Unless security is a core design-level requirement, it will not be given the attention it deserves and will likely be retrofitted under pressure — which will very likely result in a weak security posture.
At Cloudize, we decided to address this.
By making security a core design requirement within Tesseract (our internal API Design Technology), we ensure that every API we design and develop is secure by default. During the design process, and in collaboration with a client, we identify and define security personas that map to expected real-world API consumers. Every endpoint (and action) in the design requires that penetration test cases be defined for each persona; these cases validate the security policies associated with the endpoint (and action).
The result is a set of unit tests within the API testing framework that validate the API's security posture for each persona the business expects to engage with. This ensures that if a developer inadvertently makes a change that compromises the expected behaviour, the tests fail.
A vital aspect of the security implementation within the Cloudize API Framework is the definition of role-based security policies at resource, endpoint, object, and even field level within the API's design. Endpoints that expose resources cannot offer broader access to the resource than the resource allows (i.e. they can only implement a subset of the resource-level policy).
Security roles can be assumed or denied based on a combination of scopes within the Auth token or, in the case of API Keys, are defined in the associated material.
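The following is an added illustration (not Tesseract's or the Cloudize API Framework's own code) of the three ideas above: a resource-level policy that an endpoint may only narrow, roles derived from token scopes, and a per-persona matrix that serves as the test cases for an endpoint. The scope names, role names, personas, resource and field names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Iterable, Mapping

# Token scope -> security role. Constructed mapping; real names come from the API design.
SCOPE_TO_ROLE: Dict[str, str] = {
    "orders:read": "reader",
    "orders:write": "editor",
    "orders:admin": "admin",
}

# Security personas the business expects, expressed as the scopes their tokens carry.
PERSONAS: Dict[str, FrozenSet[str]] = {
    "anonymous": frozenset(),
    "customer": frozenset({"orders:read"}),
    "operator": frozenset({"orders:read", "orders:write"}),
    "administrator": frozenset({"orders:admin"}),
}


@dataclass(frozen=True)
class Policy:
    """Roles permitted to perform each action (action -> set of roles)."""
    allowed: Mapping[str, FrozenSet[str]]

    def roles_for(self, action: str) -> FrozenSet[str]:
        return self.allowed.get(action, frozenset())

    def is_subset_of(self, parent: "Policy") -> bool:
        # Every action this policy grants must be granted, to the same or a
        # larger set of roles, by the parent policy.
        return all(roles <= parent.roles_for(action)
                   for action, roles in self.allowed.items())


@dataclass(frozen=True)
class Endpoint:
    name: str
    resource_policy: Policy
    endpoint_policy: Policy
    # Field-level policy: field -> roles allowed to see it. Unlisted fields are
    # visible to anyone who may read the endpoint.
    field_policy: Mapping[str, FrozenSet[str]]

    def __post_init__(self) -> None:
        # Design-time invariant: an endpoint may narrow, never widen, its resource policy.
        if not self.endpoint_policy.is_subset_of(self.resource_policy):
            raise ValueError(f"endpoint {self.name!r} grants more than its resource allows")


def roles_from_scopes(scopes: Iterable[str]) -> FrozenSet[str]:
    """Derive security roles from the scopes carried in an auth token."""
    return frozenset(SCOPE_TO_ROLE[s] for s in scopes if s in SCOPE_TO_ROLE)


def authorize(endpoint: Endpoint, action: str, scopes: Iterable[str]) -> bool:
    # Deny by default: a role must be granted by both the endpoint and the resource policy.
    roles = roles_from_scopes(scopes)
    return bool(roles
                & endpoint.endpoint_policy.roles_for(action)
                & endpoint.resource_policy.roles_for(action))


def visible_fields(endpoint: Endpoint, scopes: Iterable[str],
                   record: Mapping[str, Any]) -> Dict[str, Any]:
    """Apply the field-level policy to a response object."""
    roles = roles_from_scopes(scopes)
    return {k: v for k, v in record.items()
            if k not in endpoint.field_policy or roles & endpoint.field_policy[k]}


def persona_matrix(endpoint: Endpoint,
                   actions: Iterable[str] = ("read", "write", "delete")) -> Dict[str, Dict[str, bool]]:
    """Outcome per persona and action: the security test cases for one endpoint."""
    return {persona: {a: authorize(endpoint, a, scopes) for a in actions}
            for persona, scopes in PERSONAS.items()}


# Constructed sample resource and endpoint.
ORDERS_RESOURCE = Policy({
    "read": frozenset({"reader", "editor", "admin"}),
    "write": frozenset({"editor", "admin"}),
    "delete": frozenset({"admin"}),
})

# A read-only endpoint whose internal_margin field is visible only to admins.
ORDER_GET = Endpoint(
    name="GET /orders/{id}",
    resource_policy=ORDERS_RESOURCE,
    endpoint_policy=Policy({"read": frozenset({"reader", "editor", "admin"})}),
    field_policy={"internal_margin": frozenset({"admin"})},
)


def endpoint_widening_is_rejected() -> bool:
    """True if an endpoint broader than its resource is refused at design time."""
    try:
        Endpoint("DELETE /orders/{id}", ORDERS_RESOURCE,
                 Policy({"delete": frozenset({"editor", "admin"})}), {})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for persona, outcome in persona_matrix(ORDER_GET).items():
        print(f"{persona:14s} {outcome}")
```

The matrix returned by `persona_matrix` is the artefact a test suite would pin: if a later change lets the `operator` persona write through a read-only endpoint, or exposes `internal_margin` to a `customer`, the assertion on that matrix fails.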
The Cloudize API Framework allows integration with various standard and custom Authentication Providers, including the Cloudize Auth Platform Service. The implementation caches JWKS keys to boost performance and periodically refreshes them from the upstream Authentication Provider. Where API Keys need to be supported, standard options are provided, including the ability to restrict an API Key to specific source networks and timeframes.
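As an added example (not the framework's own code), here is one way to enforce the API Key restrictions just described: each key record carries the roles it grants, the source networks it may be used from, and a validity window. The key store, key value, networks and timestamps are constructed for the example, and "timeframe" is interpreted here as a validity window; an implementation could equally use time-of-day ranges.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import FrozenSet, Sequence, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ApiKeyRecord:
    key_hash: str                      # SHA-256 hex of the key; the raw key is never stored
    roles: FrozenSet[str]              # roles the key assumes (the "associated material")
    allowed_networks: Tuple[Network, ...]
    not_before: datetime
    not_after: datetime


def hash_key(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def validate_api_key(store: Sequence[ApiKeyRecord], presented_key: str,
                     source_ip: str, now: datetime) -> Tuple[bool, str, FrozenSet[str]]:
    """Return (accepted, reason, roles). Every failure yields an empty role set."""
    presented_hash = hash_key(presented_key)
    record = None
    for candidate in store:
        # Constant-time comparison of the digests; a real store would index by hash.
        if hmac.compare_digest(candidate.key_hash, presented_hash):
            record = candidate
            break
    if record is None:
        return False, "unknown key", frozenset()
    if not (record.not_before <= now < record.not_after):
        return False, "outside validity window", frozenset()
    addr = ip_address(source_ip)
    if not any(addr in net for net in record.allowed_networks):
        return False, "source network not allowed", frozenset()
    return True, "ok", record.roles


# Constructed key store: one key, usable from one /24 during 2024.
SAMPLE_KEY = "ck_example_constructed_key_value"
KEY_STORE: Tuple[ApiKeyRecord, ...] = (
    ApiKeyRecord(
        key_hash=hash_key(SAMPLE_KEY),
        roles=frozenset({"reader"}),
        allowed_networks=(ip_network("203.0.113.0/24"),),
        not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
        not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
    ),
)


if __name__ == "__main__":
    when = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(validate_api_key(KEY_STORE, SAMPLE_KEY, "203.0.113.7", when))
    print(validate_api_key(KEY_STORE, SAMPLE_KEY, "198.51.100.7", when))
```

Checks are ordered so that an unknown key, an expired key and a wrong source network all produce distinct reasons for the audit log while returning the same empty role set to the caller.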
Cloudize is a leader in API design and development. By leveraging our skills and technologies, you can radically accelerate your next innovation.