Security is the biggest API concern for Kin Lane


In 2010, when Kin Lane launched his API Evangelist site, self-service APIs weren’t necessarily rare, but they were far from mainstream. Eight years on, even the most conservative companies are launching developer portals to support their newly minted APIs.

For Kin, this isn’t of itself a good thing.

“A lot of people assume I’m on Team API, that I’m always pro-APIs,” Kin said in a recent interview with “I prefer to advise people to slow down, do things thoughtfully, securely and in a way that respects privacy.”

The risk comes, Kin says, when companies offer APIs for the wrong reasons or jump in too quickly. Crafting an API, he says, doesn’t just need technical design and deployment, but hinges also on good communication, outreach and training. And as others agree, it pays to take the same approach for both internal and external users of the API.

Security is the number one problem

Top of mind for Kin today is security. With memories of the Equifax breach fresh, as well as more recent stories involving Facebook and Cambridge Analytica, it’s clear that not all API providers do enough to secure their offerings.

“People think that if you require developers to register and authenticate with a key then that’s security,” Kin says. Security comes from active scanning, granular security policies and continual monitoring.

“You can end up with security holes where lots of data gets out because companies are not even logging, they’re not looking at it all. Having that management layer in place, but also paying attention to it actively, and knowing what your consumers are doing is a big part of security,” he adds.

“A lot of companies are just moving too fast and they may have that layer in place, but they’re not tuned into it. They’re not actively responding to it.”

It’s not that companies have no security plan, Kin believes, but rather that security is not a priority.
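As an added illustration of the logging and active monitoring Kin describes (example code written for this page, not from the interview or from API Evangelist), the script below profiles what each API key is actually doing in a few constructed gateway access-log lines and flags consumers whose behaviour steps outside a chosen baseline; the log format, key ids and thresholds are assumptions.

```python
# Added example (not the interview's code): profile API consumers from gateway logs.
# A valid key only identifies a consumer; it does not show what the consumer is doing.
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <key_id> <method> <path> <status> <bytes>"
SAMPLE_LOG = """\
2018-05-01T10:00:01Z key_A GET /v1/customers/1001 200 512
2018-05-01T10:00:02Z key_A GET /v1/customers/1002 200 498
2018-05-01T10:00:03Z key_A GET /v1/customers/1003 200 505
2018-05-01T10:00:04Z key_A GET /v1/customers/1004 200 511
2018-05-01T10:00:05Z key_B GET /v1/customers/2001 200 530
2018-05-01T10:00:06Z key_C GET /v1/customers/3000 403 0
2018-05-01T10:00:07Z key_C GET /v1/admin/users 404 0
2018-05-01T10:00:08Z key_C GET /v1/customers/2001 200 530
"""

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than guessed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6:
            records.append({"key": parts[1], "path": parts[3],
                            "status": int(parts[4]), "bytes": int(parts[5])})
    return records

def profile_consumers(records):
    """Per key: request count, distinct resources touched, bytes returned, 4xx/5xx count."""
    prof = defaultdict(lambda: {"requests": 0, "resources": set(), "bytes": 0, "errors": 0})
    for r in records:
        p = prof[r["key"]]
        p["requests"] += 1
        p["resources"].add(r["path"])
        p["bytes"] += r["bytes"]
        if r["status"] >= 400:
            p["errors"] += 1
    return dict(prof)

def flag_consumers(prof, max_resources=3, max_error_ratio=0.5):
    """Return {key: [reasons]} for keys whose usage exceeds the chosen baselines."""
    flags = {}
    for key, p in prof.items():
        reasons = []
        if len(p["resources"]) > max_resources:
            reasons.append("many distinct resources read (possible bulk extraction)")
        if p["errors"] / p["requests"] > max_error_ratio:
            reasons.append("high error ratio (possible probing of denied paths)")
        if reasons:
            flags[key] = reasons
    return flags
```

Running `flag_consumers(profile_consumers(parse_log(SAMPLE_LOG)))` on the constructed sample flags key_A for reading across many records and key_C for its denied and missing-path requests, while key_B passes; in a real deployment the baselines would be tuned per consumer from historical usage rather than hard-coded.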

Offering a healthy API experience

So, what does it take to offer a healthy API developer experience? Kin breaks it down to three simple guidelines.

Firstly, the consumer’s initial interaction with an API should be simple. This can be done by creating user-friendly landing pages with documentation, an easy sign-up process and an effective feedback loop – the consumer needs to feel listened to and supported.

Secondly, consumers look for evidence that a company is actually supporting and listening to its users, whether through blogs, Twitter, GitHub, FAQs or a ticketing system – all ways of showing that a company is genuinely engaging and not just ticking an API box.

Thirdly, it’s crucial that the developer’s experience with an API is trustworthy – the needs of the developer should come first.

That last point is, perhaps, the most important and comes down to business model. If a company is charging for its API – i.e. the API is its business model – then it’s easier to trust that the API will still be around in future. The alternative is less certain.

“If it’s just eyeball-based, they don’t really care about us as API consumers,” Kin adds.

There’s no point in an API no one uses

With so many companies building APIs, the role of developer relations becomes critical.

“Developer relations has got to build a bridge between sales and development. It’s an important discipline but it’s also tough to justify,” says Kin.

Some companies, he says, simply look at the number of users and don’t recognise or measure the human touches. Going to events and actually helping people is harder to measure than how many leads are generated.

Kin recognises that dev rel is difficult – evangelising internally and externally while all the time justifying your existence is a tough gig, especially when your boss and your co-workers may not understand the value of the role.

“Evangelizing internally is super-critical and it’s an important discipline,” he adds. “You have to really help people understand what it is you’re doing and why it brings value to the organisation.”

What the future holds

As for the future of APIs, Kin is cautiously optimistic. He feels that – partly thanks to the bad press around Facebook and Equifax – people are waking up to their existence and understanding what they are and how personal privacy and security can be affected.

For Kin, this is the reason he evangelises APIs – to bring them out of the shadows of the developer world and into the light. By doing so, he suggests, we are likely to see more regulated use and transparent information about how personal data is used.

“So, I’m optimistic that’s what the future’s gonna hold. We’re going to move out of the Wild West and APIs are going to become more mainstream and normal and actually help people.

“But”, he adds a final caveat, “I don’t usually get what I want so I may not get that.”

Photo by Alan Levine.