Our task was to write security requirements which reduce the risks of a data sharing API. I found this very useful to think about, as I had assumed a public API didn't really have many security requirements, but in fact a public API can be abused. I may find this useful in my future work, as I could be making data available via an API.
I decided to use the Open Notify API for people in space. This returns the details of the humans currently in space.
I wrote this Python code to call the API.
import requests
# Ask the Open Notify endpoint for the current list of people in space.
# A timeout stops the script hanging forever if the service is unresponsive.
response = requests.get("http://api.open-notify.org/astros", timeout=10)
print(response.json())
Here is the response, showing 12 astronauts currently in space.
{
  "message": "success",
  "number": 12,
  "people": [
    {"craft": "ISS", "name": "Oleg Kononenko"},
    {"craft": "ISS", "name": "Nikolai Chub"},
    {"craft": "ISS", "name": "Tracy Caldwell Dyson"},
    {"craft": "ISS", "name": "Matthew Dominick"},
    {"craft": "ISS", "name": "Michael Barratt"},
    {"craft": "ISS", "name": "Jeanette Epps"},
    {"craft": "ISS", "name": "Alexander Grebenkin"},
    {"craft": "ISS", "name": "Butch Wilmore"},
    {"craft": "ISS", "name": "Sunita Williams"},
    {"craft": "Tiangong", "name": "Li Guangsu"},
    {"craft": "Tiangong", "name": "Li Cong"},
    {"craft": "Tiangong", "name": "Ye Guangfu"}
  ]
}
The API is public, so there's no need to consider access control, confirming the correct destination, or encryption. However, the API could still be abused: by a denial-of-service attack, by suddenly becoming massively popular (if a link to it were posted on a very popular site), or by a user writing a script which unintentionally makes too many or too frequent requests.
A good way to protect the API would be to detect and analyse unusual access, which could be achieved in a number of ways.