Foreword
I entered the world of information security almost 20 years ago, as often occurs in our industry, by accident. I was a software engineer excited to be working on a very large software system that was being created for the New York Port Authority - right after 9/11. The system was complex and the problems we were solving were genuinely interesting and intellectually gratifying. And because of our customer, keeping the system and its users secure was of the utmost importance. I went from being somewhat naive about how applications were secured to being thrust into a team that was responsible for securing one of the most important computer systems in the country given events at the time. It made software security very real - in a very concrete in a way I hadn't experienced before. When the project was done, I was proud to have helped in some small way to making New York a safer place.
I learned immensely from that experience, and realized how much technology then and since was advancing at break-neck speeds. The learning curve was really steep and all the while, technology was advancing rapidly, and you constantly had to keep learning. It's easy to forget about security when you've got 20 other things to learn just to get an application out the door! But if I take a step back and look at our industry with a wider perspective, I can't help but be intrigued by this exponential growth and innovation - and how security will always play a part.
Humanity has always had the drive to innovate, but we've also been determined to undermine our own advancements for selfish gain through surreptitious means. As a result, it is incumbent on us, the builders and innovators of the world, to protect ourselves. From the Mesopotamian potter 3500 years ago who wanted to keep his glazing techniques secret from competitors to modern banks who safeguard the world's digital financial transactions - there has always been a need to keep information secret. And there have always been people trying to steal those secrets.
What's important about this dichotomic dance between information holder and information thief is that the dance never ends - a safeguard today will eventually be bypassed tomorrow, which then must be be supplanted by a better safeguard. Unfortunately, even smart, capable people and corporations forget this or even ignore it, which is why we have the Equifax and Yahoo data breaches of the world.
So what does this mean in the current climate of exploding connectivity between millions of devices in the world, and the HTTP APIs that are shared and consumed between them?
To put it simply, it's the Wild West out there!
Of course, no one expects you to wear leather chaps and ride a horse to work (but if that's your thing, you do you, and do it proudly!), but we software developers are constantly looking down the barrel of a hacker's metaphorical six-shooter.
And while a bit tongue-in-cheek, the Wild West metaphor is valid - the Western frontier in the United States' early years was expanding and changing quickly, and law enforcement often wasn't available. Individuals and companies had to protect themselves using the best strategies and technologies at their disposal. Similarly, our computer and information technology industry is soberingly new - the first digital computer was invented only 70 years ago, in the time of a single human life span! Our still-nascent industry clearly reflects the same opportunity to expand and build, and for some, to engage in nefarious activity.
So what about us? The web and mobile application developers? The API developers? How do we address this expanding frontier when even massive companies fall victim every day?
I believe the answer is that we be smart, informed, and proactive. We focus on known best practices and never stop looking for new ones. We implement modern approaches that have been proven successful in real, practical experience. We stay diligent and learn from those who have come before us, thus standing on the shoulders of giants, like the authors of the book in your hands right now.
So you don't have to be afraid of the Wild West. There are amazing opportunities ahead and the Internet is still the Great Equalizer for today's builders and innovators. And for the API builders among you? Armed with the wonderful information in this book, I'm confident you'll be ahead of (and safer than) 99% of all other APIs today.
Head 'em up, move 'em out!