Net API Notes for 2021/09/15 - Issue 175
Net API Notes is a regular, hand-curated digest of impactful news and analysis for busy API practitioners. Are you reading this on the web and not subscribed yet? Sign up today and be the first to get ad-free, actionable info delivered weekly to your inbox.
Hey there! I'm having a great week, and I hope that you are, too. And if you're not, maybe this latest round of notes helps take your mind off the troubling bit for a moment (or three).
Let's get into it.
NOTES
AVOIDING RECENT SECURITY GAFFES
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
There have been several API security-related snafus in the news lately. Whether we're talking about Microsoft, Cisco, or Valve (the company behind the popular game portal, Steam), each mistake provides an opportunity for us, as an industry, to reflect and do better.
Joseph Krull does that in his piece, "Some Recent API Security Related Gaffes, And How They Might Have Been Avoided". The odd "Mission Impossible" style super hack does occur. Unfortunately, most of these problems are well known enough to be listed, along with their remediation, in the OWASP Top 10 (and in its API-specific sibling, the OWASP API Security Top 10). The lesson for practitioners is less about exotic attacks and more about consistently applying the basics: authentication and object-level authorization on every endpoint, and no trust in client-supplied identifiers.
DREAM11'S LESSONS FROM RUNNING GRAPHQL AT SCALE
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Dream11 is an Indian fantasy sports platform. On their engineering blog, the team has posted a comprehensive set of lessons learned. Real-world experience always gets my attention, doubly so when those lessons feature GraphQL deployed at scale.
How big a scale? According to the post, they had 13 thousand EC2 instances serving GraphQL queries at one point. I always assumed that retail had incredibly bursty traffic due to seasonal trends (Cyber Monday, for example). However, my experience seems dwarfed by the crush of fantasy players during a championship final.
There are lots of infrastructure and architecture lessons to be learned.
UNIFYING API DESIGN, DEVELOPMENT LANGUAGES
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
I review lots of articles for inclusion in the notes in any given week. These are almost entirely from the backend developer perspective. Imagine my surprise, then, when I came across this front-end designer piece by Nathan Curtis entitled "Crafting Component API, Together".
What Nathan advocates for is a unification of properties across code and design tools. In larger design shops, design systems have become a way to organize common interaction patterns. Tools like Figma allow designers to connect backend API properties to front-end representations. The challenge, as Nathan points out, comes when the models of how a system works diverge.
I do worry about the coupling that is suggested between models. Allowing for "translation" between models is one of the strengths of an API abstraction, not a weakness. However, I remain taken with how designing an API for designer tools might change how things are represented. That reframing is rare enough to warrant a second look.
MILESTONES
- Do you use Travis CI for your continuous integration? If so, I have some bad news. It seems that for a week, secure environment variables for all public repositories were exposed. This includes signing keys, access credentials, and API tokens. The leak has (hopefully) been plugged. If you are affected, be sure to rotate pronto: every secret that was stored as a secure variable in a public repository during that window should be treated as compromised, and it is worth reviewing the audit logs of the services those credentials unlock for unexpected use.
- Neosec, an API security startup, emerges from stealth with a nearly $21M investment.
- OOooooh - this is interesting: there's a new IETF draft proposal for a new SEARCH HTTP method. 'Login' and 'Search' on an overloaded POST method were always contradictions #1 and #2 when training resource design.
WRAPPING UP
I've been (slowly) building up my series for aspiring change agents. The latest piece, "How to Create Compelling Stories for Systems Change," is over on my blog. Do you frequent Medium or Dev.to? I've started republishing there, as well. Likes, reactions, comments, and even catcalls are welcome.
APIDays Australia is going on as I write this. The ASC 2021 event is just around the corner. For these and other conferences, check out Net API Events. Do you have an event that should be added? Let me know.
Lastly, a thank you to my Patreons, including the newest supporter, Jon! Everybody, if you could give Jon a high-five the next time you see him (or a socially responsible set of finger pistols), that would be great. Folks like Jon are the reason this newsletter is free of advertising, information selling, or paywalls. Thank you.
Till next time, Matthew
@libel_vox and matthewreinbold.com
While I work at Postman, a Wonkaesque portmanteau of postulate and manicure, the opinions presented above are mine.