Net API Notes for 2021/11/17 - Issue 182

In this issue, I share an incredible piece on using API First and Mocking to break critical path dependencies, talk API security, and encourage the mapping of API ecosystems. That sounds like a lot, so let's get into it! Here are this week's Net API Notes.

Net API Notes is a regular, hand-curated digest of impactful news and analysis for busy API practitioners.




Wojciech Bulaty wrote a piece on InfoQ that checks quite a few of my boxes. In "Using API-First Development and API Mocking to Break Critical Path Dependencies", Wojciech not only discusses a helpful technique, but backs it with a case study, shares a spreadsheet for others to use, AND addresses how others can get started! That's like winning bingo and tic-tac-toe in the same sitting!

The piece starts with an observation from an organization using gRPC. Wojciech noticed that too many teams had to wait for one another to finish their gRPC microservices before beginning work themselves. This led to blocked timelines between groups, which meant the startup couldn’t deliver at the fast pace required for their customers.

The solution involved gRPC API mocking. Their custom mocks supported complex message schemas and the latest protocol features. This mocking allowed both the producer and consumer of the gRPC APIs to parallelize efforts. Based on the experience, Wojciech then created a spreadsheet that generates an estimated ROI for parallelizing work.

Are mocks always the answer? Not exactly. As Wojciech points out, mocks are most impactful when used on work in the critical path - those pieces that have the largest number of dependencies. Leveraging mocks here results in the most prominent time savings.

Perhaps most crucially, individual teams can benefit from mocks right now, rather than requiring the entire organization to buy in all at once. It is a fantastic example of running many small (but valuable) experiments that I described in my recent piece on digital transformation.



Sometime in December, I'll have to share my 2022 API predictions. It should come as no surprise that API security will be a significant, continuing emphasis. During that time, we're most likely going to see lots more articles like Tom Hudson's "Five Common Mistakes Developers Make With API Security".

I'm not crazy about the proposed solution for all five issues: "more vigilance while sanitizing inputs!". However, by raising awareness of specific problems, we can begin to take a big, scary, and ambiguous security hairball and tease out some approachable threads.

Briefly, Tom's five common mistakes are:

  • Exposing Additional API Endpoints That Are Not Required for the Functionality of the Application
  • Enforcing Validation Through the API Rather Than the Client Application
  • Dropping the Ball on Authorization
  • CORS Misconfiguration
  • Path Traversal

For more on API security, Security Boulevard has a piece that draws on OWASP's recommendations to argue that API security is a unique beast that requires special handling:

"There is little repeat of issues described in the API Security Top 10 that overlap with the Application Security Top 10, reinforcing the fact that APIs must be treated uniquely and not just as a subset of applications"



API Ecosystems are complex. But mapping where your organization is and which direction you want to move in doesn't have to be. Over on the Postman blog, I've shared "How to Improve API Ecosystems with Mapping". As I've worked with customers of all sizes, I've found that this is a helpful technique for aligning API leadership and forging a shared vision of where to invest future efforts. Have you tried something similar, like James Higginbotham's API Compass? If so, I'd love to hear what was tried and how it went.

Also, check out the nearly 3000 folks on the LinkedIn API and Web Services Professional Group. Lots of great stuff is posted there throughout the week. And if you're looking for events, give a look.

Finally, a big thank you and welcome to Asbjørn, the latest Net API Notes Patreon! Fine folks like Asbjørn ensure that this newsletter remains free of advertising, information selling, or paywalls. Because of that generosity, everyone wins!

Till next time, Matthew

@libel_vox and

While I work at Postman, publisher of API-themed, hardbacked graphic novels, the opinions presented above are mine.
