reviewer system integ.pdf

Full Transcript

API Lifecycle Management and Development - Involves defining the operational, business,
Process and security requirements for a single API or
group of APIs.
1. System Integration
10. Stage 2- Design
- The process of creating a complex
information system that may include - Involves making intentional decisions about
designing or building a customized how an API will expose data to consumers
architecture or application, integrating it with and capturing these decisions in an API
new or existing hardware, packaged and definition.
custom software, and communications.
11. Stage 3- Develop
2. Architecture
- Tasks developers with writing code that
- The organization of a system, including all implements the API's intended functionality,
components, how they interact with each using version control and repositories to
other, the environment in which they operate, manage changes.
and the principles used to design the
12. Stage 4- Test
software.
- Involves confirming that an API is working as
3. Application Program Interfaces
expected through manual or automated
- Interfaces that allow different software testing, including different types of tests like
applications to communicate with each other. contract and performance tests.

4. JSON 13. Stage 5- Secure

- is a standard text-based format for - Involves checking an API for common
representing structured data based on security vulnerabilities to ensure the
JavaScript object syntax, commonly used for application's overall security posture.
transmitting data in web applications.
14. Stage 6- Deploy
5. Extensible Markup Language (XML)
- Refers to the process of publishing APIs to
- Let you define and store data in a shareable development, staging, and production
manner. environments using CI/CD pipelines and API
gateways.
6. API First approach
15. Stage 7- Observe
- Prioritizes APIs at the beginning of the
software development process, positioning - Involves collecting, visualizing, and alerting
APIs as the building blocks of software. on API telemetry data in production to
surface errors, latency, and security
7. API Lifecycle
vulnerabilities.
- The series of steps that teams must take to
16. Stage 8- Distribute
successfully design, develop, deploy, and
consume APIs. - Focuses on improving an API's
discoverability through API catalogs, both
8. Benefits of API Lifecycle Management
public and private, to support third-party
- Increased productivity, greater visibility, and consumers and internal teams.
organizational alignment within an
17. XAMPP
organization.
- A free and open-source cross-platform web
9. Stage 1- Define
server solution stack package.
18. Notepad++ Understanding API Security and JSON Web
Tokens
- A text editor and source code editor for use
with Microsoft Windows. 1. API Security

19. SQLyOG Community - Process of safeguarding APIs from attacks
due to their access to sensitive functions and
- A database management tool for MySQL.
data.
20. Thunder Client-VSCode Plugin
2. REST
- A Visual Studio Code plugin for API testing
- Simpler API approach using HTTP/S, often
and debugging.
with JSON for data transfer.
21. Slim Framework
3. JSON Web Token (JWT)
- A PHP micro-framework that helps you
- Open standard for secure data transmission
quickly write simple yet powerful web
between parties in JSON format.
applications and APIs.
4. Authorization
22. Composer
- Common use of JWT where users access
- A tool for dependency management in PHP,
permitted routes and resources.
allowing you to declare the libraries your
project depends on and it will manage 5. Information Exchange
(install/update) them for you.
- Securely transmitting data between parties
23. Jsend using signed JWTs.
o Single-Sign On – feature that widely
- A specification that lays down some rules for
uses JWT nowadays. Small
how JSON responses from web servers
overhead and its ability to be easily
should be formatted.
used across different domain.
24. Endpoint
Structure of JWT
- contact between an API client and server.
6. Header
25. HTTP Method
- Part of JWT specifying signing algorithm and
- are used to indicate the action an API client token type.
would like to.
7. Payload
POST – retrieve data from a server
- Contains claims or JSON object in a JWT.
GET – send data to the server to create new
8. Signature
resource.
- Unique hash created with secret key to verify
PUT – update or replace an existing resource
JWT integrity.
DELETE – remove a resource from the server - Generated via cryptographic algorithm.

PATCH – only update data Header Component

9. HS256

- Symmetric algorithm using one secret key
for JWT signing and verification.

10. RS256
 - Asymmetric algorithm using private key for - Ability of JWTs to carry additional user data,
JWT signing and public key for verification. reducing API calls.

Payload Component 22. Performance

11. Issuer (iss) - Enhanced application speed by minimizing
database lookups.
- Claim in JWT indicating the entity issuing the
token. 23. Mobile-Friendly

12. Subject (sub) - Suitable for offline-first apps, improving
mobile user experiences.
- Claim in JWT identifying the subject of the
token. Consideration in using JWT

13. Audience (aud) 24. Token Size

- Claim in JWT specifying the intended - Keeping JWT payloads under 4kb to avoid
audience for the token. performance issues.

14. Expiration time (exp) 25. Token Management

- Claim in JWT defining the token's expiry - Challenges in revoking tokens before
time. expiration in stateless JWTs.

15. Not before (nbf) 26. Weak Signature Algorithms

- Claim in JWT indicating the earliest time the - Risks associated with using weak signature
token can be used. algorithms in JWTs.

16. Issued at (iat) 27. XSS Attacks

- Claim in JWT specifying the token's issuance - Security threat when storing JWTs in
time. localStorage instead of HttpOnly cookies.

17. JWT ID (jti) 28. Token Replay

- Claim in JWT providing a unique identifier for - Mitigating risks by using short expiration
the token. times and token rotation.

Benefits of using JWT Tokens 29. Insufficient Validation

18. Stateless Authentication - Importance of validating token signature and
claims on the server side.
- Authentication without server session
storage, enhancing scalability. 30. Token Expiration and Refresh

19. Compact and Self-Contained - Balancing security and user experience by
setting appropriate token lifetimes.
- All necessary info in token, reducing
database queries. 31. Security Best Practices

20. Cross-Domain / CORS Friendly - Using HTTPS, avoiding sensitive data in
JWT payload, and secure token storage.
- JWTs facilitate single sign-on across
distributed systems. 32. Storage on the Client Side

21. Flexibility - Considerations for secure token storage,
avoiding vulnerabilities like XSS attacks.