...

API security needs to be made an integral part of the API design process. Yet too often API designers' approach to security (including authentication, authorization, delegation and access control) has been ad hoc and perfunctory. There is as yet no comprehensive set of best practices, and the relevant standards work is characterized by contention and lack of finality.

Stakeholders, Influencers and Influences

The primary intended audience for these guidelines is the internal TIER initiative developer community.  Second, but probably second only in terms of timeline, is the audience of integrators who will be using TIER-developed APIs in the course of their work. APIs and API clients have to have a shared model and toolset for API security to make progress in this area.

Different audiences will need to be invited to engage on different aspects of this work. It will be important for team members to bring the perspective and represent the interests of at least the following stakeholder groups:

...

The Task Force must sequence its work in a way that provides early guidance to the developers of APIs with the most serious security issues.

...

Membership in the Task Force is open to all interested parties. Keith Hazelton will serve as the chair of the Task Force. Other API WG members who have already expressed an interest in serving on the Task Force include José Cedeño, Gabor Eszes, Warren Curry, Ethan Disabb, Jim Fox, Chris Hyzer, Chris Hubing and Brian Savage.

Deliverables Timeline

By April 2017: Complete a first draft of a TIER API Security

...

Guidelines document and invite community review

  • Work with API developers to build and test a guideline-conforming security solution for a specific API

...

Request for Internet2 Assistance:  N/A


See Also

TIER Data Structures and APIs Working Group Home

TIER Entity Registry Working Group

...