same. In this chapter you’ll learn how to apply basic secure development principles to API development, so that you can build more advanced security measures on top of a firm foundation.

2.1 The Natter API

You’ve had the perfect business idea. What the world needs is a new social network. You’ve got the name and the concept: Natter – the social network for coffee mornings, book groups, and other small gatherings. You’ve defined your minimum viable product, somehow got some funding, and now need to put together an API and a simple web client. You’ll soon be the new Mark Zuckerberg, rich beyond your dreams, and considering a run for President.

2.2 Developing the REST API

2.3 Wiring up the REST endpoints

2.4 Injection attacks

2.5 Input validation

2.6 Producing safe output

2.7 What hasn’t been covered

2.8 Summary