API Security Weekly: Issue 162

This week, we have details of compromised Google Cloud accounts being used to mine cryptocurrency (mainly with weak or no passwords on API connections), there’s an article on how GraphQL can be used as an API gateway (including security controls), a very comprehensive guide to all things relating to API security, and a new API security training course from AppSecEngineer.

Vulnerability: Compromised Google Cloud Accounts Used to Mine Cryptocurrency

The main story this week comes from HackerNews and describes how attackers are able to exploit improperly secured Google Cloud Platform (GCP) tenants. The impact on affected users included compromise of their cloud resources (for example, uploading cryptocurrency mining software), as well as ransomware and phishing attacks.

API Tools for Every Phase of the API Lifecycle

When you set out to build your first API, it can very well be that you are either overwhelmed or forgetting essential points. The ecosystem for API tools is vast, and it’s vital to get the right tool for every phase of your project.

In this article, we will go through the different phases an API project usually has. For every phase, I will list the significant points and tools that help there.

API-First Product Managers’ Popular API Tools and API Metrics

We interviewed the product managers at a number of the larger API-first companies that are based in San Francisco. The companies are all publicly traded, have TTM revenue of more than $100M and are in the fields of billing, security, communications and workflow automation.

The PMs were asked what their favorite tools were and what API metrics they cared most about. Where possible, we identified tools and metrics that were common across all market segments, excluding the (many) edge cases that you’d expect when your customer base numbered in the 1,000s.

Absolutism Around API Tools Increases Friction And Failure

I know you believe your tools are the best. I mean, from your vantage point, they are. I also know that when you are building a new API tool, your investors want you to position your tooling as the best. The one solution to rule them all. They want you to work hard to make your tools the best but also make sure to demonize other tooling as being inferior, out of date, and something dinosaurs use.

I know this absolute belief in your tooling feels good and right, but you are actually creating friction for your users and potentially failure, or at least conflict, within their teams. Absolutism, along with divide-and-conquer strategies for evangelizing API tooling, works for great short-term financial strategies but doesn't do much to help us on the ground actually developing, managing, and sustaining APIs.