4 Comments

Sure, getting started with unsecured APIs is EASY. Getting a single endpoint up, single-threaded and unsecured, on overly priced tooling is simple. But then you have to secure it:

- cors
- jwt
- oauth
- sessions
- tokens management
- user management
- caching
- rate limiting
- rule synchronization
- internal/external redirection with rule synchronization
- etc etc

All fairly easy and simple for those who don't want their databases mined and their websites hacked.


Great points!

How do we, as a group of professionals and company operators, fix all those things for good? Where are the solutions that make the lives of API producers and consumers easier?


Well, first, we are software engineers, not 'tool users'. Corporations got evangelists to sell companies on using tools so they could get cheap labor. Unfortunately, they didn't tell these companies everything that they would need to create a secure system.

As software engineers, it is up to us to understand security and evaluate.

- How easily can the tools supply these features?
- How many STEPS are involved?
- How good is the documentation?
- Is there additional cost for each (i.e. AWS)?

These are not hard things to understand, but there are lots of people out there confusing others by spending their time bullshitting with 'storytelling'.

Focus on those who are talking about the technical details and ignore everyone else.

https://a.co/d/dqLUQ23


- versioning
- observability
- uptime testing and alerting
