20+ Resources To Nail Down Tough API Security Concepts

Last updated: July 30, 2024

API concepts, especially those around security, can often be confusing. While we generally understand basic concepts like “credentials,” trying to explain how the ROPC Flow differs from the Client Credentials Flow can often devolve relatively quickly into acronyms and diagrams. Accordingly, we’ve compiled a list of 20 resources that help to nail these concepts down.

1 – OAuth.Tools

OAuth.tools, the world’s first OAuth playground, is a great website to test out a variety of OAuth flows. This site will not only demonstrate how each flow looks and feels, but it’ll also give some insight into how JWTs behave and interact with each flow.

2 – OAuth Documentation Materials

Considering how ubiquitous the OAuth standard is, the documentation as provided is perhaps the best way to get started with understanding these complex concepts, terms, and issues. Ultimately, this resource is a broad set of coverage documents, all couched within the IETF OAuth Working Group.

3 – Nordic APIs Book Offerings

Nordic APIs has established itself as a thought leader in the API space for some time. For those looking for deeper dives into related topics, this great selection of free eBooks can be a good starting point for a more holistic view of topics including Microservices Architectures, API Security methodologies, and emerging languages and frameworks.

4 – IBM Knowledge Center

IBM is a monolith in the industry, so any advice they have to give is often something to pay attention to. In addition to their generally awesome knowledge center content, they’ve written a great primer on OAuth 2.0 concepts that is relatively authoritative and serves as an entry point to the rest of their resources.

5 – Okta Content Library

Okta is a big name in the security space, so it’s no shock that they have ample documentation behind their offerings. While much of their content library dives into specific Okta application methods and solutions, there’s also a great amount of specific security information, API security concept walkthroughs, and general security topic explanations.

6 – API Security GitHub Repo

Github’s platform is most probably not news to anyone working in software development. In this API security repository, you can find a collection of API security tools and resources as well as open-source tools, that are gathered by members of the community.

7 – APIsecurity.io

APIsecurity.io is a great source for API security content. Covered topics include vulnerabilities, major news stories, and more. APIsecurity.io also has a wonderful API Security Encyclopedia, which defines a broad range of terms and concepts in the security space.

8 – Curity Resource Library

The Curity Resource Library offers a great amount of documentation categorized by areas of interest. Focusing on architectural focuses, use cases, development solutions, and operation and deployment models and practices, this library is a wealth of information for OAuth 2.0 and associated topics.

9 – The API Evangelist’s API Lessons

While the API Evangelist itself is already a great resource, the API 101 lessons provided in the API.Lessons page are a good primer for what an API is. While those in the industry tend to take the definition of an API for granted, this is an awesome resource to use in conversations around APIs, especially in the context of business development. There’s also a wealth of white papers published by the API Evangelist that go into further detail on a huge range of topics.

10 – The IETF RFCs Landing Page

Much of the API space is driven by the RFC landscape. Thankfully, there’s a powerful search system and data tracker provided by the IETF to browse and research these RFCs.

11 – Any API

Any API is a great collection of documentation and test consoles for a ton of public APIs. When diving into security concepts, it’s often best to see them in action – having a wealth of APIs against which to test calls provides a lot to this end. Public APIs are often going to have some very specific security caveats and implementations, so this is a great resource to see what an API security plan looks like “in the wild”.

12 – The OpenID Connect FAQ and Q&As Page

One of the best resources around OpenID Connect is, predictably, the documentation from the OpenID Foundation. This FAQ and Q&A page dives a bit further than the standard documentation, and answers many of the questions that seem to pop up around this topic – this, it’s a great resource for clarity.

13 – Red Hat Security Primers

Red Hat is a huge player in the enterprise space, so anything they have to say about APIs and API security should be taken with proper weight. While their general guide to API security is decent enough, their additional resources compound this offering by diving into concepts like continuous IT security, API management, and enterprise agility, and more.

14 – OWASP

OWASP, or the Open Source Web Application Security Project, is an organization dedicated to developing open-source security guidance, methodologies, and technologies. To this point, their wiki is rather interesting and gives a wide range of information

15 – The CSA Research Artifacts database

The Cloud Security Alliance is an organization dedicated specifically to promoting API and cloud application security. Their collection of research artifacts includes whitepapers, reports, and models, and more, provided for free.

16 – Zapier’s “An Introduction to APIs”

Zapier has created a ton of guides, but perhaps one of the best (if only for its simplicity) is An Introduction to APIs. This guide dives into a lot of basic concepts around APIs and dives into broad concepts like Protocols, Authentication, and Implementation really well.

17 – SCIM Documentation

Though specific to a certain subset of security concepts, SCIM, or the System for Cross-domain Identity Management specification, is a quite popular and, at times, complex specification. The documentation provided here is ample and should help express not only what SCIM is designed for, but the basic models and designs upon which SCIM does what it does.

18 – CA Technologies API security guides

While this is admittedly a collection of advertisements of a sort, this is a recommended resource for two very specific reasons. CA Technologies offers a lot of common solutions that are leveraged by regulated industries, so for many, what they have to say about things like control access are notable. Secondly, their extended coverage on their blog offers great insight into concepts like JSON link handling, which are often significant conversation starters around vulnerabilities and exposures in the modern space.

19 – WSO2 Library

The WSO2 Library is a wonderful resource for open-source API development and security concepts. In addition to some specific articles (such as this great piece on Federated Identity Management), the general knowledge and wisdom shared here is extremely valuable.

20 – restfulapi.net

Restfulapi.net serves as an excellent primer guide for REST concepts in general, but it has a particularly good guide that focuses entirely on security concepts in the RESTful space.

21 – Medium

Even though Medium is an online publishing platform that hosts a plethora of topics, it also contains an API security tag, with contributors providing unique insights and thought leadership articles and stories.

22 – Hacking APIs GPT

Designed by cybersecurity expert Corey J. Ball, Hacking APIs GPT is a ChatGPT plugin that is smartly trained on a fine-tuned corpus of API security knowledge. You can use it to run endpoint analysis, scan OpenAPI definition files, spot vulnerabilities, and more. Be sure to read our review here.

Conclusion

This list is not meant to be exhaustive – it’s a great starting point for understanding some basic API concepts, but it should be augmented by newly discovered resources and trusted providers alike. Did we miss anything major? Let us know in the comments below by sharing your resource!