Application Programming Interfaces

Introducing Systems Development Controls 
891
directly with the underlying service through function calls. For example, a social media 
API might include some of the following API function calls: 
■
Post status 
■
Follow user 
■
Unfollow user 
■
Like/Favorite a post
Offering and using APIs creates tremendous opportunities for service providers, but it 
also poses some security risks. Developers must be aware of these challenges and address 
them when they create and use APIs. 
First, developers must consider authentication requirements. Some APIs, such as those 
that allow checking weather forecasts or product inventory, may be available to the general 
public and not require any authentication for use. Other APIs, such as those that allow 
modifying information, placing orders, or accessing sensitive information, may be limited 
to specifi c users and depend on secure authentication. API developers must know when to 
require authentication and ensure that they verify credentials and authorization for every 
API call. This authentication is typically done by providing authorized API users with a 
complex API key that is passed with each API call. The backend system validates this API 
key before processing a request, ensuring that the system making the request is authorized 
to make the specifi c API call. 
API keys are like passwords and should be treated as very sensitive infor-
mation. They should always be stored in secure locations and transmitted 
only over encrypted communications channels. If someone gains access to 
your API key, they can interact with a web service as if they were you!
APIs must also be tested thoroughly for security fl aws, just like any web application. 
You’ll learn more about this in the next section.

Download 19,3 Mb.

Do'stlaringiz bilan baham: