High-Level View of Security in APIs

Learn about public and private APIs, along with cybersecurity models.

We'll cover the following

Introduction
Public and private APIs
- Intended users
- Where is the API made available?
Cybersecurity models
- Zero Trust model
- Web Application and API Protection (WAAP)
Conclusion

Introduction

We have explored several topics on API security in this chapter. Before wrapping up, we’ll explore some significant concepts and models in the API security landscape. Studying these concepts will enable us to architect secure APIs. We’ll explain the following topics:

Scope of APIs: Discusses the types and users of APIs
Cybersecurity models: Security models that are applicable to APIs

These concepts aid in the overall security and functionality of APIs, so we’ll go over them before we end the chapter on security. Let's begin by examining the scopes of APIs.

Public and private APIs

When we examine APIs, there are two significant concerns regarding API consumers:

Who is the intended user of an API?
Where is the API made available, and where can someone access the API on the network?

These points may be referred to as the scope of the API, so let's expand on these concepts.

Intended users

There are three categories when we examine who an API is intended/designed for.

Private: These are intended for consumption for users inside the organization, such as employees. These still might be exposed outside of an organization because the company/business itself may have external components outside that require access. An example of such an API could be a messaging portal that the organization solely uses for communication. However, such APIs are not available to the general public.
Partner: These are APIs we design to communicate with established partners. The API is intended to be used outside the organization, perhaps in tandem with other APIs. The usage of such APIs usually comes with special terms and conditions that the partners or consumers have to agree to. Twitter's API is an example of a partner API because it has several tiers (elevated or elevated+Grants additional access within the developer portal, such as additional requests in a specific period of time.) to denote a third party's approval status.
Public: These are open APIs that the general public can access through an API directory. They’re typically easy to sign up for and use, but the developer may not have complete information about the users of the API. Facebook's open API that allows third parties to post on a user's newsfeed is an example of a public API.

Level up your interview prep. Join Educative to access 70+ hands-on prep courses.

Introduction to the Course

Network Intricacies

Different Ways of Client-Server Communication

Common Data Formats for Web APIs

Comparison of API Architectural Styles

Security

Important Concepts in API Design

Back-of-the-Envelope Calculations for Latency

What Are the Foundational API Designs?

Design a Search Service

Design a File Service

Design a Comment Service

Design a Pub-Sub Service

Concluding Foundational Design Problems

YouTube Streaming API Design

Facebook Messenger API Design

Google Maps API Design

Learn to Design a Chess API with AI Mentor

Zoom API Design

Leetcode API Design

Payment Gateway API Design—Stripe

Twitter API Design

Uber API Design

CamelCamelCamel API Design

Gaming API Design

API Failures and Mitigations

Conclusion

High-Level View of Security in APIs

Introduction

Public and private APIs

Intended users