Security as API Requirement
Owen Rubel - API EXPERT
Original Amazon team (95-98) / Creator of API Chaining(R)
Imagine going to McDonald's and ordering a burger, and when you get it there is NO MEAT! And when you ask them about it, they say you have to go down the street and get it from another store, where it will cost extra.
Security is Optional
This is how almost all API projects work these days... security is OPTIONAL! Don't believe it?!! Take a look at OpenAPI. In fact, the OpenAPI lead dev strictly stated the following:
Literally everyone implementing OpenAPI has taken this approach or attitude towards APIs. Even when implementing security at the gateway, there is a security hole with Role Based Access Control (RBAC): security is checked FIRST and then API routing takes place. Because the RBAC check isn't DIRECTLY associated with the endpoint, it never looks at the request/response data belonging to that endpoint, so a role that is allowed to reach a route gets back whatever the handler returns. That is the security hole pointed out by OWASP API3:2019: EXCESSIVE DATA EXPOSURE.
Non Compliance With Guidelines
And practically no one is in compliance with the OWASP API Top 10, because to comply you have to have Role Based Access Control with Roles associated with your endpoints to control request and response data:
This is something that 'standards' like OpenAPI (as shown above) do not want to support to help you better secure your APIs... and which places like Amazon and others have had to support by rewriting and creating their own private versions of an API schema.
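As an added illustration of the difference described above (example code written for this post, not the author's framework, OpenAPI, or any gateway product), the following Python contrasts a route-only role check, which lets the handler's full output through once the role may reach the route, with a check bound to the endpoint definition that also controls which request fields a role may send and which response fields it receives. The endpoint paths, roles, and the user record are constructed for the example.

```python
"""Endpoint-bound RBAC that filters request and response data per role.

Added illustration (not code from the author's framework or from OpenAPI):
a gateway-style role check that only gates the route is compared with a
check bound to the endpoint definition that also constrains which request
fields a role may send and which response fields it may receive.
Endpoint names, roles and records below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


class Forbidden(Exception):
    """Raised when a role may not call an endpoint or send a field."""


@dataclass
class Endpoint:
    method: str
    path: str
    handler: Callable[[dict], dict]
    # Role -> request fields the role may send on write methods.
    request_fields: dict[str, set[str]] = field(default_factory=dict)
    # Role -> response fields the role may receive. A role absent from
    # this map is not permitted to call the endpoint at all.
    response_fields: dict[str, set[str]] = field(default_factory=dict)


# Constructed sample store: one record mixing public and internal data.
USERS = {
    42: {
        "id": 42,
        "name": "Ada",
        "email": "ada@example.invalid",
        "password_hash": "$2b$12$constructedhash",
        "internal_notes": "flagged for manual review",
    }
}


def get_user(request: dict) -> dict:
    """Returns the whole record; filtering is the dispatcher's job."""
    return dict(USERS[request["id"]])


def update_user(request: dict) -> dict:
    """Applies every field it is handed; field control must happen first."""
    USERS[request["id"]].update(request["body"])
    return dict(USERS[request["id"]])


ENDPOINTS = {
    ("GET", "/users/{id}"): Endpoint(
        "GET", "/users/{id}", get_user,
        response_fields={
            "user": {"id", "name"},
            "support": {"id", "name", "email"},
            "admin": {"id", "name", "email", "internal_notes"},
        },
    ),
    ("PATCH", "/users/{id}"): Endpoint(
        "PATCH", "/users/{id}", update_user,
        request_fields={
            "user": {"name"},
            "admin": {"name", "email", "internal_notes"},
        },
        response_fields={
            "user": {"id", "name"},
            "admin": {"id", "name", "email", "internal_notes"},
        },
    ),
}


def gateway_style(role: str, method: str, path: str, request: dict) -> dict:
    """Route-level RBAC only: once the role may reach the route, the
    handler's full output goes back unfiltered (excessive data exposure)."""
    endpoint = ENDPOINTS[(method, path)]
    if role not in endpoint.response_fields:
        raise Forbidden(f"{role} may not call {method} {path}")
    return endpoint.handler(request)


def endpoint_bound(role: str, method: str, path: str, request: dict) -> dict:
    """RBAC bound to the endpoint: gates the route, rejects request fields
    the role may not set, and strips response fields it may not see."""
    endpoint = ENDPOINTS[(method, path)]
    allowed_out = endpoint.response_fields.get(role)
    if allowed_out is None:
        raise Forbidden(f"{role} may not call {method} {path}")
    body = request.get("body", {})
    extra = set(body) - endpoint.request_fields.get(role, set())
    if extra:
        raise Forbidden(f"{role} may not set {sorted(extra)} on {method} {path}")
    result = endpoint.handler(request)
    return {k: v for k, v in result.items() if k in allowed_out}


def is_denied(role: str, method: str, path: str, request: dict) -> bool:
    """True when the endpoint-bound check refuses the call."""
    try:
        endpoint_bound(role, method, path, request)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    req = {"id": 42}
    print("gateway-style :", gateway_style("user", "GET", "/users/{id}", req))
    print("endpoint-bound:", endpoint_bound("user", "GET", "/users/{id}", req))
```

The point of the second dispatcher is that the role-to-field mapping lives in the endpoint definition itself, so the same check that decides whether `user` may reach `PATCH /users/{id}` also decides that `user` may not write `internal_notes` and will not receive `password_hash` back, without every handler having to remember to filter.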
About me
I have built an API framework from the ground up and my tools are used by enterprises. I have made videos to explain the API call flow, spoken at multiple conferences, invented API Chaining(tm), created a widely used API benchmark tool and much more.
Feel free to follow me and my work on GitHub.