10 More on API consistency: Custom linting and security checks


This chapter covers

  • Writing custom linting functions
  • Running OWASP API linting checks
  • Validating API requests and responses in the gateway
  • Generating OpenAPI from traffic

Having automated ways of keeping your APIs compliant with your API style guide is important: it maintains an easy-to-use and secure experience for the developers integrating with your APIs. API linting is a big part of maintaining that API consistency at design time. In chapter 3, I introduced API linting and discussed how to write custom linting rules in Spectral using its built-in functions. But the core functions that come with a linting tool can only take you so far. When a rule from your API style guide cannot be expressed with the built-in functions, you need to write a custom function. In this chapter, I discuss creating custom functions.

Another aspect of API consistency that you need to keep in mind is API security. Your API style guide should have guidelines on how to design secure APIs. And if it doesn’t, you need to update the style guide! In this chapter, I discuss some common security threats APIs face and how you can run linting checks to catch aspects of them at design time. I also touch on how you can ensure that you integrate security into every aspect of your application development life cycle.
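To show the shape of a Spectral custom function before the chapter walks through writing one, here is an added example (not code from the book or from Spectral's own rulesets). It uses the plain `(targetVal, options, context)` signature Spectral passes to a custom function and returns `{ message, path }` results; the rule it implements, flagging operations that resolve to no security requirement, maps to API2:2023 Broken Authentication. The `x-public` extension and the sample document are assumptions constructed for the example.

```javascript
// Added example: a Spectral-style custom function (not code from the book).
// Spectral calls a custom function as fn(targetVal, options, context) and expects
// an array of { message, path } results. With `given: "$"` in the ruleset the
// function receives the whole OpenAPI document, so `path` is absolute.
// Rule idea (API2:2023, Broken Authentication): every operation must resolve to a
// non-empty security requirement, either its own or the document-level default.
// Public operations are allowlisted with the hypothetical extension `x-public: true`.

const HTTP_METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];

function operationMustRequireAuth(doc, options = {}, context = {}) {
  const results = [];
  const docSecurity = Array.isArray(doc.security) ? doc.security : [];
  const paths = doc.paths || {};

  for (const [route, item] of Object.entries(paths)) {
    for (const method of HTTP_METHODS) {
      const op = item[method];
      if (!op || op["x-public"] === true) continue;
      // An operation-level `security` (even `[]`) overrides the document default.
      const effective = Array.isArray(op.security) ? op.security : docSecurity;
      // `[{}]` is an empty requirement object, which also means "no auth needed".
      const requiresAuth = effective.some((req) => Object.keys(req).length > 0);
      if (!requiresAuth) {
        results.push({
          message: `${method.toUpperCase()} ${route} has no security requirement; add one or mark it x-public`,
          path: ["paths", route, method],
        });
      }
    }
  }
  return results;
}

// Constructed sample document for a stand-alone run.
const SAMPLE_DOC = {
  openapi: "3.0.3",
  security: [{ bearerAuth: [] }],
  paths: {
    "/health": { get: { "x-public": true } },        // allowlisted: no finding
    "/orders": { get: {}, post: { security: [] } },  // POST opts out: finding
    "/orders/{id}": { delete: { security: [{}] } },  // empty requirement: finding
  },
};

const SAMPLE_FINDINGS = operationMustRequireAuth(SAMPLE_DOC);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2)); // two findings: POST /orders, DELETE /orders/{id}
```

In a ruleset you would reference this file under `functions` and call it from a rule with `given: "$"`, so the returned `path` values point Spectral at the offending operation.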

10.1 The need for custom functions

10.1.1 Searching for reusable rules

10.1.2 Writing a test for your linting rule

10.1.3 Writing the custom rule

10.1.4 Defining the custom function

10.1.5 Notes on writing custom functions

10.2 Automated security review of your API definitions

10.2.1 Introducing API Security

10.2.2 API1:2023 - Broken Object Level Authorization

10.2.3 API2:2023 - Broken Authentication

10.2.4 API3:2023 - Broken Object Property Level Authorization

10.2.5 API4:2023 - Unrestricted Resource Consumption

10.2.6 API5:2023 - Broken Function Level Authorization

10.2.7 API6:2023 - Unrestricted Access to Sensitive Business Flows

10.2.8 API7:2023 - Server-Side Request Forgery

10.2.9 API8:2023 - Security Misconfiguration

10.2.10 API9:2023 - Improper Inventory Management