
Best Practices for API Design to Keep Your App Secure, Scalable & Efficient


With a plethora of best practices for designing APIs, many application teams end up focusing on details that may not be a high priority when compared to design principles that can keep your application secure, scalable and efficient. In this session, we will explore the critical best practices around API design, including API versioning, error handling, and microservices architectures for decoupling functionality. We will also explore some of the crucial security principles that should be applied when designing the business logic. These include pagination restrictions to prevent DDoS attacks as well as proper identity governance implementation to mitigate API-specific vulnerabilities such as data breaches resulting from the incorrect assignment of RBAC roles or ABAC rules that control access to resources.

Published in: Software

  1. THE 2018 PLATFORM SUMMIT. Amjad Afanah, FX Labs, Inc.; Intesar Mohammed, FX Labs, Inc. BEST PRACTICES FOR API DESIGN TO KEEP YOUR APP SECURE, SCALABLE & EFFICIENT. founders@fxlabs.io https://fxlabs.io
  2. AGENDA: API Design Best Practices; Microservices Architecture for Agility & Scalability; Best Practices for Securing APIs; Benefits of Continuous Testing & Compliance
  3. API DESIGN BEST PRACTICES: HTTP METHODS / URIS FOR COLLECTION
  4. API DESIGN BEST PRACTICES: USE NOUNS BUT NO VERBS. Prefer nouns to verbs: nouns refer to resources, and resources are handled with HTTP verbs. Verbs can be used for actions or calculations: /login, /logout, /convertTemperature, /repositories/123/star
  5. API DESIGN BEST PRACTICES: USE SUB-RESOURCES FOR RELATIONS. If a resource is related to another resource, use sub-resources. GET /cars/711/drivers/ returns a list of drivers for car 711; GET /cars/711/drivers/4 returns driver #4 for car 711
  6. API DESIGN BEST PRACTICES: HANDLE ERRORS WITH HTTP STATUS CODES
  7. API DESIGN BEST PRACTICES: PROVIDE HELPFUL ERROR PAYLOAD
  8. MICROSERVICES: MONOLITH VS. MICROSERVICES. Business requirements change rapidly and continuously. The need to ship updated versions of your app becomes increasingly critical.
  9. MICROSERVICES: MICROSERVICES PRINCIPLES. Developed independently; does one thing well; deployment independence; API focused; decentralized data management; easy to scale; polyglot
  10. MICROSERVICES: MONOLITH PROS & CONS; MICROSERVICES PROS & CONS
  11. BEST PRACTICES FOR SECURING APIS: HTTPS. Secure REST services must only provide HTTPS endpoints. This protects authentication credentials in transit, for example passwords, API keys or JSON Web Tokens. It also allows clients to authenticate the service and guarantees integrity of the transmitted data.
  12. BEST PRACTICES FOR SECURING APIS: PAGINATION LIMITS TO PREVENT DDOS ATTACKS. Most endpoints that return a list of entities will need some sort of pagination. Without pagination, a simple search could return millions or even billions of hits, causing extraneous network traffic. Offset pagination: this is the simplest form of paging. Limit/offset became popular with apps using SQL databases, which already have LIMIT and OFFSET as part of the SQL SELECT syntax. Very little business logic is required to implement limit/offset paging. The client makes a request for the most recent items: GET /items?limit=20. On scroll/next page, the client makes a second request: GET /items?limit=20&offset=20. Other types of pagination include keyset pagination and seek pagination.
  13. BEST PRACTICES FOR SECURING APIS: ROLE BASED ACCESS CONTROL. What is RBAC? Permissions are granted to each role based on requirements; users are assigned to a specific role; users can be assigned to multiple roles.
  14. BEST PRACTICES FOR SECURING APIS: ROLE BASED ACCESS CONTROL. Limitations of RBAC? Determining the permissions to assign to each role is very time consuming. RBAC needs attention all the time; the Joiner-Mover-Leaver process is extremely critical. Users can often accumulate unnecessary roles, leading to excess permissions. Providing fine-grained access to resources can often lead to an explosion of RBAC roles or ABAC rules that can be easily exploited if not properly tested.
  15. 5 BEST PRACTICES IN API TESTING. Standardizing tests: leverage a markup language for self-documentation and to enforce standardization across the team. Data-driven testing: move towards data-driven testing to promote reusability of tests and to eliminate the pain of preparing data sets. Distributed test execution: build for scale from the beginning with the objective of having distributed, parallelized testing to shorten test cycles. Automated bug management: automate bug management or incur huge delays as a result. API security testing: include security testing with the deepest coverage to prevent vulnerabilities in the future.
  16. TRADITIONAL SOFTWARE TESTING: COST OF A BUG CAN BE $1,500 IF FOUND IN PROD. [Chart: average cost of a defect, y-axis "cost to fix a defect ($)" with values $100, $250, $1,500; x-axis stages Design, Develop, Unit Tests, Integration Tests, End-to-End Tests, Load Tests, Test, Synthetic Monitoring, Monitor; marker "current bug discovery" placed late in the cycle.]
  17. SHIFT LEFT: IS YOUR EFFORT DIRECTED AT YOUR RISK? [Chart: same average cost of a defect axes ($100, $250, $1,500 across Design, Develop, Unit Tests, Integration Tests, End-to-End Tests, Load Tests, Test, Synthetic Monitoring, Monitor); marker "shift left bug discovery" placed early in the cycle.]
  18. DEVSECOPS: PREVENTION VS. DETECTION. The most effective DevSecOps programs start at the earliest points in the development process and follow the workload throughout its life cycle.
  19. COMMON API VULNERABILITIES. RBAC & ABAC vulnerabilities: providing fine-grained access to resources can often lead to an explosion of RBAC roles or ABAC rules that can be easily exploited if not properly tested. Distributed denial of service: API DDoS attacks are executed to overload an API service. Since each hacker sends normal traffic volumes, these attacks are difficult to detect. SQL injections & data attacks: with the right credentials, insiders and hackers can access any system or data. Examples include data extraction or theft, data deletion or manipulation, data injection, malicious code injection, and extreme application activity.
  20. AVERAGE COST OF A DATA BREACH. 60% of startups go out of business within six months of an attack. 89% of breaches and data loss could have been prevented.
  21. FX LABS: AUTOMATED API SECURITY & QUALITY TESTING. Automatically generate API security tests; run tests in parallel across any region. [Instant Security Coverage] Automatically generate API security coverage spanning critical categories like login attack, DDoS, RBAC, ABAC, SQL injections and many others. [Data-Driven Testing] Generate data-driven tests in simple, declarative YAML files with a test composition framework that supports API chaining, all assertions, and local/remote data injection. Run tests in parallel from any region with the FX Super Bot Network or provision Bots within your VPC on any cloud. Automate bug management (file, triage, validate and close). Set up notifications via Email and Slack. View detailed dashboards and wire logs to quickly pinpoint security issues.
  22. OUR PLATFORM
  23. THANK YOU! FXLABS.IO founders@fxlabs.io
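Slides 4 through 7 list four design rules (nouns not verbs, sub-resources for relations, HTTP status codes for errors, a helpful error payload) without showing them together. The following is an added example, not code from the talk or from FX Labs: a framework-free dispatcher for the slide's own `/cars/711/drivers/4` path. The in-memory data set, the route table, the `error` payload shape and the `create_driver` handler are all constructed for the example.

```python
"""Added example for slides 4-7 (not from the talk): a tiny dispatcher that
maps noun-based paths and sub-resources to handlers, answers with HTTP
status codes, and returns a helpful, machine-readable error payload.
The data set, route table and error format are constructed for the example."""
import re

# Constructed in-memory data: car 711 with drivers 4 and 9 (the slide's example ids).
CARS = {
    711: {
        "id": 711,
        "model": "example model",
        "drivers": {
            4: {"id": 4, "name": "Driver Four"},
            9: {"id": 9, "name": "Driver Nine"},
        },
    },
}


def error(status, code, message, hint=None):
    """Helpful error payload: stable machine-readable code, human message, optional hint."""
    body = {"error": {"code": code, "message": message}}
    if hint is not None:
        body["error"]["hint"] = hint
    return status, body


def _car_or_404(car_id):
    car = CARS.get(car_id)
    if car is None:
        return None, error(404, "car_not_found", f"Car {car_id} does not exist")
    return car, None


def get_car(car_id):
    car, err = _car_or_404(car_id)
    if err:
        return err
    return 200, {"id": car["id"], "model": car["model"]}


def list_drivers(car_id):
    # Sub-resource: /cars/{car_id}/drivers expresses the relation in the URI.
    car, err = _car_or_404(car_id)
    if err:
        return err
    return 200, {"drivers": sorted(car["drivers"].values(), key=lambda d: d["id"])}


def get_driver(car_id, driver_id):
    car, err = _car_or_404(car_id)
    if err:
        return err
    driver = car["drivers"].get(driver_id)
    if driver is None:
        return error(404, "driver_not_found",
                     f"Driver {driver_id} is not assigned to car {car_id}")
    return 200, driver


def create_driver(car_id, body):
    car, err = _car_or_404(car_id)
    if err:
        return err
    name = body.get("name") if isinstance(body, dict) else None
    if not isinstance(name, str) or not name.strip():
        # 400 with a field-level hint tells the client exactly what to fix.
        return error(400, "validation_failed", "Request body is invalid",
                     {"name": "required, non-empty string"})
    new_id = max(car["drivers"], default=0) + 1
    driver = {"id": new_id, "name": name.strip()}
    car["drivers"][new_id] = driver
    return 201, driver


# Route table: (method, path pattern, handler). Paths are nouns; the HTTP
# method carries the verb, so there is no /getDriver or /addDriver.
ROUTES = [
    ("GET", re.compile(r"^/cars/(?P<car_id>\d+)$"), get_car),
    ("GET", re.compile(r"^/cars/(?P<car_id>\d+)/drivers/?$"), list_drivers),
    ("POST", re.compile(r"^/cars/(?P<car_id>\d+)/drivers/?$"), create_driver),
    ("GET", re.compile(r"^/cars/(?P<car_id>\d+)/drivers/(?P<driver_id>\d+)$"), get_driver),
]


def handle(method, path, body=None):
    """Dispatch one request and return (status, body)."""
    allowed = []
    for route_method, pattern, handler in ROUTES:
        match = pattern.match(path)
        if not match:
            continue
        allowed.append(route_method)
        if route_method != method:
            continue
        params = {name: int(value) for name, value in match.groupdict().items()}
        if method == "POST":
            params["body"] = body
        return handler(**params)
    if allowed:
        return error(405, "method_not_allowed",
                     f"{method} is not supported on {path}",
                     f"Allowed methods: {', '.join(sorted(set(allowed)))}")
    return error(404, "not_found", f"No resource at {path}")
```

The status code alone tells a client whether to retry, fix its request or give up; the `code` field in the payload is what client code should branch on, because the human-readable `message` is free to change. Keeping the dispatcher separate from the handlers is also what makes each route's error behaviour easy to test in isolation.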
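Slide 12 shows the client side of limit/offset paging but the DDoS safeguard lives on the server: the service must decide the maximum page size itself rather than honour whatever `limit` arrives. The following is an added example, not code from the talk or from FX Labs; it enforces a page-size ceiling for the slide's `GET /items?limit=20&offset=20` style and also for the keyset style the slide mentions. `MAX_LIMIT`, the `after` cursor parameter and the item data set are constructed assumptions.

```python
"""Added example for slide 12 (not from the talk): server-side pagination limits
that cap how much one request can pull, with both offset and keyset variants.
MAX_LIMIT, the parameter names and the item data set are constructed."""
import bisect

MAX_LIMIT = 100      # hard ceiling on page size, applied server-side
DEFAULT_LIMIT = 20   # used when the client sends no limit

# Constructed data set: 1,000 items with ascending, unique ids.
ITEMS = [{"id": i, "title": f"item {i}"} for i in range(1, 1001)]
_IDS = [item["id"] for item in ITEMS]


class BadRequest(ValueError):
    """Raised for malformed paging parameters; map to HTTP 400 in a real handler."""


def _int_param(params, name, default, minimum):
    """Parse an integer query parameter, rejecting garbage and negatives."""
    raw = params.get(name)
    if raw is None:
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise BadRequest(f"{name} must be an integer") from None
    if value < minimum:
        raise BadRequest(f"{name} must be >= {minimum}")
    return value


def _limit(params):
    # Clamp rather than reject: a client asking for 1,000,000 rows gets MAX_LIMIT.
    return min(_int_param(params, "limit", DEFAULT_LIMIT, 1), MAX_LIMIT)


def offset_page(params):
    """GET /items?limit=20&offset=20 style paging (slide 12)."""
    limit = _limit(params)
    offset = _int_param(params, "offset", 0, 0)
    page = ITEMS[offset:offset + limit]
    next_offset = offset + limit if offset + limit < len(ITEMS) else None
    return {"items": page, "limit": limit, "offset": offset, "next_offset": next_offset}


def keyset_page(params):
    """GET /items?limit=20&after=<last id> style paging (keyset/seek).

    Uses the sorted id as a cursor, so each page costs O(log n + limit)
    no matter how deep the client has scrolled; a large offset, by
    contrast, still makes a database skip over all the preceding rows.
    """
    limit = _limit(params)
    after = _int_param(params, "after", 0, 0)
    start = bisect.bisect_right(_IDS, after)
    page = ITEMS[start:start + limit]
    next_cursor = page[-1]["id"] if page and start + limit < len(ITEMS) else None
    return {"items": page, "limit": limit, "next_cursor": next_cursor}
```

Returning the clamped `limit` in the response lets a well-behaved client notice that it asked for more than the service allows. The keyset variant is the one to reach for when the list is large, because offset paging bounds the rows returned but not the rows the database has to walk past to reach the offset.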
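Slides 13 and 14 define RBAC and then warn that users accumulate unnecessary roles and that the Joiner-Mover-Leaver process is critical. The following is an added example, not code from the talk or from FX Labs: a small RBAC store with deny-by-default checks and the review helpers that make those two warnings concrete. The role catalogue, permission names and user names are constructed for the example.

```python
"""Added example for slides 13-14 (not from the talk): a small RBAC store with
deny-by-default checks, multi-role users, and review helpers that surface the
role accumulation the slide warns about, plus a Joiner-Mover-Leaver workflow.
The role catalogue, permission names and users are constructed."""

# Constructed role catalogue. Permissions are "resource:action" strings.
ROLE_PERMISSIONS = {
    "viewer":  {"orders:read"},
    "support": {"orders:read", "orders:refund"},
    "admin":   {"orders:read", "orders:refund", "orders:delete", "users:manage"},
}


class RbacDirectory:
    def __init__(self, catalogue=ROLE_PERMISSIONS):
        self.catalogue = catalogue
        self.user_roles = {}   # user -> set of role names

    def _check_known(self, roles):
        for role in roles:
            if role not in self.catalogue:
                raise KeyError(f"unknown role {role!r}")

    # Joiner: grant a role. Unknown roles are rejected, not silently ignored.
    def assign(self, user, role):
        self._check_known([role])
        self.user_roles.setdefault(user, set()).add(role)

    # Mover: replace the old role set entirely and report what was dropped,
    # so a transfer does not leave the previous job's permissions behind.
    def move(self, user, new_roles):
        self._check_known(new_roles)
        old = self.user_roles.get(user, set())
        removed = old - set(new_roles)
        self.user_roles[user] = set(new_roles)
        return removed

    # Leaver: strip everything; later checks deny by default.
    def leave(self, user):
        return self.user_roles.pop(user, set())

    def effective_permissions(self, user):
        """Union of the permissions of every role the user holds."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.catalogue[role]
        return perms

    def is_allowed(self, user, permission):
        # Deny by default: unknown users and unlisted permissions are refused.
        return permission in self.effective_permissions(user)

    def redundant_roles(self, user):
        """Roles that add no permission beyond what the user's other roles grant.

        These are the accumulated roles slide 14 describes; each one is an
        extra path to the same access that has to be reviewed and revoked.
        """
        roles = self.user_roles.get(user, set())
        redundant = set()
        for role in roles:
            others = set()
            for other in roles - {role}:
                others |= self.catalogue[other]
            if self.catalogue[role] <= others:
                redundant.add(role)
        return redundant

    def excess_permissions(self, user, required):
        """Permissions held beyond a reviewed required set (least-privilege review)."""
        return self.effective_permissions(user) - set(required)
```

`redundant_roles` and `excess_permissions` are the periodic-review side of RBAC: the first catches role accumulation, the second catches a role whose permissions have grown past what the holder's job needs. `move` returning the removed roles is what an audit log should record for a transfer, since a mover who keeps the old roles is the most common way excess permissions appear.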
