Five years after the first edition was released, I am glad that the second edition of Advanced API Security has now been released. This is a complete rewrite of the previous edition, with 15 chapters and 7 appendices.
Enterprise API adoption has exceeded expectations. We see the proliferation of APIs in almost all industries. It is not an exaggeration to say that a business without an API is like a computer with no Internet. APIs are also the foundation of building communication channels in the Internet of Things (IoT) domain. From motor vehicles to kitchen appliances, countless devices have started communicating with each other via APIs. The world is more connected than ever. You share photos on Instagram or Facebook, share a location from Foursquare or Yelp on Twitter, publish Tweets to the Facebook wall, connect to Google Maps via the Uber mobile app, and much more. The list of connections is limitless. All this is made possible only because of public APIs, which have proliferated in the last few years. Expedia, Salesforce, eBay, and many other companies generate a large percentage of their annual revenue via APIs. APIs have become the coolest way of exposing business functionalities to the outside world.
Enterprise APIs have become the common way of exposing business functions to the outside world. Exposing functionality is convenient, but of course, it comes with a risk of exploitation. This book is about securing your most important business assets, your APIs. As is the case with any software system design, people tend to ignore the security element during the API design phase. Only at deployment time, or at the time of integration, do they start worrying about security. Security should never be an afterthought - it’s an integral part of any software system design, and it should be well thought out from the design’s inception. One objective of this book is to educate the reader about the need for security and the available options for securing APIs.
This book guides you through the process and shares best practices for designing APIs for better security. API security has evolved a lot in the last few years. The growth of standards for securing APIs has been exponential. OAuth 2.0 is the most widely adopted standard. It’s more than just a standard - it's a framework that lets people build solutions on top of it. The book explains in-depth how to secure APIs from traditional HTTP Basic authentication to OAuth 2.0 and the profiles built around OAuth, such as OpenID Connect, User-Managed Access (UMA), and many more. JSON plays a major role in API communication. Most of the APIs developed today support only JSON, not XML. The book focuses on JSON security. JSON Web Encryption (JWE) and JSON Web Signature (JWS) are two increasingly popular standards for securing JSON messages. The latter part of the book covers JWE and JWS in detail.
Another major objective of the book is to not just present concepts and theories but also to explain concepts and theories with concrete examples. The book presents a comprehensive set of examples to illustrate how to apply theory in practice. You will learn about using OAuth 2.0 and related profiles to access APIs securely with web applications, single-page applications, native mobile applications, and browser-less applications.
Writing a book may sound like a one-man effort, but it’s the entire team behind it that makes it a reality. There are many people I would like to thank who made this possible. First, I would like to thank Jonathan Gennick, Assistant Editorial Director at Apress, for evaluating and accepting my proposal for this book. Then, I must thank Jill Balzano, Coordinating Editor at Apress, who was very patient and tolerant of me throughout the publishing process. Alp Tunc served as the technical reviewer - thanks, Alp, for your quality review comments, which were quite useful. Also, I would like to thank all the external reviewers of the book, Janak Amarasena, Dewni Weeraman, Maduranga Siriwardena, Farasath Ahamed, Jayanga Kaushalya, and Senthalan Kanagalingam, who helped to make the book better. Dr. Sanjiva Weerawarana, the Founder and former CEO of WSO2, and Paul Fremantle, the Co-Founder of WSO2, are two of my mentors. I am truly grateful to both Dr. Sanjiva and Paul for everything they have done for me. My wife, Pavithra, and my little daughter, Dinadi, supported me throughout this process. Thank you very much, Pavithra and Dinadi. My parents and my sister are with me all the time. I am grateful to them for everything they have done for me. Last but not least, my wife’s parents - they were amazingly helpful.
I hope this book effectively covers a much-needed subject for API developers, and I hope you enjoy reading it.