The Web Performance APIs Reference

Each of the following performance APIs is at a different stage of the W3C’s specification maturity process. You can see each spec’s stage next to its title. Visit this article for a concise graphic of all the performance APIs’ maturity levels.

The use of APIs to Boost Performance

If you are wondering why you should bring these APIs into your system in the first place, you are not alone. Plenty of people have questioned what is so important about APIs and why they need to focus on them. The questions are many, but the answer boils down to this: the performance APIs provide real measurements that programmers can use to judge how their own code is performing.

5 Steps to Strengthen API Security

APIs are the connective tissue of scalable websites — fundamental to functioning in today’s digital world. But much like the physical world, weaknesses in connections and associated protocols can result in significant, sometimes existential, trouble.

One recent instance is the data leak that stemmed from Microsoft Power Apps portals being misconfigured to allow public access. When examining this case, UpGuard found that the type of exposed data varied between portals, and even included personal information used for COVID-19 contact tracing and COVID-19 vaccination appointments, as well as Social Security numbers, employee IDs, and millions of email addresses and names.

APISIX: An API Gateway the Apache Way

During the pioneer era of the World Wide Web, content was static. To serve it, a group of developers created a web server, now known as the Apache Web Server.

The Apache Web Server is built around a module architecture. Developers created a module to run CGI scripts so that dynamic content could be added to the mix. Early CGI scripts were written in Perl. After a while, it became evident that generating a complete HTML page from scratch was not the best approach, and that templating, providing an HTML page with placeholders, was much better. The PHP language started this way, as a simple templating engine interpreted by a module.

Supabase and React Quickstart Guide

Intro

This example provides the steps to build a simple user management app (from scratch!) using Supabase and React. It includes:

  • Supabase Database: a Postgres database for storing your user data.
  • Supabase Auth: users can sign in with magic links (no passwords, only email).
  • Supabase Storage: users can upload a photo.
  • Row Level Security: data is protected so that individuals can only access their own data.
  • Instant APIs: APIs will be automatically generated when you create your database tables.
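The Row Level Security bullet is the one that makes the auto-generated APIs safe to expose: once a table is reachable through Supabase's REST endpoint, the policies on that table are the only thing standing between an authenticated (or anonymous) caller and every row in it. The following SQL is an added example, not code from the Supabase guide itself. It assumes a `profiles` table keyed on the user's id; `auth.uid()` is Supabase's helper that returns the UUID of the user identified by the request's JWT.

```sql
-- Added example (not from the Supabase guide): a minimal profiles table
-- whose rows are readable by everyone but writable only by their owner.
-- The table and column names are assumptions for illustration.
create table profiles (
  id uuid references auth.users on delete cascade primary key,
  username text unique,
  avatar_url text
);

-- Without this line the instantly generated API would return every row
-- to any caller presenting the project's public anon key.
alter table profiles enable row level security;

-- Anyone, including anonymous callers, may read profiles.
create policy "Public profiles are viewable by everyone."
  on profiles for select
  using (true);

-- A user may only create a profile row whose id is their own user id.
-- auth.uid() is derived from the verified JWT, not from request input.
create policy "Users can insert their own profile."
  on profiles for insert
  with check (auth.uid() = id);

-- A user may only update their own row. The WITH CHECK clause stops a
-- caller from re-pointing an existing row at another user's id.
create policy "Users can update own profile."
  on profiles for update
  using (auth.uid() = id)
  with check (auth.uid() = id);
```

Note that there is deliberately no `delete` policy: with RLS enabled and no matching policy, the generated API denies the operation by default, which is the behaviour you want until you have decided who may delete a profile. The same pattern (enable RLS, then grant the narrowest policy per operation) applies to the `storage.objects` table that backs photo uploads.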

By the end of this guide you'll have an app that allows users to log in and update some basic profile details:

API Security Weekly: Issue #144

This week, JustDial has had to re-fix an old API vulnerability that they already fixed in 2019. We also have a set of scripts for automated API key validation, and two videos from recent conferences on the OAuth roadmap and GraphQL security.

Vulnerability: JustDial

JustDial had a regression as they accidentally reintroduced the API vulnerability that they had fixed (and we reported) back in 2019. Ironically, it was found and resubmitted to the vendor by the same reporter as last time, Rajshekhar Rajaharia.

API Security Weekly: Issue #140

This week, we take a look at the recent API vulnerabilities reported at LazyPay, API attacks on Western Digital My Book Live NAS systems, and LinkedIn profiles getting scraped. We also have a new detailed mind map for broken object-level authorization (BOLA/IDOR) vulnerabilities.

Vulnerability: LazyPay

LazyPay is a pay-later platform that has over 2 million active users in India.

How to Show the Business Value of Your APIs with Embedded Metrics

When you provide APIs to your customers, you want to ensure they are getting value from them. At the same time, the best APIs are designed to be fully automated without requiring human intervention. This can leave your customers in the dark about whether your API is even being used by their organization, and about whether you are meeting the SLA obligations in your enterprise contracts.

Types of metrics to surface

Most API-first companies have some sort of developer portal where customers log in, manage API keys, and customize features. This area is also a great place to expose key metrics to your customers that demonstrate how much value they are getting from your API. This can be as simple as a counter showing the number of API transactions made within a billing period, or it can provide additional metrics about what those transactions are. Each customer has different metrics they want to look at. Developers will want to look at access logs, whereas product and engineering leadership are more interested in usage and performance metrics. Finally, the finance department may need to look at billing usage for capacity and financial planning.

What is API Observability

API Observability is a key component of properly executing APIOps Cycles and ensuring you're building something of value for your API users. If you're not familiar with APIOps Cycles, take a look at this guide, which provides an agile framework to quickly build APIs that are business-oriented and serve customer needs. API Observability itself is an evolution of traditional monitoring and was born out of control systems theory.

Traditional monitoring focuses on tracking known unknowns. This means you already know what to measure, such as requests per second or errors per second. While the metric's value may be unknown beforehand, you already know what to measure or probe, such as a counter that tracks requests into buckets. This makes it possible to report on the health of a system (for example as red, yellow, or green), but it is a poor tool for troubleshooting engineering or business issues, which usually require asking arbitrary questions of the data.

API Security Weekly: Issue #137

This week, we take a look at the recent API vulnerabilities in VMware vCenter and Apache Pulsar, how GraphQL implementations may be vulnerable to cross-site request forgery (CSRF) attacks, an upcoming webinar on API Security and Postman, a DZone webinar with this newsletter’s author next week, and a video on what the API security vendor landscape looks like.

Vulnerability: VMware vCenter

A recently patched vulnerability in VMware vCenter is now being actively exploited.

[DZone Community Meetup] The Latest API Security Vulnerabilities with Dmitry Sotnikov

Join us live on Tuesday, June 15th at Noon EDT

Dmitry Sotnikov, Chief Product Officer at API security platform company 42Crunch, will cover recent API vulnerabilities and lessons learned in this quick 30-minute live event featuring a Q&A at the end. Dmitry Sotnikov has written over 140 articles on DZone that have generated over 1 million page views.

Agenda

  • Introductions
  • Dmitry Sotnikov will cover recent API vulnerabilities and lessons learned
  • A question-and-answer session will be held at the end of this virtual event and DZone community meetup

Live Question and Answer with Dmitry Sotnikov

There will be a live Q&A at the end of this virtual event! Have a question for Dmitry Sotnikov? Ask your questions live during the Q&A!

Why Hasn’t the Security Industry Embraced the API-First Revolution?

How the Security Industry Fell a Decade Behind the Broader Tech Industry

I’m not going to sugarcoat it; the security industry has fallen way behind the broader tech industry in the last decade in a really fundamental way. While much of the tech industry has started to pivot away from hardware and software-based solutions – which dominated the 90s and early 2000s – and towards the use of API-first SaaS services, most of the security industry has not.

Now, this reluctance to embrace a new way of delivering security outcomes means that customers are overburdened with acquiring, deploying, and managing security tools in a legacy model. A painful, not to mention expensive, way to defend against threats.

API Security Weekly: Issue #136

This week, we check out how API attacks can be used to squash political dissent, a handy OAuth 2.0 security checklist as well as some common OAuth vulnerabilities and the ways to detect and mitigate them, and a case study of API penetration testing.

Vulnerability: Russian Opposition Email List Breach

Companies typically avoid providing details on their data breaches. Today we have a rare exception. The staff of the Russian opposition leader, Alexey Navalny, has posted a detailed report on both the breach they had earlier this year and their investigation into the breach. Unfortunately, the report is in Russian, so you might need to use Google Translate or auto-generated English subtitles in the video version that they posted on YouTube.

Deploying an Apache Kafka mock service with Microcks

Developers are building new applications every day that use Apache Kafka as the backbone of an event-driven architecture (EDA) supporting distributed systems. However, this adds new challenges when sharing across teams, even within the same organization. What endpoints are available? What is the structure of the message? That is why payload examples have become critical to speeding up development. For this reason, having a reliable and enterprise-grade service to mock Apache Kafka should be an item on your EDA checklist. This post gives a quick review of the Microcks General Availability (GA) version and its support for Kafka.

What is Microcks?


API Security Weekly: Issue #133

This week, we take a look at the API vulnerabilities discovered at Peloton, how India is locking down the APIs for their COVID vaccination portal, how API contracts can be generated from .NET code, and what API security sessions the upcoming RSA Conference (RSAC) offers.

Vulnerability: Peloton

Peloton is a producer of popular treadmills and stationary bicycles, as well as a subscription service for training on the equipment. Jan Masters from Pen Test Partners found that the APIs behind the service were highly vulnerable and were leaking personal user data.