Net API Notes for 2021/02/10 - Issue 153
Rally the camels and pop the sparkling soda! It's Wednesday! And that must mean it's time for another Net API Notes! On deck we have not one, but TWO pieces on API security. But first, a bit about boundaries.
NOTES
TROND HJORTELAND ASKS WHY BIG BALLS OF MUD STILL EXIST
Any API architect around for any amount of time will talk about the importance of good boundaries. However, despite their importance, big balls of mud remain the norm.
Trond explores this paradox in his slide deck, "Good Fences Make Good Neighbours". As Trond explains in his description:
"this talk will help you piece together all of the good modularisation practices and understand the theory behind them, improving your holistic system design skills, and enabling you to create requisite coherence in your designs."
Great stuff. And if you're interested in reading more about the 'Big Ball of Mud' phenomenon, see Brian Foote's 1997 whitepaper on the subject.
AVOIDING GRAPHQL SECURITY PITFALLS
GraphQL has its advantages. However, because it routes every operation through a single endpoint, typically as a POST, it sidesteps the per-endpoint observability and access-control conventions that REST-ish API shops are used to.
Himasha Guruge recently shared GraphQL APIs: Avoiding Security Pitfalls. As Himasha notes, traditional endpoint-based access controls fail when every request goes to the same endpoint. Pushing access control down into the business-logic layer feels like a step backward to anyone used to enforcing it at a modern gateway. Thankfully, API management tools are increasingly able to use OAuth scopes for this job.
Throttling is another area where REST-ish approaches are an ill fit. The complexity of a single query can be just as dangerous as the rate at which queries arrive, so limiting the request count alone is not sufficient protection. Himasha explains why both query depth and query complexity need limits of their own.
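To make the depth and complexity point concrete, here is an added example (my code, not from the article or from Himasha's post) that gates a GraphQL operation on both measures before it reaches the resolvers. The tiny tokenizer and parser exist only so the block runs without the `graphql` package; a production server would walk the AST graphql-js already produces. The sample queries, the limits and the `first`/`last` page-size convention for multiplying child cost are all assumptions made for the demo.

```javascript
// Added example (not the article's or Himasha Guruge's code): depth and
// complexity limits for GraphQL operations, with a minimal parser so the
// block runs stand-alone. A real server would use graphql-js's AST.

// Split a query into the tokens we care about: braces, parens, colons,
// names (optionally $variables), integers and quoted strings. Anything
// else (commas, '!', '=', brackets) is dropped.
function tokenize(src) {
  return src.match(/[{}():]|\$?[A-Za-z_][A-Za-z0-9_]*|-?\d+|"[^"]*"/g) || [];
}

// Recursive-descent parse of a selection set starting at tokens[pos] === '{'.
// Supports aliases and flat scalar arguments; list/object argument values
// are out of scope for this demo.
function parseSelectionSet(tokens, pos) {
  if (tokens[pos] !== '{') throw new Error('expected { at token ' + pos);
  pos += 1;
  const fields = [];
  while (tokens[pos] !== '}') {
    if (pos >= tokens.length) throw new Error('unterminated selection set');
    let name = tokens[pos++];
    if (tokens[pos] === ':') { pos += 1; name = tokens[pos++]; } // alias: field
    const args = {};
    if (tokens[pos] === '(') {
      pos += 1;
      while (tokens[pos] !== ')') {
        const argName = tokens[pos++];
        if (tokens[pos++] !== ':') throw new Error('expected : after argument ' + argName);
        args[argName] = tokens[pos++];
      }
      pos += 1;
    }
    let children = [];
    if (tokens[pos] === '{') {
      const sub = parseSelectionSet(tokens, pos);
      children = sub.fields;
      pos = sub.pos;
    }
    fields.push({ name, args, children });
  }
  return { fields, pos: pos + 1 };
}

// Skip an optional "query Name($v: Type)" header and parse the body.
function parseQuery(src) {
  const tokens = tokenize(src);
  let pos = 0;
  if (['query', 'mutation', 'subscription'].includes(tokens[pos])) {
    pos += 1;
    if (tokens[pos] !== '{' && tokens[pos] !== '(') pos += 1; // operation name
    if (tokens[pos] === '(') { // variable definitions, skipped wholesale
      while (pos < tokens.length && tokens[pos] !== ')') pos += 1;
      pos += 1;
    }
  }
  return parseSelectionSet(tokens, pos).fields;
}

// Depth: longest chain of nested selections. Caps the classic abuse where a
// circular schema (user -> friends -> user -> ...) is nested hundreds deep.
function queryDepth(fields) {
  let max = 0;
  for (const f of fields) max = Math.max(max, 1 + queryDepth(f.children));
  return max;
}

// Complexity: every field costs 1, and a list field's children are multiplied
// by its requested page size (first/last, assumed convention), so a short query
// that fans out 100 x 50 is priced as the work it actually makes resolvers do.
function queryComplexity(fields, variables) {
  let total = 0;
  for (const f of fields) {
    const raw = f.args.first !== undefined ? f.args.first : f.args.last;
    let factor = 1;
    if (raw !== undefined) {
      const value = raw.startsWith('$') ? variables[raw.slice(1)] : raw;
      if (value === undefined) throw new Error('unbound variable ' + raw);
      factor = Number(value);
      if (!Number.isInteger(factor) || factor < 0) throw new Error('bad page size ' + raw);
    }
    total += 1 + factor * queryComplexity(f.children, variables);
  }
  return total;
}

// Gate an operation before execution. Returns the measured values so a
// rejection can be logged with the numbers that caused it.
function checkQuery(src, limits, variables = {}) {
  let fields;
  try { fields = parseQuery(src); } catch (e) { return { ok: false, reason: 'parse error: ' + e.message }; }
  const depth = queryDepth(fields);
  if (depth > limits.maxDepth) return { ok: false, depth, reason: 'depth ' + depth + ' exceeds ' + limits.maxDepth };
  let complexity;
  try { complexity = queryComplexity(fields, variables); } catch (e) { return { ok: false, depth, reason: e.message }; }
  if (complexity > limits.maxComplexity) return { ok: false, depth, complexity, reason: 'complexity ' + complexity + ' exceeds ' + limits.maxComplexity };
  return { ok: true, depth, complexity };
}

// Constructed sample operations and limits (hypothetical schema).
const LIMITS = { maxDepth: 6, maxComplexity: 2000 };
const NORMAL_QUERY = 'query Me { viewer { login repositories(first: 10) { name } } }';
const DEEP_QUERY = '{ user { friends { user { friends { user { friends { user { name } } } } } } } }';
const FANOUT_QUERY = '{ viewer { repositories(first: 100) { issues(first: 50) { title } } } }';
const VAR_QUERY = 'query Users($n: Int) { users(first: $n) { name } }';
// checkQuery(FANOUT_QUERY, LIMITS) -> { ok: false, depth: 4, complexity: 5102, reason: ... }
```

Note that a rate limiter would have let every one of these through as a single request; only the per-query cost tells `FANOUT_QUERY` (four levels deep, but 100 x 50 list expansions) apart from `NORMAL_QUERY`. Unresolved variables are rejected rather than assumed small, since a client controls them.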
NOXPLAYER UPDATE API HACKED TO LOAD MALWARE
NoxPlayer is an Android emulator for PCs and Macs. Gamers, for example, use it to broadcast mobile games on a platform like Twitch. Unfortunately, security researchers from ESET discovered that its API was delivering malware instead of regular software updates.
So what happened? APIsecurity.io has not only a writeup of the incident but also a proposed fix. They show why data validation is necessary not only for API requests but for API responses too: in this case, checking the update URLs returned by the API against a strict pattern (a regular expression) could have stopped the client from fetching the malicious download.
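As an added example of the response-side validation being recommended (my code, not from the article, ESET or APIsecurity.io), the block below puts a loose regex check beside a hardened one that parses the URL and checks each component exactly, then validates a whole update manifest. The vendor hostnames, installer path layout, response shape and sample responses are all hypothetical, not NoxPlayer's real update protocol.

```javascript
// Added example (not code from the article, ESET, APIsecurity.io or the
// NoxPlayer project): validating what an update API returns before the
// client acts on it. Hostnames, paths and response fields are hypothetical.

// Exact hostnames the client will download from; no wildcards, no suffix match.
const ALLOWED_HOSTS = new Set(['updates.example-vendor.com', 'cdn.example-vendor.com']);
// Expected installer path shape, e.g. /nox/7.0.1/NoxPlayer-7.0.1.exe
const ALLOWED_PATH = /^\/nox\/\d+\.\d+\.\d+\/[A-Za-z0-9._-]+\.(exe|dmg)$/;

// The weak version: a loose regex on the raw string. It "checks for the
// vendor domain" but matches it anywhere, so an attacker-controlled URL that
// merely mentions the domain passes.
function weakUrlCheck(url) {
  return /^https?:\/\/.*example-vendor\.com/.test(url);
}

// The hardened version: parse first, then check every component exactly.
function validateUpdateUrl(url) {
  let u;
  try { u = new URL(String(url)); } catch (e) { return false; }
  if (u.protocol !== 'https:') return false;                 // no plaintext downloads
  if (u.username !== '' || u.password !== '') return false;  // "vendor.com@evil" tricks
  if (u.port !== '') return false;                           // default port only
  if (!ALLOWED_HOSTS.has(u.hostname)) return false;          // exact host match
  if (!ALLOWED_PATH.test(u.pathname)) return false;          // WHATWG parsing already resolved ".."
  if (u.search !== '' || u.hash !== '') return false;        // no extra parameters
  return true;
}

// Validate the whole update manifest. Returns a list of problems; an empty
// list means the client may proceed to download. The sha256 only guards the
// transfer: if the API itself is compromised the attacker picks the hash too,
// so the downloaded binary should still be checked against a publisher
// signature before it is executed.
function validateUpdateResponse(body) {
  const errors = [];
  if (typeof body !== 'object' || body === null) return ['response is not an object'];
  if (!/^\d+\.\d+\.\d+$/.test(String(body.version))) errors.push('version is not x.y.z');
  if (!validateUpdateUrl(body.url)) errors.push('download url rejected: ' + String(body.url));
  if (!/^[0-9a-f]{64}$/.test(String(body.sha256))) errors.push('sha256 is not 64 hex chars');
  return errors;
}

// Constructed responses standing in for what a client might receive.
const GOOD_RESPONSE = {
  version: '7.0.1',
  url: 'https://updates.example-vendor.com/nox/7.0.1/NoxPlayer-7.0.1.exe',
  sha256: 'a'.repeat(64), // placeholder digest, constructed for the demo
};
const TAMPERED_RESPONSE = {
  version: '7.0.2',
  url: 'https://evil.example/payload.exe?from=updates.example-vendor.com',
  sha256: 'b'.repeat(64),
};
// weakUrlCheck(TAMPERED_RESPONSE.url) -> true; validateUpdateUrl(TAMPERED_RESPONSE.url) -> false
```

The regex alone is the easy part to get wrong: `weakUrlCheck` accepts the tampered URL because the vendor's domain appears in the query string. Parsing with the platform URL parser and then comparing hostname, scheme, userinfo, port and path separately is what actually pins the download to the expected origin.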
MILESTONES
- Google announced the launch of Apigee X, the latest release of their API management platform. The notable factoid here is that Apigee saw API calls up 47% last year, despite the pandemic. Why the X? Because Apigee just celebrated its ten-year anniversary.
- Kong closed a $100 million series D round led by Tiger Global.
- Stoplight.io announced a round of funding.
- 42Crunch, an API security firm, also received an investment from Adara Ventures.
- Vonage has joined the OpenAPI Initiative.
- Visa has announced a pilot program of APIs to offer a variety of Bitcoin-based services. In related news, Bitcoin now consumes more energy than Argentina and is fast approaching Norwegian levels of latterlighet (ridiculousness).
WRAPPING UP
That's it! Another week for the archives.
Thank you for reading this far. Also, thanks to the Patreon supporters! With your support, this newsletter continues to be ad- and paywall-free for the benefit of others.
Till next time,
Matthew @libel_vox and matthewreinbold.com