API Security and the Developer

As our world becomes ever more interconnected, developers rely more and more on code and data sources outside of the environment in which the application runs. Using external code and data sources has a considerable number of advantages, not the least of which is keeping application development on schedule and within budget. However, working with APIs, whether local or on someone else’s system, means performing additional levels of testing. It isn’t enough to know that the application works as planned when used in the way you originally envisioned it being used. That’s why I wrote API Security Testing: Think Like a Bad Guy. This article helps you understand the sorts of attacks you might encounter when working with a third party API or allowing others to use your API.

Knowing the sources and types of potential threats can help you create better debugging processes for your organization. In reality, most security breaches today point to a lack of proper testing and an inability to debug applications because the inner workings of that application are poorly understood by those who maintain them. Blaming the user for interacting with an application incorrectly, hackers for exploiting API weaknesses, or third parties for improperly testing their APIs are simply excuses. Unfortunately, no one is interested in hearing excuses when an application opens a door to user data of various types.

It was serendipity that I was asked to review the recent Snapchat debacle and write an article about it. My editorial appears as Security Lessons Courtesy of Snapchat. The problems with Snapchat are significant and they could have been avoided with proper testing procedures, QA, and debugging techniques.This vendor is doing precisely all the wrong things—I truly couldn’t have asked for a better example to illustrate the issues that can occur when APIs aren’t tested correctly and fully. The results of the security breach are truly devastating from a certain perspective. As far as I know, no one had their identity stolen, but many people have lost their dignity and privacy as a result of the security breach. Certainly, someone will try to extort money from those who have been compromised. After all, you really don’t want your significant other, your boss, or your associates to see that inappropriate picture.

The need to test APIs carefully, fully, and without preconceived notions of how the user will interact with the API is essential. Until APIs become more secure and developers begin to take security seriously, you can expect a continuous stream of security breaches to appear in both the trade press and national media. The disturbing trend is that vendors now tend to blame users, but this really is a dead end. The best advice I can provide to software developers is to assume the user will always attempt to use your application incorrectly, no matter how much training the user receives.

Of course, it isn’t just APIs that require vigorous testing, but applications as a whole. However, errors in APIs tend to be worse because a single API can see use in a number of applications. So, a single error in the API is spread far wider than a similar error in an application. Let me know your thoughts on API security testing at John@JohnMuellerBooks.com.

Browser-based Applications and APIs

Both HTML5 Programming with JavaScript for Dummies and CSS3 for Dummies place an emphasis on the developer who needs to create a unique site in the shortest time possible, and yet achieve this feat with low support costs. The task might seem impossible. Both books achieve their goals by focusing on free or low cost tools, development aids, and Application Programming Interfaces (APIs). However, the API is the lynchpin that holds everything else together and makes everything work. The idea is to obtain a functional application that does everything it needs to do in an incredibly short time using resources that have been created, tested, and maintained by someone else.

My books discuss a few of the most popular APIs and provide pointers to other APIs that you might want to try. In addition, both books provide some best practices for working with APIs. However, I wanted to explore the concept of what makes a great API further, so I wrote “Avoiding Problematic API Choices.” The goal of this article is to help you weed out the great APIs from those that could actually damage data or leave your organization exposed to unwanted risk. The time saved developing an application is quickly used up when the APIs used to create that application cause support issues, so it’s best to use reliable APIs.

Using tools, development aids (such as free art), and APIs is a no brainer.  Creating browser-based applications makes it possible for your application to run anywhere and on any device. These free (or sometimes low cost) aids add extra incentive to develop browser-based applications because now you also avoid a large amount of the cost and upkeep of an application. Organizations that don’t avail themselves of these technologies will eventually be left behind, especially as the Bring Your Own Device (BYOD) phenomena becomes even more prevalent.

There are many tools, development aids, and APIs out there and I have yet to explore even a modicum of them. I can say that I’ve worked with a considerable number of the most popular offerings online, plus a few private (paid) offerings. Still, I’m looking forward to my continued exploration of this particular area of development. I find it incredibly interesting because I started out at a time when assembler was considered the state of the art (and a time saving approach to development when compared to other methods available at the time). Computers have come a long way since I began and every new day brings something exciting my way. It’s the reason I continue to pursue this technology with such diligence.

Of course, I’m always interested in hearing what you have to say. Do you see APIs as being safe and helpful, or as a source for problems in your organization? Which tools, development aids, and APIs do you use most often? Let me know your thoughts at John@JohnMuellerBooks.com.


The Role of APIs in Application Development

More people are coming to understand that the PC will constitute just one of several devices that users will rely upon to perform daily computing tasks in the future. Articles such as, “Life in the Post-PC Era” are appearing more and more often because the trend is clear. However, unlike many people, I don’t see the PC going away completely. There really are situations where you need to size and comfort of a larger system. I can’t imagine myself trying to write an entire book on a tablet. If I did, the resulting Repetitive Stress Injury (RSI) would be my own fault. However, the higher reliability and slow rate of technological change also means that my systems will last longer and I won’t be buying them as often. In other words, I’ll continue to use my PC every day, but people won’t be making as much money off of me as I do it. This said, a tablet will figure into my future in performing research and reading technical materials that I would have used a PC to accomplish in the past.

The nature of computing today means that any application you write will need to work on multiple platforms. Users won’t want a unique application for each platform used. Unfortunately, new platforms arrive relatively fast today, so developers of most applications need some method of keeping their applications relevant and useful. Web-based applications are perfect for this use. These applications are the reason I chose to write CSS3 for Dummies and HTML5 Programming with JavaScript For Dummies. These books represent the future of common applications—those used by users every day to perform the mundane tasks of living and business.

When reading these two books, you’ll find a strong emphasis on not reinventing the wheel. In fact, a lot of developers are now finding that their work is greatly simplified when they rely on third party Application Programming Interfaces (APIs) to perform at least some of their work. The stronger emphasis on APIs hasn’t gone unnoticed by the media either. Articles such as, “How the API Movement is Transforming the Telecom Industry” describe how APIs have become central to creating applications for specific industries. In fact, you’ll find targeted articles for API use all over the Internet because APIs have become a really big deal.

I plan to write quite a lot more about APIs because I see them as a way of standardizing application developing, creating more reliable applications, and reducing developer effort in creating the mundane parts of an application. What will eventually happen is that developers will become more creative and APIs will put the art back into the science of creating applications. However, I’d like your input too. What do you see as the role of APIs in the future? What questions do you have about them? Let me know at John@JohnMuellerBooks.com.