With a plethora of best practices for designing APIs, many application teams end up focusing on details that may not be a high priority when compared to design principles that can keep your application secure, scalable and efficient. In this session, we will explore the critical best practices around API design, including API versioning, error handling, and microservices architectures for decoupling functionality. We will also explore some of the crucial security principles that should be applied when designing the business logic. These include pagination restrictions to prevent DDoS attacks as well as proper identity governance implementation to mitigate API-specific vulnerabilities like data breaches resulting from the incorrect assignment of RBAC roles or ABAC rules that control access to resources.
Best Practices for API Design to Keep Your App Secure, Scalable & Efficient
1. THE 2018 PLATFORM SUMMIT
Amjad Afanah, FX Labs, Inc.
Intesar Mohammed, FX Labs, Inc.
BEST PRACTICES FOR API DESIGN TO KEEP YOUR APP SECURE, SCALABLE & EFFICIENT
founders@fxlabs.io
https://fxlabs.io
2. AGENDA
API Design Best Practices
Microservices Architecture for Agility & Scalability
Best Practices for Securing APIs
Benefits of Continuous Testing & Compliance
4. API DESIGN BEST PRACTICES
USE NOUNS BUT NO VERBS
Prefer Nouns to Verbs
Nouns refer to resources; resources are handled with HTTP verbs
Verbs can be used for Actions or Calculations: /login, /logout, /convertTemperature, /repositories/123/star
5. API DESIGN BEST PRACTICES
USE SUB-RESOURCES FOR RELATIONS
If a resource is related to another resource use subresources.
GET /cars/711/drivers/ Returns a list of drivers for car 711
GET /cars/711/drivers/4 Returns driver #4 for car 711
6. API DESIGN BEST PRACTICES
HANDLE ERRORS WITH HTTP STATUS CODES
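The slide states the principle without an implementation, so here is an added example (not code from the slides or from FX Labs) showing how a handler for the sub-resource route from the previous slide, GET /cars/{car_id}/drivers/{n}, maps each failure to an HTTP status code and a consistent JSON error body. The exception classes, the body shape, the parameter names and the DRIVERS sample data are assumptions made for illustration. Unknown exceptions deliberately become a generic 500 with a correlation id, so internal detail is logged server-side rather than returned to the caller.

```python
"""Translate handler exceptions into HTTP status codes and a stable JSON error body.

Added example, not code from the slides or from FX Labs. The exception
classes, the error-body shape and the /cars/{id}/drivers/{n} handler with its
constructed data are assumptions made for illustration.
"""
import json
import logging
import uuid

log = logging.getLogger("api")


class ApiError(Exception):
    """Base class: each subclass fixes the status code and a short error code."""
    status = 500
    code = "internal_error"

    def __init__(self, detail="", **fields):
        super().__init__(detail)
        self.detail = detail
        self.fields = fields          # extra public fields, e.g. retry_after


class BadRequest(ApiError):
    status, code = 400, "bad_request"


class Unauthorized(ApiError):
    status, code = 401, "unauthorized"


class Forbidden(ApiError):
    status, code = 403, "forbidden"


class NotFound(ApiError):
    status, code = 404, "not_found"


class MethodNotAllowed(ApiError):
    status, code = 405, "method_not_allowed"


class TooManyRequests(ApiError):
    status, code = 429, "rate_limited"


def error_response(exc):
    """Return (status, headers, body) for an exception raised by a handler.

    ApiError subclasses surface their own status and code. Anything else is a
    bug: it is logged under a correlation id and the client receives a generic
    500 carrying only that id, so stack traces, SQL text and file paths never
    reach the response body.
    """
    correlation_id = str(uuid.uuid4())
    headers = {"Content-Type": "application/json"}
    if isinstance(exc, ApiError):
        status = exc.status
        body = {"error": exc.code, "detail": exc.detail, "id": correlation_id, **exc.fields}
        if status == 429:
            headers["Retry-After"] = str(exc.fields.get("retry_after", 60))
    else:
        log.error("unhandled error id=%s", correlation_id, exc_info=exc)
        status = 500
        body = {"error": "internal_error", "detail": "unexpected error", "id": correlation_id}
    return status, headers, json.dumps(body)


# Constructed sample data for the sub-resource GET /cars/{car_id}/drivers/{n}
DRIVERS = {("711", "4"): {"id": 4, "name": "sample driver"}}


def handle(method, path, user=None):
    """Sample handler: raises the ApiError that fits each failure."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "cars" or parts[2] != "drivers":
        raise NotFound(f"no route for {path}")
    if method != "GET":
        raise MethodNotAllowed(f"{method} not supported on {path}")
    if user is None:
        raise Unauthorized("missing credentials")
    if not (parts[1].isdigit() and parts[3].isdigit()):
        raise BadRequest("car and driver ids must be integers")
    record = DRIVERS.get((parts[1], parts[3]))
    if record is None:
        raise NotFound("driver not found")
    return 200, {"Content-Type": "application/json"}, json.dumps(record)


def dispatch(method, path, user=None):
    """Edge of the API: every exception becomes a response, none escapes."""
    try:
        return handle(method, path, user)
    except Exception as exc:  # deliberate catch-all at the boundary
        return error_response(exc)


if __name__ == "__main__":
    for call in [("GET", "/cars/711/drivers/4", "alice"), ("GET", "/cars/711/drivers/4", None),
                 ("DELETE", "/cars/711/drivers/4", "alice"), ("GET", "/cars/x/drivers/4", "alice")]:
        print(call, "->", dispatch(*call)[0])
```

The order of checks in handle matters: routing (404) and method (405) come before authentication (401) and input validation (400), and the existence check on the specific record comes last, after the caller has been authenticated, so unauthenticated callers cannot enumerate which driver ids exist.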
11. BEST PRACTICES FOR SECURING APIS
HTTPS
Secure REST services must only provide HTTPS endpoints. This protects authentication credentials in transit, for example passwords, API keys or JSON Web Tokens. It also allows clients to authenticate the service and guarantees integrity of the transmitted data.
12. BEST PRACTICES FOR SECURING APIS
PAGINATION LIMITS TO PREVENT DDOS ATTACKS
Most endpoints that return a list of entities will need some sort of pagination. Without pagination, a simple search could return millions or even billions of hits, causing extraneous network traffic.
Offset Pagination
This is the simplest form of paging. Limit/Offset became popular with apps using SQL databases, which already have LIMIT and OFFSET as part of the SQL SELECT syntax. Very little business logic is required to implement Limit/Offset paging.
Client makes request for most recent items: GET /items?limit=20
On scroll/next page, client makes second request: GET /items?limit=20&offset=20
Other Types of Pagination Include Keyset Pagination and Seek Pagination
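The slide shows the client side of Limit/Offset paging but not the server-side limits that make it a defence. The following added example (not code from the slides or from FX Labs) enforces a maximum page size and a maximum offset on the /items endpoint, binds both values as SQL parameters, and goes one step beyond the slide by also implementing the keyset variant it mentions, whose cost does not grow with how deep the client pages. The caps MAX_LIMIT and MAX_OFFSET, the parameter names and the in-memory SQLite items table are assumptions made for illustration.

```python
"""Server-enforced pagination limits for a list endpoint.

Added example, not code from the slides or from FX Labs. The items table, the
caps (MAX_LIMIT, MAX_OFFSET) and the query parameter names are assumptions
made for illustration; the SQL is SQLite, where LIMIT/OFFSET work as in the
slide.
"""
import sqlite3

DEFAULT_LIMIT = 20
MAX_LIMIT = 100       # assumed cap: the server, never the client, bounds the page size
MAX_OFFSET = 10_000   # assumed cap: OFFSET makes the database scan and discard every skipped row


class PageError(ValueError):
    """A malformed or out-of-range paging parameter; the API maps it to HTTP 400."""


def _int_param(params, name, default, upper):
    """Parse a non-negative integer query parameter and enforce an upper bound."""
    raw = params.get(name, default)
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise PageError(f"{name} must be an integer") from None
    if value < 0:
        raise PageError(f"{name} must not be negative")
    if value > upper:
        raise PageError(f"{name} must be <= {upper}")
    return value


def parse_limit(params):
    """?limit= defaults to DEFAULT_LIMIT; values above MAX_LIMIT are rejected, not silently clamped."""
    limit = _int_param(params, "limit", DEFAULT_LIMIT, MAX_LIMIT)
    if limit == 0:
        raise PageError("limit must be positive")
    return limit


def fetch_offset(conn, params):
    """Limit/Offset paging: GET /items?limit=20&offset=20 -> rows 21..40.

    Values are bound as parameters, never formatted into the SQL text.
    """
    limit = parse_limit(params)
    offset = _int_param(params, "offset", 0, MAX_OFFSET)
    rows = conn.execute(
        "SELECT id, name FROM items ORDER BY id LIMIT ? OFFSET ?", (limit, offset)
    ).fetchall()
    return [{"id": i, "name": n} for i, n in rows]


def fetch_keyset(conn, params):
    """Keyset paging: GET /items?limit=20&after=<last id seen>.

    The database seeks straight to the key, so the cost stays O(limit) however
    deep the client goes. Returns (items, next_after); next_after is None when
    the client has reached the end.
    """
    limit = parse_limit(params)
    after = _int_param(params, "after", 0, 2**63 - 1)
    rows = conn.execute(
        "SELECT id, name FROM items WHERE id > ? ORDER BY id LIMIT ?", (after, limit + 1)
    ).fetchall()                                  # fetch one extra row to learn if more exist
    has_more = len(rows) > limit
    items = [{"id": i, "name": n} for i, n in rows[:limit]]
    return items, (items[-1]["id"] if has_more else None)


def make_db(count=1000):
    """Constructed sample data: an in-memory table with `count` items."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(i, f"item-{i}") for i in range(1, count + 1)])
    return conn


if __name__ == "__main__":
    db = make_db()
    print(len(fetch_offset(db, {"limit": "20", "offset": "20"})), "rows on page 2")
    try:
        fetch_offset(db, {"limit": "1000000"})
    except PageError as err:
        print("rejected:", err)
```

Rejecting an oversized limit with a 400 rather than clamping it keeps the contract explicit: a client that asks for a million rows gets an error it must handle instead of a silently truncated page it may mistake for the full result set.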
13. BEST PRACTICES FOR SECURING APIS
ROLE BASED ACCESS CONTROL
What is RBAC?
Permissions are granted to each role based on requirements
Users are assigned to a specific role
Users can be assigned to multiple roles
14. BEST PRACTICES FOR SECURING APIS
ROLE BASED ACCESS CONTROL
Limitations of RBAC?
Determining the permissions to assign to each role is very time consuming
RBAC needs attention all the time. The Joiner-Mover-Leaver process is extremely critical. Users can often accumulate unnecessary roles, leading to excess permissions.
Providing fine-grained access to resources can often lead to an explosion of RBAC roles or ABAC rules that can be easily exploited if not properly tested.
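The two RBAC slides above describe the model (roles as permission sets, users holding several roles) and its failure mode (roles accumulating across the Joiner-Mover-Leaver process); this added example (not code from the slides or from FX Labs) puts both into code, with an audit that reports the permissions a user holds beyond what their current job function needs and a helper that lists roles nobody holds any more. The role names, permission strings, job functions and sample users are constructed for illustration.

```python
"""Minimal RBAC model with a Joiner-Mover-Leaver workflow and an audit for accumulated roles.

Added example, not code from the slides or from FX Labs. The role names,
permission strings, job functions and sample users are constructed for
illustration.
"""
from dataclasses import dataclass, field

# A permission is "action:resource"; a role is a named set of permissions.
ROLES = {
    "viewer": {"read:cars", "read:drivers"},
    "editor": {"read:cars", "read:drivers", "write:cars"},
    "admin":  {"read:cars", "read:drivers", "write:cars", "write:drivers", "delete:cars"},
}

# Which roles each job function should hold: the reference the audit compares against.
JOB_ROLES = {
    "support": {"viewer"},
    "fleet-manager": {"editor"},
    "platform-admin": {"admin"},
}


@dataclass
class User:
    name: str
    job: str
    roles: set = field(default_factory=set)


def permissions(user):
    """Effective permissions: the union over every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLES.get(role, set())
    return perms


def is_allowed(user, action, resource):
    """Authorization check an endpoint calls before touching a resource."""
    return f"{action}:{resource}" in permissions(user)


def expected_permissions(job):
    """Permissions the job function is supposed to have, derived from JOB_ROLES."""
    perms = set()
    for role in JOB_ROLES[job]:
        perms |= ROLES[role]
    return perms


def join(name, job):
    """Joiner: a new user gets exactly the roles of their job function."""
    return User(name, job, set(JOB_ROLES[job]))


def move(user, new_job):
    """Mover: roles are replaced, not added, so nothing from the old job survives."""
    user.job = new_job
    user.roles = set(JOB_ROLES[new_job])


def leave(user):
    """Leaver: every role is revoked; the record can stay for audit history."""
    user.roles.clear()


def audit_excess(user):
    """Permissions the user holds beyond what their current job function needs."""
    return permissions(user) - expected_permissions(user.job)


def unused_roles(users):
    """Roles nobody holds: candidates to retire when the role set has grown too large."""
    held = set()
    for u in users:
        held |= u.roles
    return set(ROLES) - held


if __name__ == "__main__":
    ann = join("ann", "support")
    ann.roles.add("editor")                     # a mover whose old role was never removed
    print("excess:", audit_excess(ann))         # {'write:cars'}
    move(ann, "fleet-manager")
    print("excess after proper move:", audit_excess(ann))
```

Because permissions are the union of all roles, a single stale role is enough to grant write access the job never required; running audit_excess over every user on a schedule, and move/leave as the only way roles change, is the operational form of the "RBAC needs attention all the time" point on the slide.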
15. 5 BEST PRACTICES IN API TESTING
STANDARDIZING TESTS
Leverage a markup language for self-documentation and to enforce standardization across the team
DATA-DRIVEN TESTING
Move towards data-driven testing to promote reusability of tests and to eliminate the pain of preparing data-sets
DISTRIBUTED TEST EXECUTION
Build for scale from the beginning with the objective of having distributed, parallelized testing to shorten test cycles
AUTOMATED BUG MANAGEMENT
Automate bug management or incur huge delays as a result
API SECURITY TESTING
Include security testing with the deepest coverage to prevent vulnerabilities in the future
16. TRADITIONAL SOFTWARE TESTING
COST OF A BUG CAN BE $1,500 IF FOUND IN PROD
[Chart: average cost of a defect ($100, $250, $1,500), plotted as cost to fix a defect ($) across the Design, Develop, Test and Monitor phases; test types shown along the cycle: unit tests, integration tests, end-to-end tests, load tests, synthetic monitoring; "current bug discovery" marked at the late, expensive end.]
17. SHIFT LEFT
IS YOUR EFFORT DIRECTED AT YOUR RISK?
[Chart: the same cost curve (average cost of a defect $100, $250, $1,500; cost to fix a defect ($) across Design, Develop, Test, Monitor; unit, integration, end-to-end and load tests, synthetic monitoring) with bug discovery shifted left toward the design and development phases.]
18. DEVSECOPS
PREVENTION VS. DETECTION
The most effective DevSecOps programs start at the earliest points in the development process and follow the workload throughout its life cycle
19. COMMON API VULNERABILITIES
RBAC & ABAC VULNERABILITIES
Providing fine-grained access to resources can often lead to an explosion of RBAC roles or ABAC rules that can be easily exploited if not properly tested.
DISTRIBUTED DENIAL OF SERVICE
API DDoS attacks are executed to overload an API service. Since each hacker sends normal traffic volumes, these attacks are difficult to detect.
SQL INJECTIONS & DATA ATTACKS
With the right credentials, insiders and hackers can access any system or data. Examples include Data Extraction or Theft, Data Deletion or Manipulation, Data Injection, Malicious Code Injection, and Extreme Application Activity.
20. AVERAGE COST OF A DATA BREACH
60% of startups go out of business within six months of an attack
89% of breaches and data loss could have been prevented
21. FX LABS
AUTOMATED API SECURITY & QUALITY TESTING
Automatically Generate API Security Tests
[Instant Security Coverage] Automatically generate API security coverage spanning critical categories like login attack, DDoS, RBAC, ABAC, SQL injections and many others.
[Data-Driven Testing] Generate data-driven tests in simple, declarative YAML files with a test composition framework that supports API chaining, all assertions, and local/remote data injection.
Run Tests in Parallel Across Any Region
Run tests in parallel from any region with the FX Super Bot Network or provision Bots within your VPC on any cloud
Automate bug management (file, triage, validate and close)
Set up notifications via Email and Slack
View detailed dashboards and wire logs to quickly pinpoint security issues