% API Security % Michael Stone % November 30, 2021 A friend and colleague recently asked for an overview of the relevant language of "API security". Here was my reply:
First off, API security is a very messy topic, so I am quite curious how you & others are parsing + thinking about it. Briefly though: API security is much broader than just *web* API security (though that may be your interest) since it also includes OS APIs, language/library APIs, as well as APIs used over nominally private transports. That said, IMO, the usual major decomposition is into * authentication, * authorization, * the access control to implement them, * key distribution + recovery protocols, * logging + log usability, * LANGSEC concerns (gadgets, injections, chimaeras), * confused deputies, * insider monitoring, and * systems + implementation abusability considerations like * DoS-protection, * cache purgeability, and * harassment/doxxing/accessory hazards — just to start. There is a fairly long reading list behind the above outline. However, to simplify, I like to say that: * authentication is about agreeing on who said what, * authorization is about deciding how to act on what was said, * key distribution + recovery is very system-specific, * logging should be searchable, machine-readable, and retained a long time, * the LANGSEC stuff is just tricky and mostly needs to be brute-forced -- i.e. by requiring safe languages / libraries / etc. since normal humans cannot avoid these issues unaided. * capabilities probably are the right solution for deputies but are too hard to understand (maybe should have been called “caller allocates [access]”), * insider monitoring = squeaky floor boards + N-party control + delays for reaction time + vetos for coercion?, and * the systems-stuff is mostly either situation specific details or rules-of-thumb like: * “caches must be purgeable”, * “storage will store bad stuff”, * “compute will be mined”, * “you need a bigger pipe than the adversary”, * “users will stalk + harass each other with all available means”, * “backups will fail unless they are frequently restored from + end-to-end verified”, etc.