
Discussion on: We Need To Talk About API Security

Khaled Farah

Hi Adam,

Great article. I was hoping you could demonstrate more by adding technical examples.

Adam Nathaniel Davis Author • Edited

It's more of a concept than a technical example. But to try to be a little more specific, I've recently been working on a system that manages compliance on individual machines. "Compliance" is a concept that is derived from many different factors. If the device doesn't have updated antivirus files, or if it's outside its acceptable geographic area, or if it's not encrypted, or if many other factors apply - it's noncompliant.

But when you look at the API for the software, there's a PUT /v1/device/{id} endpoint that allows you to update - directly - the "compliant" true/false value. But that makes no sense. You shouldn't be able to just set a device to be "compliant". It should be calculated to be compliant (or non-compliant) based on all the other factors.
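To make the design point concrete, here is an added example (not code from the article, the comments, or the product Adam describes) showing the flawed PUT /v1/device/{id} handler beside a hardened one in which "compliant" is derived from the reported factors and never accepted from the client. The device records, factor names and in-memory store are constructed stand-ins.

```python
"""
Added example: a mass-assignable "compliant" flag versus a derived one.
The factor names and the in-memory store are constructed for illustration.
"""

# Raw factors a client (e.g. an agent on the machine) is allowed to report.
WRITABLE_FACTORS = {"av_signatures_current", "in_allowed_region", "disk_encrypted"}


def is_compliant(record: dict) -> bool:
    """Compliance is computed from the stored factors, never taken as input."""
    return all(record[factor] for factor in WRITABLE_FACTORS)


def put_device_naive(store: dict, device_id: str, payload: dict) -> tuple:
    """Flawed handler: copies every body key onto the record, so a caller
    can set compliant=true regardless of the real factors."""
    if device_id not in store:
        return 404, {"error": "unknown device"}
    store[device_id].update(payload)
    return 200, dict(store[device_id])


def put_device(store: dict, device_id: str, payload: dict) -> tuple:
    """Hardened handler: allow-lists the writable factors, type-checks them,
    and recomputes compliant from the stored factors on every response."""
    if device_id not in store:
        return 404, {"error": "unknown device"}
    forbidden = sorted(set(payload) - WRITABLE_FACTORS)
    if forbidden:
        # "compliant" (or any unknown key) lands here and is rejected outright.
        return 400, {"error": f"fields not writable: {forbidden}"}
    bad_type = [k for k, v in payload.items() if not isinstance(v, bool)]
    if bad_type:
        return 400, {"error": f"fields must be boolean: {bad_type}"}
    record = store[device_id]
    record.update(payload)
    # The derived value always overrides whatever happens to be stored.
    return 200, {**record, "compliant": is_compliant(record)}


def new_store() -> dict:
    """Constructed sample data: one device whose disk is not encrypted."""
    return {"dev-1": {"id": "dev-1", "av_signatures_current": True,
                      "in_allowed_region": True, "disk_encrypted": False,
                      "compliant": False}}


if __name__ == "__main__":
    print(put_device_naive(new_store(), "dev-1", {"compliant": True}))  # 200, compliant True
    store = new_store()
    print(put_device(store, "dev-1", {"compliant": True}))       # 400, rejected
    print(put_device(store, "dev-1", {"disk_encrypted": True}))  # 200, compliant True
```

In a real service the stored `compliant` column would be dropped entirely, so the only way the value can change is through the factors that define it.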