Net API Notes for 2021/10/27 - Issue 179
API Security, HTTP/3, and Style Guides - each of these things, on their own, can be complex topics. However, this week I've got several experts who do a masterful job of showing that navigating these significant areas is not only possible but necessary.
To the notes!
Net API Notes is a regular, hand-curated digest of impactful news and analysis for busy API practitioners. Are you reading this on the web and not subscribed yet? Sign up today and be the first to get ad-free, actionable info delivered weekly to your inbox.
NOTES
TAKING CHARGE OF THE API SECURITY LIFECYCLE
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
The number of API breaches that I mention in this newsletter is, unfortunately, trending upwards. However, so are articles on how to deal with those issues. Omer Primor goes beyond techniques for securing a single API and, instead, looks at the entire API development lifecycle.
"To achieve greater collaboration, centralization and consistency, API security can’t be viewed in isolation. Protecting APIs during runtime isn’t enough, and testing APIs during design isn’t enough. Each would give a fragmented perspective that risks both high false positives and false negatives, and most importantly – won’t enable security and development teams to be on the same page and share the responsibility."
Omer proposes that companies serious about security should incorporate security controls across the API lifecycle.
HTTP/3 AND THE FUTURE OF APIS
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
You'd be forgiven if you weren't aware that HTTP/2 was available for your REST-ish Net APIs. Released in 2015, its efforts to reduce latency with better request and response multiplexing, compression of HTTP header fields, and server push were largely lost on API developers.
So why would HTTP/3 be any different? Erik Wilde covers that and more in his piece on the Axway blog. A highlight of that article is a video that Erik recorded with Robin Marx.
HTTP/3 changes some of the constraints of HTTP, meaning that API designers and developers can take advantage of these improved capabilities of the HTTP protocol stack. If you're looking to learn more, this is a great place to start.
INCREASING STYLE GUIDE ADOPTION
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Style guides are a common tactic for any enterprise API governance program. But just creating a list of guidelines and publishing them somewhere is not enough. James Higginbotham goes into detail about increasing usage in his piece, "How to increase adoption of an API Style Guide".
I appreciate James's encouragement for style guide proponents to start small. I know how tempting it is to be comprehensive, attempting to address multiple problem areas in one fell swoop. However, as I wrote about, any change will be met with resistance, and the amount of resistance is proportional to the size of the change proposed. In other words, development teams are much more likely to accept and implement small, incremental requirements than they are to have the API equivalent of Robert's Rules of Order dropped on them.
MILESTONES
- The Web Platform Incubator Community Group (WPIC) has published a report for the HTML Sanitizer API. The HTML Sanitizer API lets developers take untrusted strings of HTML and sanitize those strings for safe insertion into a document’s DOM, helpful in avoiding cross-site scripting (XSS) attacks.
- Back in note #127, I mentioned Istio and their choice of monolith over microservices. Their story has now been captured in an IEEE paper.
- Gartner has published a new job description for API Product Managers. Suffice it to say, managing an API product is a bit different than other types of software product management.
- API gateway and service mesh company Solo.io raises $135M.
WRAPPING UP
The LinkedIn API and Web Services Professional Group continues to grow. The community continues to share job opportunities and discuss the latest news. We'd love to see you there.
I've also updated the list of upcoming API meetups and events. One positive from the global pandemic is that many of these are now available to anyone anywhere in the world. Check it out.
Finally, thank you to my Patreons! Their support helps keep this newsletter free of advertising, information selling, and paywalls for everyone's benefit.
Till next time, Matthew
@libel_vox and matthewreinbold.com
While I work at Postman, whose sock swag elicited my mother's notice, the opinions presented above are mine.