Chapter 6. Operational Security: Threat Modeling for APIs
At this stage you have explored the full API Lifecycleâtaking into consideration design and testing, options for deployment, and strategies for releasing APIs. The Attendee API may appear like it is ready to be exposed to external systems. APIs are quick to build, tricky to design for future compatibility, and even harder to secure. The truth is that developers and architects focus on delivering functionality, and security is often not considered until toward the end of a project.
In this chapter, you will see why security is important and how not having proper security in place can damage your reputation and be expensive. You will learn how to examine a systemâs architecture for security weaknesses and determine the threats that could be encountered within a production environment. Of course, you wonât be able to identify all the threatsâattackers are devious, and the threat landscape continually evolvesâbut the critical skill for architects is to be able to âshift leftâ the design and implementation of security concerns, both for themselves and for the wider development teams.1 The earlier you consider security within your software development lifecycle (i.e., the further left this can be shifted), generally speaking, the easier and more cost effectively you can adapt to the evolving threat landscape. This will help you make informed decisions when engaging in the security design for APIs.
Get Mastering API Architecture now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.