From API Security in Action by Neil Madden

This article covers the definition of an API and what it means for an API to be secure.


Take 37% off API Security in Action. Just enter fccmadden into the discount code box at checkout at

Application Programming Interfaces (APIs) are everywhere. Open your smartphone or tablet and look at the apps you have installed. Almost without exception those apps are talking to one or more remote APIs to download fresh content and messages, poll for notifications, upload your new content, and perform actions on your behalf.

Load your favorite web page with the developer tools open in your browser, and you likely see dozens of API calls happening in the background to render a page which is heavily customized to you as an individual (whether you like it or not). On the server, those API calls may themselves be implemented by many microservices, communicating with each other via internal APIs.

Increasingly, even the everyday items in your home are talking to APIs in the cloud-from smart speakers like Amazon Echo or Google Home, to fridges, electricity meters, and lightbulbs. The Internet of Things (IoT) is rapidly becoming a reality in both consumer and industrial settings, powered by ever-growing numbers of APIs in the cloud and on the devices themselves. Understandably, the rise of cloud computing has raised a number of cybersecurity concerns. For more information about cybersecurity and cloud technology, including cloud security posture management, go to

Although the spread of APIs is driving ever more sophisticated applications that enhance and amplify our own abilities, they also bring increased risks. As we become more dependent on APIs for critical tasks in work and play, we become more vulnerable if they’re attacked. The more APIs are used, the greater their potential to be attacked. The property that makes APIs attractive for developers, ease of use, also makes them an easy target for malicious actors.

This article is about how to secure your APIs against these threats allowing you to confidently expose them to the world.

Taking your driving test

You finish work at 5pm as usual, but today is special. Rather than going home to tend to your carnivorous plant collection and then flopping in front of the TV with a pre-peeled avocado and tasting platter of organic pea shoots, you have somewhere else to be. Today you’re taking your driving test.

You rush out of your office and across the park to catch a bus to the test center. As you stumble past the queue of people at the hot dog stand, you see your old friend Alice walking her pet alpaca, Horatio.

“Hi Alice!” you bellow jovially, “How’s the miniature recreation of eighteenth century Paris coming along?”

“Good!” she replies. “You should come and see it soon.”

She makes the universally recognized hand-gesture for “call me” and you both hurry on your separate ways.

You arrive at the test center a little hot and bothered from the crowded bus journey. If only you could drive, you think to yourself! After a short wait, the examiner comes out and introduces himself. He asks to see your learner’s permit and studies the old photo of you with the ill-advised haircut you thought was pretty cool at the time. After a few seconds of quizzical stares, he eventually accepts that it’s you, and you can finally begin the test.

Oh dear, it doesn’t go well. Better luck next time. I think that may be the first time a driving test was failed due to a UFO sighting, but if you’d hit the brake rather than the gas