The week in API strategy, news, articles, and upcoming events.
James Higginbotham, Curator  A hand-curated weekly newsletter for API developers, sponsored by LaunchAny and CaseySoftware

Find this via Twitter? Subscribe now so you don't miss out

API Developer Weekly

May 5, 2022 - Issue #405
Spring is in full-swing and we have lots of articles being planted this week 🌻. First, we have an article from Google Cloud that brings to light a multitude of API security concerns that everyone should be considering. We also see the impact of GraphQL flexibility on API security (something many of you have been trying to socialize for some time), and an exploration of APIs adopting a 'least privilege' security model. Plus, a look at Server-Sent Events (SSE), a REST-based approach to server push compared to Websockets and GraphQL Subscriptios. Async API specification reaches 2.4.0, SoundCloud ends their public API strangler strategy as they have now moved to a full BFF approach, and more. 

Happy Reading!
-- James

Hot Topics
Google Cloud sees storm brewing over API security
If you're developing software or working with anything serverless, you'll know that remote and as-a-service APIs are what make the clouds float. It's debatable whether the proliferation of cloud APIs is a good thing, and taking remote API advice from Google may strike some people as unusual given its past. []

GraphQL APIs: Greater Flexibility Breeds New Security Woes
In complex application environments where APIs are the bridge between a multitude of data stores, containers, functions and microservices, the more flexible and dynamic the API is, the better. This is why GraphQL is an increasingly popular language among developers for writing APIs. But don't be fooled: Considerable risk lurks behind all this development innovation. by Peter Klimek []

How Should APIs Adopt a 'Least Privilege' Security Model?
The Principle of Least Privilege (POLP) has been around for some time - the term appears in the Department of Defense's Computer System Evaluation Criteria, published in 1985. And Michael Gegick and Sean Barnum wrote about Least Privilege for the US government's Cybersecurity and Infrastructure Security Agency (CISA) back in 2005. []

GraphQL Subscriptions: Why we use SSE/Fetch over Websockets
This blog was written by our CEO and Founder Jens Neuse. If you enjoy our blogs and topics, join our Discord! WunderGraph exposes GraphQL Subscriptions over SSE (Server-Sent Events) or Fetch (as a fallback). This post explains why we've decided to take this approach and think it's better... by WunderGraph 🚀 []

AsyncAPI Spec 2.4.0 Release Notes | AsyncAPI Initiative for event-driven APIs
AsyncAPI 2.4 is now released. This brings really helpful additions, such as the new `messageId` field, Server Variables reusability, and security at Operation level []

SoundCloud Chronicles the End of the Public API Strangler
SoundCloud has recently announced they have completed their 8-year-long migration journey using the Strangler pattern from a monolithic codebase to a fully-fledged Backend For Frontend(BFF), an architecture pattern pioneered by and at SoundCloud. The announcement examines the SoundCloud team's steps to have a successful migration, the learnings from the migration journey, and the benefits and risks of the Strangler pattern. []

12 Helpful Tips For Using A Currency API - ABC Money
APIs have been increasingly popular over the years. It's understandable since they facilitate data flow and interaction between apps. Furthermore, APIs save developers from recurring activities and boost work effectiveness by directing their attention whenever required. In this article, we will be discussing 12 helpful tips for using a currency API, more specifically, currencylayer API. []

7 Uses of cURL: Testing Your APIs Conveniently
You don't need to download Postman at all Trying some APIs is a common operation for software developers. Postman is a famous GUI tool for this purpose. However, life is not always easy, is it? You probably cannot use a pretty GUI tool in some scenarios. by Yang Zhou []

Ensure API Excellence with Free Data Validation Tools (like Prism!)
We're highlighting free tools that can help you validate requests against an OpenAPI description & diving into open-source HTTP mock server tool, Prism. by Janet Wagner []
The Business of APIs
Design-First Approach to API Development: How to Implement and Why It Works
With the rapid growth of the API industry, developers and technology leaders alike need to know how to create a successful and scalable API program that will drive business value. Developers should consider prioritizing a design-first approach to building APIs which will ensure a positive experience for all stakeholders. []

When internal API development and hosting costs collide with API-First strategy
An often unintended consequence of an internal API-first strategy is having teams with not much IT jumping, willingly or not, in the API train. That inevitably will raise budget questions which answers will determine the success of the API-first strategy. by Arnaud Lauret []
Event-Based Architectures: the Hard Parts
Breck: I work in real-time systems, and have for a while. I think Astrid's talk, talked about thinking of the electrical grid as a distributed system, and how are we going to manage all these renewable devices on the electrical grid. That's inherently a real-time problem. []

10+ Cloud Storage APIs Compared
Automated data backups sound too good to be true, right? Well, if you're using WhatsApp, then you're probably already aware of the Chat Backup feature. It automatically creates chat backups and uploads them on Google Drive, so the next time you install WhatsApp on a new device, you can quickly restore your chats and media files. []

Airbnb's Microservices Architecture Journey To Quality Engineering
Achieving balance is an endless beginning. An equilibrium even harder to maintain when the business depends on software quality and speed to survive. Companies have the challenge of continuously delivering Quality at Speed software , constraining the software lifecycle with Quality Engineering. by Antoine Craske []

Keeping Swagger documentation in sync with SwaggerHub API & the GitLab pipeline
The SwaggerHub API-design and documentation platform is a useful tool when you're trying to update API documentation immediately for both external and internal parties. We use it at Haven Technologies to keep track of changes to our existing or new APIs that our third-party partners use (such as our prefill APIs that help our partners automatically prefill insurance applications for their users), and also for internal APIs that communicate between different products. by Rita Kaufman []

A File Format to Aid in Security Vulnerability Disclosure
When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities. by Edwin Foudil []
Want to share something?
As always, if you want to chat, share a link, or make a suggestion, feel free to drop us a quick note or tagging us on Twitter (@launchany and @caseysoftware) or by emailing us at:
Follow on Twitter    Forward to Friend    Subscribe
Copyright © 2022 LaunchAny, All rights reserved.
unsubscribe from this list