brijpandeyji

API Terminology

Handbook

The Ultimate Guide

to Rest API Terms
and Glossary

swipe
 brijpandeyji

Contents
AP CI/C
API Cal CRU
API Econom Cach
API Endpoin Clien
API Integratio DDo
API Gatewa Resourc
API Lifecycl Reques
API Reques Respons
API Key Response Cod
API Laye Payloa
API Porta Paginatio
API Securit Metho
Apige Query Parameter
APIse Authenticatio
Applicatio Rate Limitin
Framewor API Documentatio
Burp Suite Logic Flaw

swipe
 brijpandeyji

Contents
JSO RES
Microservice Red Team
Monetizatio SD
OWAS SDL
ZA SOA
Parameter SQL Injectio
Penetration Testin Webhoo
Production Over-Permissioned
Environment Container

END

swipe
 brijpandeyji

API
Application Programming Interface is
what API stands for. API is a set of
definitions and protocols that allow
technology products and services to
communicate via the internet.

API Call

The API call is simply the process of

sending a request to your API after
setting up the right endpoints. Upon
receiving your information, it is
processed, and you receive feedback.

By entering your login and password into a website and

hitting ‘enter’, you made an API call.

swipe
 brijpandeyji

API Economy
The API economy is a term to
describe the exchange of value
between a user and an organization.

It enables businesses to leverage

APIs from other providers such as
Google to power their own apps,
allowing an ecosystem that makes it
possible for users to get value from
a platform without having to build
the APIs from scratch.

For Example: Uber uses API calls to connect

with Google Maps.

swipe
 brijpandeyji

API Endpoint

An endpoint is the end of a

communication channel. When APIs
interact with other systems, each
touchpoint of interaction is
considered an endpoint.

For example, it could be a server, a service, or a database

where a resource lives.

API Integration

In simple terms, API integration

connects two or more applications
to exchange data between them and
connect to the outside world.

swipe
 brijpandeyji

API Gateway

An API gateway is an API

management tool that serves as an
intermediary between the client
and a set of different backend
services.

API gateways act as gatekeepers

and proxies that moderate all your
API calls, aggregate the data you
need, and return the correct result.

Gateways are used to handle common tasks such as API

identification, rate limiting, and usage metrics.

swipe
 brijpandeyji

API Lifecycle
The API lifecycle is an approach to
API management and development
that aims at providing a holistic
view of how to manage APIs
across its different life stages,
from creation to retirement.

The API lifecycle is often divided into three stages, the

creation stage, the control stage, and the consumption
stage.

API Request
APIs are everywhere and are part of
every aspect of the web. An API request
happens when a developer adds an
endpoint to a URL and uses that endpoint
to call the server or the database.

swipe
 brijpandeyji

API Keys
An API key is a unique identifier
that enables other software to
authenticate a user, developer, or
API calling software to an API to
ensure that this person or
software is who it says it is.

API keys authenticate the API instead of a user and offer a

certain degree of security to API calls.

API Layer
An API layer is a proxy that joins together all your
service offerings using a graphic UI to provide
greater user interactivity. API layers are
language-agnostic ways of interacting with apps
and help describe the services and data types
used to exchange information.

swipe
 brijpandeyji

API Portal

An API portal is a bridge between

the API provider and the API
consumer.

API portals serve to make APIs

public and offer content to
educate developers about them,
their use, and how to make the
most of them.

An API portal provides information about the

APIs at every stage of the API lifecycle.

swipe
 brijpandeyji

API Security

API security is an umbrella

term that defines a set of
practices that aim to prevent
malicious attacks, misuse, and
exploit APIs.

API security includes basic

authentication and
authorization, tokens, multi-
factor authentication, and other
advanced security measures.

The ubiquitous nature of APIs makes them

one of the favorite targets for hackers.

swipe
 brijpandeyji

Apigee
Apigee is an API gateway
management tool offered by
Google to exchange data
across cloud services and
applications.

As a proxy layer, Apigee

enables you to expose your
backend APIs in abstraction or
facade and helps protect your
APIs, limit their rate, and
provide analytics and other
services.

It enables developers to build and manage APIs.

swipe
 brijpandeyji

APIsec

APIsec is an API security

company. It leverages
automated testing tools to
find logic flaws before your
code hits the production stage.

APIsec addresses the business

need to secure APIs before they
reach production and provides
the industry's only automated
and continuous API testing
platform that uncovers security
vulnerabilities in APIs.

swipe
 brijpandeyji

Application
Application software is commonly
defined as a program or a bundle
of different programs designed
for end-users.

Every program can be called an application, and often the

terms are used interchangeably.

