20+ Resources To Nail Down Tough API Security Concepts Kristopher Sandoval September 12, 2019 API concepts, especially those around security, can often be confusing. While we generally understand basic concepts like “credentials,” trying to explain how the ROPC Flow differs from the Client Credentials Flow can often devolve relatively quickly into acronyms and diagrams. Accordingly, we’ve compiled a list of 20 resources that help to nail these concepts down. 1 – OAuth.Tools OAuth.tools, the world’s first OAuth playground, is a great website to test out a variety of OAuth flows. This site will not only demonstrate how each flow looks and feels, but it’ll also give some insight into how JWTs behave and interact with each flow. Read our in-depth review of OAuth.Tools here 2 – OAuth Documentation Materials Considering how ubiquitous the OAuth standard is, the documentation as provided is perhaps the best way to get started with understanding these complex concepts, terms, and issues. Ultimately, this resource is a broad set of coverage documents, all couched within the IETF OAuth Working Group. 3 – Nordic APIs Book Offerings Nordic APIs has established itself as a thought leader in the API space for some time. For those looking for deeper dives into related topics, this great selection of free eBooks can be a good starting point for a more holistic view of topics including Microservices Architectures, API Security methodologies, and emerging languages and frameworks. Download our eBook Securing the API Stronghold for free here 4 – IBM Knowledge Center IBM is a monolith in the industry, so any advice they have to give is often something to pay attention to. In addition to their generally awesome knowledge center content, they’ve written a great primer on OAuth 2.0 concepts that is relatively authoritative and serves as an entry point to the rest of their resources. 5 – Okta Content Library Okta is a big name in the security space, so it’s no shock that they have ample documentation behind their offerings. While much of their content library dives into specific Okta application methods and solutions, there’s also a great amount of specific security information, API security concept walkthroughs, and general security topic explanations. 6 – APIacademy APIacademy has a wonderful collection of resources for API developers. In addition to a wealth of books and guides, the site provides extensive video and audio resources, explaining key concepts, security systems, and complex discussions on business and functional design. 7 – APIsecurity.io APIsecurity.io is a great source for API security content. Covered topics include vulnerabilities, major news stories, and more. APIsecurity.io also has a wonderful API Security Encyclopedia, which defines a broad range of terms and concepts in the security space. 8 – Curity Resource Library The Curity Resource Library offers a great amount of documentation categorized by areas of interest. Focusing on architectural focuses, use cases, development solutions, and operation and deployment models and practices, this library is a wealth of information for OAuth 2.0 and associated topics. 9 – The API Evangelist’s API.Lessons While the API Evangelist itself is already a great resource, the API 101 lessons provided in the API.Lessons page is a good primer for what an API is. While those in the industry tend to take the definition of an API for granted, this is an awesome resource to use in conversations around APIs, especially in the context of business development. There’s also a wealth of white papers published by the API Evangelist that go into further detail on a huge range of topics. 10 – The IETF RFCs Landing Page Much of the API space is driven by the RFC landscape. Thankfully, there’s a powerful search system and data tracker provided by the IETF to browse and research these RFCs. 11 – ProgrammableWeb ProgrammableWeb is often seen as a juggernaut of information on APIs, and for good reason – their API directory is incredibly large and detailed. In addition to this great resource for APIs in general, their coverage of API news is a source any API manager or developer should familiarize themselves with. Their API University boasts an 11-part series Understanding the Reality of API Security, a solid primer to many tough security concepts. 12 – Any API Any API is a great collection of documentation and test consoles for a ton of public APIs. When diving into security concepts, it’s often best to see them in action – having a wealth of APIs against which to test calls provides a lot to this end. Public APIs are often going to have some very specific security caveats and implementations, so this is a great resource to see what an API security plan looks like “in the wild”. 13 – The OpenID Connect FAQ and Q&As Page One of the best resources around OpenID Connect is, predictably, the documentation from the OpenID Foundation. This FAQ and Q&A page dives a bit further than the standard documentation, and answers many of the questions that seem to pop up around this topic – this, it’s a great resource for clarity. 14 – Red Hat Security Primers Red Hat is a huge player in the enterprise space, so anything they have to say about APIs and API security should be taken with proper weight. While their general guide to API security is decent enough, their additional resources compound this offering by diving into concepts like continuous IT security, API management, and enterprise agility, and more. 15 – OWASP OWASP, or the Open Source Web Application Security Project, is an organization dedicated to developing open source security guidance, methodologies, and technologies. To this point, their wiki is rather interesting and gives a wide range of information 16 – The CSA Research Artifacts database The Cloud Security Alliance is an organization dedicated specifically to promoting API and cloud application security. Their collection of research artifacts includes whitepapers, reports, and models, and more, provided for free. 17 – Zapier’s “An Introduction to APIs” Zapier has created a ton of guides, but perhaps one of the best (if only for its simplicity) is An Introduction to APIs. This guide dives into a lot of basic concepts around APIs and dives into broad concepts like Protocols, Authentication, and Implementation really well. 18 – SCIM Documentation Though specific to a certain subset of security concepts, SCIM, or the System for Cross-domain Identity Management specification, is a quite popular and, at times, complex specification. The documentation provided here is ample and should help express not only what SCIM is designed for, but the basic models and designs upon which SCIM does what it does. 19 – CA Technologies API security guides While this is admittedly a collection of advertisements of a sort, this is a recommended resource for two very specific reasons. CA Technologies offers a lot of common solutions that are leveraged by regulated industries, so for many, what they have to say about things like control access are notable. Secondly, their extended coverage on their blog offers great insight into concepts like JSON link handling, which are often significant conversation starters around vulnerabilities and exposures in the modern space. 20 – WSO2 Library The WSO2 Library is a wonderful resource for open source API development and security concepts. In addition to some specific articles (such as this great piece on Federated Identity Management), the general knowledge and wisdom shared here is extremely valuable. 21 – restfulapi.net Restfulapi.net serves as an excellent primer guide for REST concepts in general, but it has a particularly good guide which focuses entirely on security concepts in the RESTful space. Conclusion This list is not meant to be exhaustive – it’s a great starting point for understanding some basic API concepts, but it should be augmented by newly discovered resources and trusted providers alike. Did we miss anything major? Let us know in the comments below by sharing your resource!