As some of you may already know, I have been working on a book on API security for Manning in my spare time: API Security in Action. The book has now reach a point where the publisher are happy for it to go into early-access release (MEAP as they call it), so you can now pre-order and download the first 3 chapters on their website.
The book covers the basics of securing remotely accessible APIs (REST) taking a ground-up approach, and then moves on in the later chapters to look at the specifics of securing microservice APIs in Kubernetes and even APIs for the Internet of Things (IoT). It covers lots of things you’d expect, like JSON Web Tokens and OAuth 2, and some things you perhaps wouldn’t like Waterken-style capability URLs and Macaroons. I’ve also taken an opinionated approach, which will come as no surprise to anybody who knows me. JWT is covered because its an important technology, but that doesn’t mean it gets a free pass. I’ve tried to separate the good parts from the bad, and warn you away from the real foot-guns.
The principle I’ve followed so far is that good practical advice (the “in Action” part) requires having a good understanding of how things actually work and what security properties each component provides. So rather than just throwing together a JWT library and an API gateway and showing a few deployment patterns, you’ll learn some of the deeper principles involved first. I start off with some basic secure development techniques and common attacks against REST APIs. We then look at the basic security controls of authentication, rate-limiting, access control, and audit logging. You’ll build primitive (but secure) versions of all these mechanisms from scratch before moving on to look at more fully-featured alternatives as the book progresses.
I hope you take a look. If you do, please leave feedback (good or bad) in the forum or email me personally. It’s been a much harder process writing it than I originally expected, trying to balance the desire to teach everything with a need to keep it simple enough to engage readers. Hopefully I’ve struck the right balance, but let me know either way. And of course, if you spot anything outright wrong then let me know about that too so I can fix it.