Net API Notes for 2021/12/02 - Issue 183
In this issue, I've got a great guide on practical API design, a pair of API security references, and some microservice food-for-thought. So grab that leftover turkey, make yourself a sandwich, and let's enjoy a tasty side of notes.
Net API Notes is a regular, hand-curated digest of impactful news and analysis for busy API practitioners. Are you reading this and not subscribed yet? Sign up today and be the first to get ad-free, actionable info delivered directly to your inbox.
NOTES
PRACTICAL API DESIGN
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Recently, Ronnie Mitra's 2019 GOTO conference slide deck resurfaced. Typically, I reserve room in my notes for folks sharing new and compelling work. However, "Practical API Design" holds such a host of excellent thoughts that keeping it circulating seemed like a good idea; if I hadn't seen it before, chances are others might not have either.
What I specifically enjoyed was Ronnie's rules of thumb for resolving API design decisions. Having a series of logical, easy-to-understand questions to tease out what matters is clutch in a challenging design situation.
HOW TO PERFORM AN API RISK ASSESSMENT
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
According to Salt Security's reporting, malicious API traffic has grown nearly 350% in the last six months alone. Companies must have a holistic plan for approaching API security, and that growth makes a pair of articles for gauging your API situation especially timely.
First, Akana shared a straightforward plan on how to perform an API Risk Assessment.
If this is an area of emphasis, I'd encourage folks to read the entire article. But, to generalize, your risk assessment should include:
- Application of cloud configuration settings
- Implementation of access policies (for some perspective, check out this Twitter thread bemoaning the lousy API key rotation practices used by many SaaS companies)
- Presence of OWASP's Top-10 API Security Risks (including BOLA)
- Evaluation of where your company lies on the API Testing Hierarchy of Needs
- Monitoring (or lack thereof) for threat detection and mitigation
If you're looking for more, that Akana piece pairs nicely with Tim Mackey's "Five Aspects Of A Security Program". Tim talks less about the attributes of a one-time assessment and more about the properties of a cyber-conscious and ongoing effort.
Both Tim and the Akana piece overlap in acknowledging that improperly configured cloud services and a lack of monitoring can cause problems.
MICROSERVICES - THE LETTER AND THE SPIRIT
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Alaa Tadmori has seen both the good and bad parts of microservices. On the one hand, they can effectively decompose complicated tasks into more autonomous, independently scalable components. On the other, an over-emphasis on size can create management overhead more significant than it is worth.
In "Microservices - The Letter and the Spirit", Alaa does a laudable job explaining why service size doesn't matter. He then continues by reframing the microservice raison d'être as a decoupling benefit.
My favorite definition of a bounded context is "a bet on those things that will change together" (I first heard the UK architect Nick Tune phrase it this way, although he says he got it from somewhere else). To create that desired decoupled state, it is essential to identify those things that "change together", and combine them within the same service (regardless of size).
Get that right, and you'll be well on your way to what Alaa calls the "spirit" of microservices.
MILESTONES
- Cisco has a new open-source tool for comparing runtime traffic with what was defined in an OpenAPI specification
- StepZen has released two free GraphQL management tools.
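An added example, not part of the original newsletter and not Cisco's tool or code: the sketch below shows the core idea behind that runtime-versus-spec comparison, checking constructed access-log lines against a hand-written table of OpenAPI paths and flagging any call the spec does not cover (the kind of undocumented, unmonitored endpoint the risk-assessment bullets above worry about).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the paths/methods section of an OpenAPI document.
SPEC_PATHS: Dict[str, Set[str]] = {
    "/users/{id}": {"GET"},
    "/orders": {"GET", "POST"},
}

# Constructed access-log sample in a simplified "METHOD PATH STATUS" form.
SAMPLE_LOG = """\
GET /users/42 200
POST /orders 201
GET /users/42/export 200
DELETE /orders 204
GET /admin/debug 200
"""


def _path_regex(template: str) -> "re.Pattern[str]":
    """Turn an OpenAPI path template such as /users/{id} into an anchored regex."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")  # one path parameter = one non-empty segment
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def find_shadow_calls(spec: Dict[str, Set[str]], log: str) -> List[Tuple[str, str, str]]:
    """Return (method, path, reason) for every logged call the spec does not document."""
    compiled = [(_path_regex(t), methods) for t, methods in spec.items()]
    findings: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        path = path.split("?", 1)[0]  # query strings are not part of the path template
        matched = [methods for rx, methods in compiled if rx.match(path)]
        if not matched:
            findings.append((method, path, "path not in spec"))
        elif not any(method in methods for methods in matched):
            findings.append((method, path, "method not documented for path"))
    return findings


if __name__ == "__main__":
    for finding in find_shadow_calls(SPEC_PATHS, SAMPLE_LOG):
        print(finding)
```

A real deployment would load the spec with a parser and read gateway or proxy logs, but the comparison logic stays the same.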
WRAPPING UP
Given that we just finished Thanksgiving here in the United States, I wanted to thank the folks at O'Reilly and the authors of the CAM book. I received my second edition copy shortly before the holiday. I'm grateful for the opportunity to contribute to this important industry touchstone as a technical editor. I already use the book's ten pillars as a basis for helping companies assess the state of their API programs.
Can't get enough API discussion? Check out the nearly 3000 folks on the LinkedIn API and Web Services Professional Group. If you're looking for events, give NetAPI.events a try.
Finally, I'll end with thanks to this newsletter's patrons. Supporters keep this publication free of advertising, information selling, or paywalls. Due to their gracious support, everyone can benefit.
Till next time, Matthew
@libel_vox and matthewreinbold.com
While I work at Postman, a bejeweled multi-tool in a sea of sporks, the opinions presented above are mine.