
On the Design, Development, and Testing of Modern APIs

White Paper
This white paper discusses the design, desired qualities, development, testing, support, and security of modern application programming interfaces (APIs).
Publisher

Software Engineering Institute

Abstract

Application programming interfaces (APIs) are a fundamental component of modern software applications; thus, all software engineers are designers or consumers of APIs. From assembly instruction labels that provide reusable code to the powerful web-based APIs of today, APIs enable powerful abstractions by making the system’s operations available to the end user while limiting the details of how the APIs are implemented.

APIs expose complicated functionality from large codebases worked on by dozens if not hundreds of people, often rotating in and out of projects while simultaneously dealing with changing requirements in an increasingly adversarial environment. Under these conditions, an API must continue to behave as expected; otherwise, calling applications inherit the unintended behavior the API system provides. As systems grow in complexity and size, the need for clear, concise, and usable APIs will remain.

In this context, this white paper addresses the following questions concerning APIs:

• What is an API?
• What factors drive API design?
• What qualities do good APIs exhibit?
• What specific socio-technical aspects of DevSecOps apply to the development, security, and operational support of APIs?
• How are APIs tested, from the systems and software security patterns point of view?
• What cybersecurity and other best practices apply to APIs?