
What makes up a high-quality API

With third-party APIs, developers can leverage the power of external expertise to enhance the functionality of their applications. However, to ensure success, they must carefully evaluate the quality of APIs before incorporating them into their applications. This chapter aims to investigate the key characteristics that make third-party APIs high-quality, according to developers.

In recent years, application programming interfaces (APIs) have become a key part of modern software development. APIs act as intermediaries that facilitate communication between different applications through established protocols and definitions. By using APIs, developers can leverage the power of other applications without needing custom integrations. In turn, this allows them to focus more on building the core parts of their applications and less on recreating features that already exist or are not feasible.

With this in mind, it is unsurprising that almost all developers (89%) report using APIs in their projects. According to our data, 74% of developers use third-party APIs while 15% state that they only use private or internal APIs. Using private/internal APIs makes it easier for developers to link their in-house applications together and ensures that only authorised personnel can access their systems and internal information. On the other hand, using third-party offerings gives them access to external expertise but introduces additional dependencies that can affect their projects.


74% of developers use third-party APIs

With so many developers relying on third-party APIs to expand the scope of their applications, modern services are becoming increasingly more likely to offer public APIs. However, not all APIs are created equal. Just as high-quality APIs can enhance the capabilities of a given application, adopting a low-quality API can be detrimental to its success. Implementing low-quality solutions can create a wide range of issues such as poor performance, negative user experience, and security vulnerabilities. Therefore, developers must carefully evaluate the quality of APIs before incorporating them into their applications.

In the latest edition of our global developer survey, we asked developers who use third-party APIs to identify the most important characteristics of high-quality API offerings. Our results indicate that developers consider security, documentation and sample code, reliability, ease of use, and performance to be the most important characteristics of high-quality APIs. These five qualities stand clearly apart from the rest as the core pillars developers look for when considering third-party APIs. In fact, 89% of those who use third-party APIs mention at least one of these characteristics in association with high-quality APIs.

Security is the most important factor in evaluating the quality of third-party APIs, according to 42% of developers. Using third-party offerings opens up a line of communication with external services that can expose their users to unauthorised access to sensitive data and other security risks. To keep up with the rapidly evolving landscape of threats, developers and modern businesses must ensure that the APIs they use are secure to protect their assets.

Developers consider security to be the most important attribute of a high-quality API

Having access to clear documentation and sample code can make it substantially easier for developers to incorporate APIs into their applications. Our data suggest that 39% of developers consider documentation and sample code to be among the most important qualities in third-party APIs.

These features allow developers to quickly understand the capabilities and limitations that a given API brings and make it easier for them to get started. This goes hand in hand with ease of use, which is mentioned by 37% of developers who use third-party APIs.

Reliability (38%) and performance (36%) of third-party APIs can directly impact the success of a given project. If an API proves to be unreliable, it can lead to issues ranging from minor errors to system failures and data breaches.

Reliable APIs, on the other hand, help developers minimise the risk of something going wrong and maximise their projects' chances of success. Similarly, applications can only perform as well as the APIs they use, so APIs must be fast and capable of handling high volumes of requests to be usable in modern applications.


Those who are new to the field of software development tend to work on less challenging problems and can often turn to their peers and mentors for support. As such, they are the least likely (20%) to cite documentation and sample code as an important characteristic of a high-quality API and tend to prioritise other features.

However, as they gain expertise and take on more complex projects, developers begin to appreciate the benefits that clear documentation and sample code bring to the table. In fact, 65% of developers with 16+ years of experience mention documentation and sample code among the most important characteristics of high-quality third-party APIs, surpassing even security (51%).

Highly experienced developers value API documentation and sample code significantly more than beginners

With a greater reliance on self-guided learning, experienced developers become less likely to focus on the community when evaluating the quality of third-party APIs. However, technical issues can arise regardless of experience and may be difficult to resolve or diagnose without expert-level knowledge. In turn, technical support appears to retain its above-average importance for all but the most experienced developers.


With more years of experience, developers gain a deeper understanding of what is essential for their projects. For some, performance may be critical, while others may focus more on ease of use. By focusing on the right characteristics of third-party APIs, developers can enhance the functionality of their applications and deliver better products.

Would you like to contribute to similar findings?

Participate in our latest wave of the Developer Nation survey!

Complete the survey to access our amazing virtual Goody Bag filled with subscriptions, resources, and more!

Sign up for the chance to win prizes, earn loyalty points, and receive updates on survey results and future opportunities.

Take the survey anonymously here


Taking a Proactive, Governance-Based Approach to API Security

Security breaches are among the greatest threats confronting enterprises today, and application programming interface (API) abuse is typically central to the attacks. For that reason, API governance is critical to the success of any digital business.

Ensuring that governance results in a long-term stabilizing strategy requires following strategic API security, monitoring, and open cultural practices.

Common Errors

Just knowing when something is not right with a system or that a bug requires fixing isn’t enough knowledge to make informed decisions about security. What is required is a keen understanding of the health of a specific project throughout its entire life cycle. This includes knowing its current state, having proper visibility into the traffic running through apps and infrastructure, and recognizing error patterns – and being able to act upon any issues before they impact the customer experience.

When it comes to API lifecycle and management, we have discussed the topic in great detail in this workshop recording, which can be found here.

The problem with most enterprises in this regard is that they tend to be project- rather than product-driven; budgets and deadlines are tied to delivering features rather than holistically examining a product and its capabilities. This, coupled with the failure to see APIs as adding value, is why many brands have failed in their API journeys and digital transformation. They have simply lost sight of the return on investment (ROI) that properly governed APIs can deliver.

As a result, these enterprises leave API security to the end of its life cycle when regression tests are run to determine whether it is working properly, declaring it “secure” if it passes a confined set of tests. It is a last-mile mindset that is behind the daily reports of personal healthcare data, payment information, and billing address breaches – and why API security must be everyone’s responsibility at every stage of the life cycle and built into the product design itself. 

Governance can work only when API security is considered at the outset and supported with the proper tools to ensure the team is prepared to stave off attacks from every angle.

Creating a Governance Mindset

The first step toward effective API governance is to create an organization-wide mindset rather than having it rest solely with those who develop processes. Governance must go beyond ensuring that a specific set of projects functions in a certain way and adds value. Transformational success requires continuous feedback that bridges the gap between the consumer and provider.

Adopting a dedicated API management platform to automate API security best practices throughout the API life cycle is a smart way to automate many aspects of governance. Doing so provides a top-down approach that leverages a powerful security toolkit and knows what questions to ask and when. 

Among the questions API governance must answer are:

  • Why do I need this API?
  • Who are my API’s consumers?
  • What are my consumers’ usage patterns?
  • Do they need this API?
  • What is the behavioral design for this API?
  • What is my ROI?
  • Does this API add value to my consumers?
  • How is this API being integrated with my partners?
  • Which devices are calling this API?
  • What barriers are there for people to access this API?
  • How could my APIs be compromised?
  • What is being cached in local browsers?
  • How many retries are permitted when trying to access my API?

When and How to Pose Questions

When a company is scaling, taking a manual approach to continually asking and answering these critical questions becomes far too error-prone to be effective. It becomes too easy to lose track of data and too tempting to cut corners to meet deadlines. Thus, API security needs to be built into API modeling – in both test-driven design and communications with every aspect of the business.

For example, information must be continuously evaluated to determine if it is sensitive, as API governance has different security policies for internal APIs, external APIs, open-source APIs, and partner APIs.

Leaving the monitoring of sensitive information in the hands of API analysts, who are tasked with building an API specification under OpenAPI, is a mistake, as their focus is solely on the user interface (UI), the necessary data models, and consumer demands. Too often this narrow focus causes them to overlook critical vulnerabilities, resulting in sensitive data being built into API headers and query patterns.

Rather, everyone should be responsible for asking whether a user ID is needed as part of the API and, if so, whether it should be part of an encrypted payload. Bear in mind that the API, and any user ID passed through it as a query parameter, also passes through browsers that cache requests and store cookies.
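One way to turn the check described above into something repeatable is to lint the OpenAPI document itself for personal identifiers or credentials declared in query strings or headers, the two locations that end up in browser caches and access logs. This is an added example, not code from the original post or from any vendor; the sample specification, the sensitive-name patterns and the function names are constructed for illustration.

```python
"""Scan an OpenAPI 3 document for sensitive identifiers exposed in query
strings or headers. Added example with a constructed spec, not from the post."""
import re
from typing import Any, Dict, List, Optional

# Name patterns for personal identifiers and for credentials. Illustrative
# only: a real policy list would come from the data-governance team.
IDENTITY = re.compile(r"(user|customer|account|member)[_-]?id|email|ssn|phone", re.I)
CREDENTIAL = re.compile(r"api[_-]?key|token|password|secret|session", re.I)

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def _resolve(spec: Dict[str, Any], param: Dict[str, Any]) -> Dict[str, Any]:
    """Follow a local '#/components/parameters/<Name>' reference, if present."""
    ref = param.get("$ref")
    if not ref:
        return param
    node: Any = spec
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def _classify(name: str, location: str) -> Optional[str]:
    """Return a reason string when a parameter in this location is a finding."""
    if IDENTITY.search(name):
        # Query strings are cached by browsers and proxies; both query strings
        # and headers are routinely written to access logs.
        return f"personal identifier in {location}: lands in caches and access logs"
    if location == "query" and CREDENTIAL.search(name):
        return "credential in the URL: carry it in the Authorization header instead"
    return None


def find_exposed_parameters(spec: Dict[str, Any]) -> List[Dict[str, str]]:
    """List method, path, name, location and reason for every risky parameter.

    Path-level parameters apply to every operation under that path, so they
    are checked once per operation, exactly as the spec applies them.
    """
    findings: List[Dict[str, str]] = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip 'summary', 'parameters', vendor extensions
            for raw in shared + op.get("parameters", []):
                param = _resolve(spec, raw)
                location = param.get("in", "")
                if location not in ("query", "header"):
                    continue
                reason = _classify(param.get("name", ""), location)
                if reason:
                    findings.append({"method": method.upper(), "path": path,
                                     "name": param["name"], "in": location,
                                     "reason": reason})
    return findings


# Constructed sample spec: two acceptable parameters and four that should be flagged.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {"parameters": {
        "Email": {"name": "email", "in": "query", "schema": {"type": "string"}}}},
    "paths": {
        "/orders": {
            "parameters": [{"name": "user_id", "in": "query", "schema": {"type": "string"}}],
            "get": {"parameters": [{"name": "page", "in": "query", "schema": {"type": "integer"}}]},
        },
        "/profile": {"get": {"parameters": [
            {"$ref": "#/components/parameters/Email"},
            {"name": "X-Customer-Id", "in": "header", "schema": {"type": "string"}}]}},
        "/login": {"post": {"parameters": [
            {"name": "api_key", "in": "query", "schema": {"type": "string"}}]}},
        "/health": {"get": {"parameters": [
            {"name": "Authorization", "in": "header", "schema": {"type": "string"}}]}},
    },
}

if __name__ == "__main__":
    for f in find_exposed_parameters(SAMPLE_SPEC):
        print(f"{f['method']} {f['path']} {f['in']}={f['name']}: {f['reason']}")
```

The standard Authorization header is deliberately left alone: the point is to catch credentials that drift into URLs and identifiers that drift into headers, not to forbid headers as such.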

Finally, where requests are coming from must be understood. APIs need to be designed with the systems and devices they integrate with in mind, as these are a growing source of attacks that put sensitive information at risk.

Arming a “Security First” Culture

To create a “security first” culture, proactive companies adopt self-learning systems as part of their API security toolkit that leverage the power of artificial intelligence (AI) to gather behavioral information. These solutions reveal patterns and trigger appropriate actions, for example shutting down vulnerable systems before clients are put at risk.

Because a team is only as successful as the tools at its disposal, every API security toolkit should include the following:

  • AI-powered API security, which self-learns and creates its own rules to recognize and proactively respond to attacks.
  • Clear sets of issue alerts to inform the right people as things go awry.
  • Dashboards, which enable teams to see patterns that contribute to a security-first mindset.
  • Data governance, to ensure data is being securely exchanged and being exposed only in ways that align with security policies.
  • API gateways, which are vital to API orchestration and integration.
  • Firewalls, to protect against threats like SQL injection attacks.

Security must be incorporated into a 360-degree view of the API life cycle from the outset and run through planning, designing, developing, testing, and release management. New threats emerge every day, so it’s imperative that learning be continuous.

Security must also be part of the user story and not just a box to check off in the release plan. As tooling – which should be accessible to everyone within the organization – is used to recognize user patterns, it contributes to that user story and develops a sequence of use cases from API keys to tokens to audit logs and more. This does more than give an enterprise empathy with its users; it provides valuable insight into potential system risks.

Retroactive Governance Repairs

For those organizations that did not build security into the API life cycle from the outset, it is not too late to revisit and rectify the situation. 

One common challenge for these organizations is when the CIO or other key players don’t realize an API exists until it’s already been hacked. This can be overcome with use of proper enterprise-grade API tooling that provides a complete overview of connecting APIs and the resources and information they expose. Tooling can also enable continuous API discovery, so while developers are given DevOps autonomy, others are still aware of every open-source or subscription API to which they connect.

It is also critical for these APIs to be monitored, which is where self-learning security systems play an important role. These powerful solutions detect current anomalies and feed this intelligence back into the system’s coverage and into the company’s new “security first” culture – saving it from public humiliation down the road. 

Getting Proactive with API Security

Enterprises caught up in data leaks tend to be reactive when it comes to API security. As such, they do not have the right systems in place between consumer and provider. It is a recipe for certain disaster that leaves the organization searching for the source of the denial-of-service attack and creates distrust among consumers, who will think twice about sharing their personal information.

Success requires a proactive approach, one that integrates security into governance at every stage of the agile process. This enables the continuous learning mindset around API security that is the only way to succeed. 

About APIwiz: APIwiz is a low-code API automation platform allowing developers to build and release reliable APIs quickly. With APIwiz, API teams have complete control, visibility, and predictability over their entire API program, allowing organizations to stay open and connected.


API Management tools: How to find the one for you

Launching an API is hard. You need to make sure your service is reliable, secure and well-documented. This is where API Management tools come into play. They provide the means to expose your API to external developers in an easy and affordable manner. One of the best definitions of API management is the one introduced by APIacademy:

“Creating a centralized API architecture that makes the process of composing, securing and managing high-performance interfaces significantly simpler and more consistent.”

But first, let us know which are YOUR favourite API management tools. Take the Developer Economics Survey and you may win amazing prizes and gear.

Features of an API Management service

API management services have a multitude of features. Their main focus is to make designing, deploying and managing an API easier, as well as to ensure that it is safe, secure and functional. Some of these tools facilitate integrations, transformations or API orchestrations. Ideally, an API management service should cover at least most of the basics below:

  1. Documentation – Sounds boring, right? Still, one of the most common problems developers face is figuring out how an API works. Development time is too precious to waste on trial and error with an undocumented API. An API management service has to provide an easy way to read the documentation and enable developers to “try before they buy”. In some cases it is even possible to provide interactive documentation. Simplicity and usability are the keys!
  2. Analytics and Statistics – It is critical to understand how people use your API and get insights for your business.
  3. Deployment – Should be flexible and support public or private clouds, on-premises implementations, or combinations of these.
  4. Developer engagement – Engaging with your API consumers, developers or partners is important. An easily accessible developer portal will significantly facilitate onboarding.
  5. Sandbox environment – This feature will increase both the value of an API and its adoption rate. What is better than being able to develop and test your code against it?
  6. Traffic management and caching abilities.
  7. Security – APIs carry sensitive data, so it is important to protect the exposed information. The service has to provide at least identity and access management for users and developers.
  8. Monetization – Provide the capability to monetize your API.
  9. Availability – Should be available, scalable and redundant. An API environment can become demanding and the service should be able to deal with any kind of errors, problems or temporary traffic spikes.
  10. Support for legacy systems.

To Proxy or not to Proxy?

The vendors in the API management space provide a number of solutions across the main categories above, but that does not mean they support everything. They implement their solutions in one of three ways: as proxies, as agents, or as a hybrid of the two.

  1. API service providers that use the concept of a proxy. Their solution “sits” between the customer and their users, and the traffic goes through them. Proxies provide caching capabilities and protect the customer’s back-end infrastructure from traffic spikes. The main criticism they receive is that they increase the cost and raise privacy and latency issues. Apigee, Mashape and Mashery are examples of such implementations.
  2. API service providers that use the concept of agents. Agents are plugins that integrate with your server. They do not get in the way of the API calls like proxies do. As a result they do not introduce network latency or 3rd-party dependencies. On the other hand, features like caching are not easy to implement. 3scale is an example of such an implementation.
  3. API service providers that use a hybrid approach. This means you may get both an agent and a proxy. For example, you may want to use a proxy for caching and the agent for authentication. Companies such as Apigee and 3scale, mentioned above, are also moving to hybrid solutions.

13 API management tools

When deciding on an API Management tool, you are faced with lots of choices. Available solutions may focus on one or two of the features discussed above or cover many of them, and they vary greatly in price. Some tools were acquired by bigger vendors such as Intel, CA or Microsoft. Open source tools are also available. Last but not least, some tools are heavily enterprise-focused and others much less so.

| Name | Type | License | Stack Overflow questions | Market segment | Strong points |
|---|---|---|---|---|---|
| 3scale | Agent, Proxy | Commercial | 15 | Startups to Enterprises | Wide range of tools |
| ApiAxle | Proxy | GPL | 9 | SMBs to Enterprises | |
| Apigee | Proxy | Commercial | 598 | SMBs to Enterprises | Powerful analytics |
| Axway | Proxy | Commercial | 9 | SMBs to Enterprises | |
| CA Layer7 | Proxy | Commercial | 35 | Enterprises | Advanced support for mobile applications |
| IBM API Management | Agent, Proxy | Commercial | 17 | Enterprises | Large scale, user friendly |
| Mashape | Proxy | Commercial | 106 | Startups to Enterprises | Monetization, discoverability |
| Mashery | Agent, Proxy | Commercial | 57 | SMBs to Enterprises | API strategy services |
| Microsoft’s Azure API Management | Agent, Proxy | Commercial | 262 | Startups to Enterprises | |
| MuleSoft | Proxy | Commercial | 134 | Enterprises | Based on proven open source technology, programmableweb |
| Oracle SOA | Proxy | Commercial | 213 | Enterprises | Large scale, SOA |
| Akana (formerly SOA Software) | Proxy | Commercial | 3 | Enterprises | |
| WSO2 | Agent, Proxy | Apache | 4421 | Startups to Enterprises | Open source |

3scale

3scale is very active in the API management space with a wide range of customers, ranging from startups to enterprises. They provide a hybrid solution to help you deploy, manage, distribute and monitor your API. They offer an on-premises API management solution along with cloud-based API administration, analytics, reports, and a developer and partner portal.
More about 3Scale: http://www.3scale.net/api-management/

Mashape

Mashape does not offer an API Management service per se. They provide important features that are part of such services though. You may test an API, generate code, and get a developer portal and user management. Most importantly they provide out-of-the-box monetization, a developer community and discoverability through their API marketplace.
More about Mashape: https://www.mashape.com/

Microsoft’s Azure API Management

Microsoft’s Azure API Management became available to the public rather recently. You can provide and manage an API, get developer portals, documentation, security management, performance management, statistics and analytics. They have on-premises and cloud versions (not limited to the Azure cloud).
More about Azure API Management: http://azure.microsoft.com/en-us/services/api-management/

Apigee

Apigee provides a range of services, from free API tools for developers to large API management solutions for enterprises. Their solution can be deployed in the cloud or on-premises. They offer API analytics, a developer portal, transformations, and traffic and performance management. Apigee appears to provide the richest API analytics platform among these vendors. In mid-2014, they launched the new version of their big data predictive analytics platform.
More about Apigee: http://apigee.com/

Mashery

Mashery has been an Intel company since 2013. They provide an all-around API management solution that supports SaaS and on-premises implementations as well as a few hybrid-oriented ones. Their services range from API technology and infrastructure to business strategy.
More about Mashery: http://www.mashery.com/api-management

CA Layer7

Layer7’s API Management is heavily enterprise-directed. They offer on-premises and cloud deployment solutions. Their services cover integration, security management, performance management, mobile API gateways, mobile optimization and developer portals. CA’s support for mobile applications is considered more feature-rich than that of other solutions.
More about CA: http://www.ca.com/

IBM API Management

IBM’s solution comes either on-premises or cloud-hosted. It covers many of the API management needs of a large company and is considered a very user-friendly platform.
More about IBM API Management: https://apim.ibmcloud.com

Oracle SOA

Oracle provides an API Management solution that consists of its API gateway and SOA suite. The API gateway is used for securing and managing APIs and as a first line of defense in SOA environments.
More about Oracle SOA: http://www.oracle.com/us/products/middleware/soa/api-management/overview/index.html

MuleSoft

MuleSoft’s solution is based on open source technology. They offer easy API design, advanced integration and testing features. It is widely used and they also work a lot with developer communities.
More about Mulesoft: http://www.mulesoft.com/

Akana (formerly SOA Software)

They provide a unified enterprise-level API management and SOA governance solution. It can be implemented on-premises or in the cloud. They offer a horizontal solution, from designing and building an API to policies, security and lifecycle management.
More about SOA Software: https://www.soa.com/solution/api-management

Axway

They offer an API Gateway that provides everything you need to develop, integrate and manage APIs. They provide security management and of course an API Portal for developers and partners.
More about Axway: http://www.axway.com/en/enterprise-solutions/api-management

WSO2

WSO2 is considered the most complete open source solution today. It covers API integration, management, identity and mobile. It supports public and private clouds as well as hybrid implementations. WSO2 follows an open development process, where customers can provide input.
More about WSO2: http://wso2.com/

ApiAxle

It is an open source API management and analytics solution. It is a proxy that sits in front of your API and manages caching, security, performance and traffic. As an open source project, you may contribute to its code base.
More about ApiAxle: http://www.exiconglobal.com/apiaxle/

Epilogue

Not all companies launch API programs and not all API programs have the same goals. Some APIs are used as a revenue model or as part of a product or service, others are free. Certain APIs are used to provide access and information to an ecosystem of companies. As the requirements vary, the tools diversify. So choose your API strategy and pick the right tool.


Which are your favourite tools? Let us know and shape the future of developer economics. Take the survey.