The week in API strategy, news, articles, and upcoming events.
James Higginbotham, Curator
A hand-curated weekly newsletter for API developers, sponsored by LaunchAny and CaseySoftware


API Developer Weekly

May 19, 2022 - Issue #407
This week's articles include an interesting discussion on the role every person plays in protecting APIs. We also have a performance test between gRPC and REST, and we ask whether GraphQL is a trap, based on a recent Twitter thread. We also have a spotlight on API security, which seems to have been a hot topic for authors this week. For those familiar with Heroku, there is a thoughtful article on the degradation of its DevEx over the years. Plus, some great items in the "(Un)Related" section.

Happy Reading!
-- James

 
Hot Topics
Who Is Responsible for Protecting APIs?
With the meteoric rise in API attacks, someone needs to be responsible for securing APIs. One trouble is that "responsible" maintains nuances in meaning. When someone says, "You're responsible for getting this done," they mean that person is supposed to supervise the project to completion. [nordicapis.com]

gRPC vs. REST - Performance Test using JMeter
gRPC is an open-source Remote Procedure Call framework, initially developed at Google in 2015. In 2017, it became a Cloud Native Computing Foundation (CNCF) incubation project due to increasing popularity. The gRPC framework is used to build scalable and high-performance APIs. Many top organizations leverage it to power their use cases, from... by DLT Labs [medium.com]

GOTO Book Club Interview: Principles of Web API Design: Delivering Value with APIs and Microservices
James Higginbotham, the author of “Principles of Web API Design: Delivering Value with APIs and Microservices”, outlines the key points about creating and using APIs in today’s world, in a discussion with Mike Amundsen. You will discover the principles of the ADDR process and how jobs stories and event storming can contribute to a successful API launch and structure. They also touch upon key terms such as Minimum Viable Portal and using API boundaries to bundle API products for specific market segments. [gotopia.tech]

GraphQL is a Trap?
This Twitter thread blew up on Twitter yesterday and I thought I'd go over some of the author's points in a longer format so we can clear up some misconceptions. Let's go over them one by one! [Tweet 1] GraphQL makes your public API equal to a generic database and - worse - a generic graph database. by Marc-André Giroux [xuorig.medium.com]

Announcing the Cloudflare API Gateway
Today we’re announcing the Cloudflare API Gateway. We’re going to completely replace your existing gateway at a fraction of the cost. And our solution uses the technology behind Workers, Bot Management, Access, and Transform Rules to provide the most advanced API toolset on the market. [blog.cloudflare.com]

Principles of Web API Design (Teaser) * James Higginbotham & Mike Amundsen * GOTO 2022
James Higginbotham, author of "Principles of Web API Design", outlines the key points of creating and using APIs in today's world. In the conversation with M... [youtube.com]

A powerful, flexible, Markdown-based authoring framework
From personal blogs to massive documentation sites, Markdoc is a content authoring system that grows with you. Markdoc is a Markdown-based syntax and toolchain for creating custom documentation sites. Stripe created Markdoc to power our public docs. Markdoc uses a fully declarative approach to composition and flow control, where other solutions... [markdoc.io]

I Miss Heroku's DevEx
A 7 minute read. If you've never really experienced it before, it's gonna sound really weird. Basically the main way that Heroku worked is that they would set up a git remote for each "app" it hosted. Each "app" had its source code in a git repo and a "Procfile" that told Heroku what to do with it. by Xe Iaso [christine.website]
 
Spotlight: API Security
Researchers discovered a simple malware builder designed to steal credentials, then pinging them to Discord webhooks. [threatpost.com]

GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations
graphql-threat-matrix was built for bug bounty hunters, security researchers and hackers to assist with uncovering vulnerabilities across multiple GraphQL implementations. The differences in how GraphQL implementations interpret and conform to the GraphQL specification may lead to security gaps and unique attack vectors. by nicholasaleks [github.com]

Scaling Token Revocation with Continuous Access Evaluation
In today's app economy, more and more client interactions and transactions are occurring via the web and mobile applications, where predominantly APIs are being used for Information Exchange. This enables modern enterprises to break the traditional barriers and expose their on-premises and cloud-based digital assets and applications to the outside world in a secure manner. by Balaji Radhakrishnan, PMP, CISSP [apiacademy.co]

What is FIDO2? FIDO2 Web Authentication Explained | strongDM
Summary: In this article, we will take a big-picture look at FIDO2 and how it applies to passwordless authentication. You'll learn about the origins of FIDO2, its advantages and disadvantages, the differences between FIDO2, FIDO, and WebAuthn, and how UAF and U2F differ. by Andy Magnusson [cms.strongdm.com]

Your APIs Are Only as Secure as Your JWTs | Blog
API security has over the years. As an industry, we have moved from API-key-based security to token authorization. And most companies today typically leverage either or OpenID Connect standards to secure their APIs with tokens. This is a positive trend (which large API ecosystems can take even further) that helps increase the security of APIs. [curity.io]
 
The Business of APIs
Why monetizing and crowdfunding internal/private APIs?
Jumping into the API-first train, even only focusing on private/internal APIs, will have an impact on budgets. Organizations need to find ways to redistribute budgets in order to enable any team that needs to provide APIs to do it in the best possible conditions. Is monetizing private/internal API the solution? by Arnaud Lauret [apihandyman.io]

Patent Issued for System and method for fraud detection using event driven architecture (USPTO 11315119): United Services Automobile Association
2022 MAY 12-- By a News Reporter-Staff News Editor at Insurance Daily News-- A patent by the inventors Brandt, Randall Martin, Hendry, Jason Paul, Jimenez, Marco Aldo, Kalich, Rodney, Perry, David, filed on May 31, 2019, was published online on April 26, 2022, according to news reporting originating from Alexandria, Virginia, by NewsRx correspondents. [insurancenewsnet.com]
 
(Un)Related
Oracle really does owe HPE $3b after Supreme Court snub
The US Supreme Court on Monday declined to hear Oracle's appeal to overturn a ruling ordering the IT giant to pay $3 billion in damages for violating a decades-old contract agreement. In June 2011, back when HPE had not yet split from HP, the biz sued Oracle for refusing to add Itanium support to its database software. [theregister.com]

Why You Should Care About Software Architecture
Software development teams have resisted "big upfront designs" in favor of architectural designs emerging from self-organizing teams, which can lead to a mindset that software architecture is not really that important. Greater awareness of the implicit decisions they are making, and forcing these decisions to be made explicitly, can help development teams make better, more informed decisions. [infoq.com]

The advantages of event-driven architecture (EDA)
In the move to a customer-centric, distributed energy system, data is playing an increasingly central role. Utilities are facing a torrent of energy data that must be managed and processed in as close to real time as possible. And this torrent is likely to become a tsunami as grids become smarter and grid edge innovation increases. [smart-energy.com]

Unified Microservices Patterns (UMP)
Most of us remember the beginnings of the visual modeling era in the 90s where a lot of leaders worked individually to develop their own methods. by Haitham Raik [haitham-raik.medium.com]

Enterprise architects take charge of the digital revolution
Enterprise architects have been adding a new designation to their titles: digital enterprise architect. That's because their roles have been expanding over the past few years, particularly with data analytics being added to their repertoires. by Joe McKendrick [zdnet.com]
 
Want to share something?
As always, if you want to chat, share a link, or make a suggestion, feel free to drop us a quick note by tagging us on Twitter (@launchany and @caseysoftware) or by emailing us at: james@launchany.com
 
Copyright © 2022 LaunchAny, All rights reserved.