At Ingage Partners, we believe that great software is built by great teams - and great teams never stop learning.
That belief drives everything we do, from how we work with clients to how we grow our own people. One of the ways we live that out is through C3: Code, Craft, Community - a monthly meetup we host that brings together developers from all levels and backgrounds to sharpen their skills, pair program, and explore the deeper questions behind great software development.
We don’t just talk about learning. We practice it, publicly and together.
September’s Meetup: Plugging a Leaky API
September’s kata was a little out of the ordinary in that we didn’t develop something from scratch. Instead, we conducted what we refer to as a ‘debug’ kata. We analyzed existing code with known bugs and fixed them. The bugs in this case were in the implementation of an Application Programming Interface (API), which is a way for programs to expose their services to third parties. Bugs in any program are a bad thing, but in the case of an API, bugs usually result in security vulnerabilities.
Security of APIs is extremely important - so important, in fact, that OWASP (the Open Worldwide Application Security Project) publishes the OWASP Top 10 API Security Risks, a list of vulnerabilities that commonly occur in the development of APIs. It is the standard against which anyone developing APIs should test them. The use of APIs has grown significantly in recent years and consequently has attracted a growing share of bad actors (and I don’t mean William Shatner!). If a company decides to expose their APIs to the public, they had better make them secure!
The Kata: Uteeni and Co Parts and Scrap
(Star Wars nerd alert!)
In the harsh desert environment on Tatooine, sand crawlers tend to break down, droids need replacement parts, and moisture farmers routinely need vaporator seals and filters. Never ones to miss an opportunity to make a quick Galactic Credit, the Jawas have opened an online business to meet those needs: Uteeni and Co Parts and Scrap. Business is booming, but they have a problem: the API at the heart of their system is leakier than the Millennium Falcon’s hydraulics. Consequently, they have been the target of several serious cyberattacks since they moved their backend to an API-driven architecture.
We paired up and took a look at Uteeni’s API. Not surprisingly (it was a kata, after all), each of their five endpoints violated a different OWASP risk. One endpoint allowed dynamic content (code) to manipulate objects, resulting in a security misconfiguration (OWASP #8). Another allowed a user to view orders created by another user (OWASP #1). One returned more data than was necessary (OWASP #3).
Once we identified the vulnerability, it was relatively straightforward to plug the leak. This is the irony of API development: it’s easy to create insecure endpoints, but almost as easy to write them securely in the first place.
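To make two of those leaks concrete, here is an added example in Python that is not the kata’s own code (the post does not show it) and does not depend on any web framework. It models the "view another user’s order" endpoint (OWASP API #1, Broken Object Level Authorization) and the "returns more data than necessary" endpoint (OWASP API #3) as plain handler functions, each beside its hardened form. The `Order` type, the handler names and the sample orders are all constructed for illustration.

```python
"""Leaky vs. hardened order lookup for a fictional parts shop.

Added example, not code from the C3 kata. Handlers return (status, body)
tuples standing in for an HTTP response. All sample data is constructed.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    item: str
    credits: int
    shipping_address: str  # the caller does not need this in the response
    payment_token: str     # must never leave the server


# Constructed sample data: two customers, one order each.
ORDERS = {
    101: Order(101, "luke", "vaporator seal", 40, "Lars homestead", "tok-aaa"),
    102: Order(102, "owen", "droid restraining bolt", 15, "Lars homestead", "tok-bbb"),
}

# Explicit allow-list of fields a customer may see about their own order.
PUBLIC_FIELDS = ("order_id", "item", "credits")


def get_order_leaky(caller: str, order_id: int) -> tuple[int, dict]:
    """Vulnerable handler: two leaks in four lines.

    1. OWASP API #1: the id comes straight from the request and the
       caller's identity is never compared with the order's owner, so any
       authenticated user can read any order by guessing ids.
    2. OWASP API #3: the whole object is serialised, including the
       shipping address and payment token.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, asdict(order)


def get_order_secure(caller: str, order_id: int) -> tuple[int, dict]:
    """Hardened handler.

    Object-level authorization: the order must belong to the caller.
    'Missing' and 'not yours' deliberately produce the same 404 so the
    endpoint does not confirm which order ids exist for other users.
    Response shaping: only the allow-listed fields are returned, so adding
    a new sensitive column to Order later cannot silently leak it.
    """
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        return 404, {"error": "not found"}
    return 200, {field: getattr(order, field) for field in PUBLIC_FIELDS}


if __name__ == "__main__":
    # luke asks for owen's order: the leaky handler hands it over, token and all.
    print(get_order_leaky("luke", 102))
    # The hardened handler treats it exactly like a nonexistent order.
    print(get_order_secure("luke", 102))
    # luke's own order comes back with only the public fields.
    print(get_order_secure("luke", 101))
```

The two fixes are independent and both are cheap: the ownership check is one extra condition, and the allow-list is a tuple of field names. That is the point made above about API development - the secure version is barely longer than the leaky one, it just has to be written that way from the start.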
This was a valuable and eye-opening experience, particularly for the junior developers who were present. In a 90-minute kata, however, we barely scratched the surface of API security and of best practices in developing APIs. If only there were a meetup dedicated solely to developing good APIs.
Wait a minute! While Ingage Partners sponsors Code, Craft, Community, the company also sponsors APIs and IPAs, a monthly meetup focused on good APIs (and good beer!). It occurs on the second Wednesday of the month from 6:00-7:30pm at Ingage Partners, 2943 Riverside Dr, Cincinnati, OH 45226. Join us next time!