Securing Your API

Comments

Decent enough presentation, but was really expecting a majority of the talk to be about schemes and approaches to securing your API. The information about securing that was presented wasn't anything that couldn't have been gotten from a quick overview from a variety of sources.

Your recommendation to not pass the API key across the wire but instead to pass a generated value from it instead still doesn't solve the original problem of someone being able to steal your credentials. Whether they have your API Key or a value generated from it, if someone has it and can send it and act as you, nothing was accomplished. If your intent was that there was a rotating private key in use, then that should be communicated.
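
An added example, not part of the comment above or of the talk: it contrasts a fixed value derived from the API key, which a server accepts again on replay, with a per-request HMAC bound to a timestamp and nonce, which it rejects. The HMAC-SHA256 scheme, the 300-second window, and all names (`Server`, `sign_request`, `static_token`) are assumptions made for illustration.

```python
import hashlib
import hmac
import time

API_KEY = b"constructed-demo-key"  # constructed sample secret shared by client and server
MAX_SKEW = 300                     # assumed freshness window, in seconds


def static_token(key: bytes) -> str:
    """A fixed value derived from the key: identical on every request."""
    return hashlib.sha256(key).hexdigest()


def sign_request(key: bytes, method: str, path: str, ts: int, nonce: str) -> str:
    """Per-request HMAC-SHA256 over method, path, timestamp and nonce."""
    msg = "\n".join([method, path, str(ts), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()  # a real service would expire entries older than MAX_SKEW

    def accept_static(self, token: str) -> bool:
        # Nothing ties the token to one request, so a captured copy keeps working.
        return hmac.compare_digest(token, static_token(self.key))

    def accept_signed(self, method, path, ts, nonce, sig, now=None) -> bool:
        now = int(time.time()) if now is None else now
        # Reject stale timestamps and nonces that were already used.
        if abs(now - ts) > MAX_SKEW or nonce in self.seen_nonces:
            return False
        expected = sign_request(self.key, method, path, ts, nonce)
        if not hmac.compare_digest(sig, expected):
            return False
        self.seen_nonces.add(nonce)
        return True
```

The signed variant limits what a captured request is worth; it does not protect the key itself if the client that holds it is compromised.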

Not sure how I would use it, but interesting and well presented

Lots of info to get through in 45 minutes, so kudos for that. You gave a lot of good info on tips and caveats about each security implementation. Given the time slot and the different technologies to cover, I think this is a great talk.

If you had more time, it would be cool to see PHP code wrappers for some of those security implementations, just to show how difficult or simple they could be.

Enjoyable overview of API authentication and security.

Really enjoyed the talk. I'm excited to start working on some of the ideas that you gave me.

Excellent overview of security considerations in relation to API design and development.

I really enjoyed the comparison between the different protocols. The best-practices part was particularly interesting. I would have liked short code examples for protocol implementation.

I agree with everyone else. It was a lot of info to cover, and covered well for 45 minutes. Some code examples would have been great, but not sure if you could fit them in with the time given. Maybe next year you could do a tutorial.