Framework

A framework contains libraries

of code, instructions, and APIs
from which developers and API
consumers can obtain
information from an app.

swipe
 brijpandeyji

Burp Suite
Burp —also called Burp Suite—
is a set of tools used for
penetration testing of web
apps.

Burp is an all-in-one
penetration testing suite
that offers users a one-stop
shop for all their pen testing
needs.

BurpSuite contains an intercepting proxy that lets the

user see and modify the contents of requests and
responses while they are in transit for granular
control of your APIs.

swipe
 brijpandeyji

CI/CD

Continuous integration (CI) and

continuous deployment (CD) are a set
of operating principles and a collection
of practices and agile methodologies
that enable development teams to
deliver better and faster changes to
their code.

CI/CD is one of the most

important DevOps practices as it
gives teams the tools to focus on
meeting their business
requirements, code quality, and
security needs.

swipe
 brijpandeyji

CRUD

CRUD is an acronym for create,

read, update and delete. It
refers to the necessary
functions to implement a
storage application, such as a
hard drive.

Unlike random access memory

and internal caching, CRUD data
is typically stored and organized
into a database, which is simply
a collection of data that can be
viewed electronically.

swipe
 brijpandeyji

Cache
The cache is a software or hardware
component that stores data so users can
access and retrieve that data faster.
Cached data might be the result of a copy
of certain data stored elsewhere.

Cache reads data and retrieves it faster

than you would otherwise.

Client

A client is a device that communicates with

a server. A client can be a desktop
computer, a laptop, a smartphone, or an
IoT-powered device. Most networks allow
communication between clients and servers
as it flows through a router or switch.

swipe
 brijpandeyji

DDoS

A distributed denial of service

(DDoS) attack is a malicious
attack that aims at disrupting
the target's traffic.

It usually overwhelms the

target's infrastructure with
a flurry of internet traffic
aimed at saturating the
servers and causing them to
shut the page down.

swipe
 brijpandeyji

Resource
An entity that can be
represented by a URI and can
be accessed through an API.
Resources can be anything
from data (such as a list of
users or a single user's
profile) to operations (such
as creating or updating a
resource).

Request
An HTTP request sent by a
client to a server to retrieve or
modify data. A request
typically includes a method, a
URI, and a set of headers and/
or a body.

swipe
 brijpandeyji

Response
An HTTP response sent
by a server to a client in
response to a request.

Response Code

A numerical status code

returned in an API response to
indicate the success or failure
of a request. Common response
codes include 200 (OK), 404
(Not Found), and 500 (Internal
Server Error).

swipe
 brijpandeyji

Payload
The data sent in an API
request or response,
often in the form of a
JSON object.

Pagination

A technique used in APIs to divide

a large dataset into smaller, more
manageable chunks or pages. This
allows a client to request a
specific page of data rather than
receiving the entire dataset all at
once.

swipe
 brijpandeyji

Method

The HTTP verb used in an API

request, such as GET, POST,
PUT, or DELETE.

Query Parameters

Key-value pairs that are

added to the end of an API
endpoint URL to specify
certain criteria or filters for
the data being requested.

swipe
 brijpandeyji

Authentication
The process of verifying the
identity of a client or user before
allowing them to access an API. This
is often done using an API key or
other form of credentials.

Rate Limiting

The process of limiting the number

of API requests that a client can
make within a certain timeframe to
prevent abuse or overuse of the
API.

swipe
 brijpandeyji

API Documentation
Detailed documentation or
reference material provided by the
creator of an API, explaining how to
use the API and its various
endpoints and parameters.

Logic Flaw

Business logic flaws result from faulty

application logic. In simple terms, a
logic flaw happens when an application
behaves unexpectedly. A logic flaw
allows attackers to misuse an
application and circumvent its rules to
change how it performs.

swipe
 brijpandeyji

JSON
JSON (JavaScript Object Notation)
is a lightweight data-interchange
format based on a subset of
JavaScript programming language
standards.

JSON has the advantage that it

is both easy for humans to read
and write and for machines to
parse and generate.

It is a format that is completely agnostic to languages and

uses conventions that are familiar to programmers of C-
family languages.

swipe
 brijpandeyji

Microservices

Microservices are also known

as microservices architecture.
It is a software architecture
style that structures apps as a
collection of loosely coupled,
independent.

Microservices are highly

maintainable services that
are organized to enhance an
app, website, or platform's
business capabilities.

swipe
 brijpandeyji

Monetization
API monetization is a
process by which a
business can create
revenue from its APIs.

