This presentation covers best practices for securing your APIs, including everything from encryption, to UUIDs, the differences between authentication and authorization, OAuth and OpenID Connect, and a host of other information around SSL, TLS, and more ways you can secure your APIs from those pesky would-be hackers.
Much has been said around securing APIs and fortunately people do try to implement some of these practices. Unfortunately, most do not implement multiple legged security thereby relying solely on a single measure or two simplistic and easy-to-defeat mechanisms to secure their APIs. Alas, some even rely on not publishing the documentation for their APIs as a measure of “security”. These methods are simply not acceptable and it’s important to approach security by believing that “there are indeed smarter hackers than you out there and that your information is always at risk.”
It is critical that you pay careful attention to security not as an afterthought, but as a well-formed strategy as you build your interfaces. Security should be engrained in every resource, every action, and truly everything you do as you build and design APIs!