Hi neofree,
When it comes to security, we spared no expense in implementing as many security measures as possible. Firstly, and probably most importantly, buffer overruns are out the window. All variables are allocated memory based on the size of the data, no less, no more. Secondly, since we approached the way the commands are issued to DirectAdmin by saying, "these are the commands, you can't use anything else", it prevents people from trying to run things that they shouldn't be. This also ties into the security log; if someone is indeed trying to run a command out of their authority level (ie: create admin as a user), who, what, where when, from what ip, etc. will be logged. Another great security thing that is logged is the "login attempts". When someone attempts to log in, a file will store their ip and information about their attempt. Each additional attempt will be logged to that file, regardless of who they try to log in as. Once they try 10 times or more, each attempt will be placed into the secuirty log showing their ip, the number of attempts, and who they were trying to log in as. Any other out-of-the-normal thing you can really think of will be logged in the security log, or the error log if it applies.
One big one is the extensive form checking. This ensures that you don't try to pass any data that is invalid. Other control panels might not check for newlines, thus allowing someone to post data which will be written in a log giving them the ability to write whatever they which on the subsequent lines. All data passed to DirectAdmin will be thoroughly checked for validity.
If, after ALL of this (and far more smaller things that are not listed) an exploit is found, a bug fix can be made very quickly and updates will be sent to everyone, probably before they even know the bug exists, plugging the hole. Our automatic update feature makes manually updating things such as security holes and new features a thing of the past.
I'm probably forgetting some of the security features, but you can get the general idea that we made security a top priority.
As for the API you requested, we will get on that right away and should be done for you within a few days. We'll post a link under the support section when completed.
Thanks,
John