Since APIs enable users to access

and integrate data from different
sources, they can be used by
different developers to integrate
relevant services within their
products, digital services, or
applications, which could, in turn,
become a source of revenue for
both public and private services
and applications.

swipe
 brijpandeyji

OWASP

OWASP (Open Web Application

Security Project®) is a
nonprofit organization
dedicated to enhancing
software security.

OWASP offers a range of tools to

help developers and programmers
secure the web through open-
source software projects,
hundreds of local chapters
worldwide, and educational and
training events.

swipe
 brijpandeyji

Over-Permissioned
Container
An over-permissioned
container is a
container that has all
the root capabilities
of a host machine.

That means that it can access

resources that aren't accessible
to ordinary containers and
users.

The problem with over-permissioning is that it gives

malicious actors a point where they can attack your
infrastructure and compromise your implementation.

swipe
 brijpandeyji

Parameters

Parameters are special types

of variables used in computer
programming to pass
information between
procedures and functions.

An argument to a function is
referred to as a parameter.
Adding three numbers, for
example, may require three
parameters.

swipe
 brijpandeyji

Penetration Testing
Also called pen testing or
ethical hacking, penetration
testing simulates attacks
on your computer system
to identify exploitable
vulnerabilities.

Pen testing identifies, tests,

and highlights vulnerabilities
in an organization's security
posture.

Web application firewalls (WAF) are generally

augmented by penetration testing in the context of
web application security.

swipe
 brijpandeyji

Production Environment
In a production
environment, software and
other products are actually
put into operation in how
their intended users intend
them to be used.

Developers generally use this

term to refer to the setting
where end-users will actually use
the products.

In a production environment, software programs

and hardware are run in real-time, and they are
relied on daily by organizations and companies for
their daily operations.

swipe
 brijpandeyji

REST
Created by Roy Fielding, a computer
scientist, REST, which stands for
REpresentational State Transfer, is an
application programming interface
that conforms to the constraints of
REST architectural style and enables a
quicker interaction between different
RESTful web services.

A stateless Web service

must be able to read and
modify its resources using
a predefined set of
operations and a textual
representation.

swipe
 brijpandeyji

Red Teams

Red teams are cybersecurity

professionals trained in
attacking systems and
breaking into them by finding
compromised entry points or
exploitable logic flaws.

The objective of the red team is

to improve a company's
cybersecurity standing by
showing it how they managed to
gain access and exploit their
system vulnerabilities.

swipe
 brijpandeyji

SDK

SDK stands for software development

kit and is a set of instructions,
integrated practices, pieces, code
samples, and documentation that
enables developers to create
software applications on a specific
software platform.

SDKs can be seen as

workshops with everything
developers need to build
specific software for a
determined platform.

swipe
 brijpandeyji

SDLC
SDLC —also called software
development lifecycle— is
the process for planning,
creating, testing, and
deploying an information
system.

SDLC aims at producing

quality software at the lowest
cost in the shortest time
possible.

SDLC gives developers a structured flow divided

into phases to help companies produce high-quality
software.

swipe
 brijpandeyji

SOAP
Simple Object Access Protocol
(SOAP) is a protocol specification
for exchanging structured
information to implement web
services.

SOAP leverages XML Information

Set for message format and
other application-layer protocols,
such as HTTP or SMTP for
message transmission. The
messaging services provided by
SOAP are exclusively XML-based.

Microsoft originally developed the SOAP protocol to replace

old technologies such as Distributed Component Object Model
(DCOM) and Common Object Request Broker Architecture
(CORBA) that cannot work over the internet.

swipe
 brijpandeyji

SQL Injection
An SQL injection technique
is a way to inject code into
a database that may
damage it.

SQL injections are one of the

most common web hacking
techniques and rely on the
placement of malicious SQL
code in SQL statements via
web input using forms or
other editable fields.

swipe
 brijpandeyji

Webhook
A webhook (also called a
web callback or HTTP
push API) is a way for an
app to provide other
applications with real-
time information.

Webhooks deliver data directly to

other applications, so data is
available immediately instead of
standard APIs requiring frequent
polling for real-time data.

Webhooks are beneficial to both consumers and

providers in this way, but the only drawback is the
difficulty of setting them up at first.

swipe
 brijpandeyji

ZAP
Also called OWASP Zed Attack
Proxy (ZAP) is one of the
world's most popular free
security tools, which lets you
automatically find security
vulnerabilities in your
applications.

By automating penetration
testing and security
regression testing,
developers can automate an
application's security testing
during the CI/CD process.

With ZAP, you can also do nearly everything you can do with
the desktop interface using its powerful API.

swipe
 brijpandeyji

For More Interesting

Content

Brij Kishore Pandey

Follow Me On
LinkedIn
https://www.linkedin.com/in/brijpandeyji/