The API Lifecycle
Tuesday, October 27, 2020
Integrating into an API is not always as easy for partners as it can be. Shutterstock’s API was built to provide easy access to the company’s content and technologies so that partners such as Facebook, Google and IBM can leverage it in their own their platforms. The goal is to ultimately drive business results for partners by making user workflows frictionless and providing flexibility for developers. In this session, learn the tools and solutions that allow partners to easily plug into your content and provide a seamless experience to their users. Shweta will discuss using modern technologies and API standards such as OpenAPI, building sandboxes, auto generating SDKs, and self-documentation to allow for efficient integration and faster results.
22,000 is the number of public APIs referenced on ProgrammableWeb. In such a competitive environment, providing good APIs is not enough.
How long does it take for your users to understand what your API does? How long to create an account? How long to make the first API call? Do you provide guides? Code samples? SDKs (generated or manually written)? Do they need to write code to test your APIs? What tooling are you offering? Are you open and transparent with your users?
In this talk, we will take a look at the things that need to come in addition to your APIs to offer the best on-boarding process and an outstanding user experience.
By extensive use of APIs to a myriad of back-end citizen service applications, municipalities can provide a full-service, round-trip, 24x7 experience and resolution to all customer requests for service. Whether it be a Water start/stop, bill payment, trash collection, library book request, fire inspection or a police non-emergency request, APIs can revolutionize the entire resident service request fulfillment, by municipalities, via a single customer facing portal.ent
While APIs have clear and obvious benefits, they’re also creating a rapidly-growing attack surface that isn’t widely understood and is sometimes completely overlooked by developers and software architects. With recent reports suggesting that by 2022, API abuses will be the most responsible vector for data breaches within enterprise web applications, securing them is a top challenge and must be a bigger priority.
The first step in accomplishing this goal is generating awareness around the most critical API-related vulnerabilities and ways of protecting these programs.
This significant gap in knowledge drove me to spearhead the development of the OWASP API Security Top 10 list, which was officially published at the end of 2019, to inform organizations, developers, and security professionals about the top issues impacting API-based applications. Since deploying, it has been adopted as the de-facto standard by many organizations and security specialists.
In this talk, I'll emphasize the uniqueness of API-centric design from the security angle, highlight the risks presented by API use, and show why an increased level of awareness is required to mitigate the risks. From there, I'll dive into the top security risks presented in the OWASP API Top 10 list, and provide example attack scenarios for each. Finally, I will share what we can expect to see when it comes to API exploitation moving forward as modern software is increasingly targeted by adversaries
API integrations and the reasons a business would want to do them are plentiful. Many are driven by wanting to drive higher user (employees and customers) productivity, greater employee engagement, or reducing busywork and task switching in order to increase, quicker, smoother cross-application workflows. As APIs are built multiple and different types of vendors are involved, fostering some critical business considerations. Steve Wilson will share his insights from building dozens of these integrations, detailing the critical business considerations to keep in mind about business restrictions and terms of service to put around APIs. He will explain how to set up a win-win alliance between your business and other vendors involved so that everybody's business model wins.
Creating APIs is more than just writing reading some docs and writing code. Your API is the interface developers use to access and take advantage of your company's services. And that developer experience (DX) deserves to be first-class whether you are dealing with important third-party devlopers, key partners, or just other teams within your own organization.
This workshop covers the basics of both designing and building APIs through the use of a series of handy command-line tools and existing services and open source tools. You'll learn about API-First design, using diagrams to map out your APIs, and API definition languages like Swagger and others to document your APIs. You'll also learn how to use NodeJS and the Sketch-Prototype-Build pattern to implement the right API design quickly and safely. And, finally, you'll learn how to use automated testing and deployment to get your API up and running on public servers.
Good design and implementation can reduce errors, improve API adoption rates, and contribute to the bottom line. Whether you are an experienced API developers looking to sharpen your skills or you new to APIs and want to start learning, this workshop will help you in your effort to design and build great APIs.
[TL;DR: How you can expose your existing GraphQL API as a customized REST API - without writing a single line of code]
So you’ve decided to write a public API. Great!
Should it be RESTful? Or perhaps a GraphQL API, the new cool kid on the API block? What if you already have an internal GraphQL implementation, but need to expose it publicly as REST?
In this talk, we’ll very briefly review the main differences, benefits and tradeoffs between REST and GraphQL for *public* API implementation, and go over how we at Sisense wrote a Node.js library to automatically generate a RESTful API from our existing GraphQL schema.
GraphQL2REST, which we released as an open-source npm package, allowed us to offer both API interfaces - GraphQL *and* REST - while maintaining only one code path! I'll talk about this case study and end with a live demo showing how your GraphQL API can be exposed as a customized REST API without writing a single line of code.
It might be also relevant to you, if you already have a GraphQL API, but your users want REST; or, if you want to develop a new GraphQL API and get REST on top of it, for free; or, if you wish to benefit from GraphQL internally while exposing a quite different truly RESTful API externally.
Big data and AI are present in almost every organization. The challenge is to integrate the AI needs of the enterprise with the Big data capabilities. Real time data is another dimension that adds complexity to this whole setup. There are multiple ways to tackle this issue.
In this talk, I’ll share the design principles and patterns from my experience that can help in building a Real time Big data platform for the AI needs of the enterprise. I’ll demonstrate the methods to integrate asynchronous and synchronous patterns of communication in the context of a Big Data store.
There are no shortage of API metrics you could track, but how do you aligned to business outcomes. This workshop takes a deep dive on how to align metrics to three key goals: Adoption, Engagement, and Retention. Then, we'll discuss changes you can make to your developer experience for improving these areas.
Uptime has become an extinct metric.
With the average business transaction now requiring 30 or more API connections, testing and monitoring teams are challenged to rethink which data points should be collected to improve their analytics and debugging tools. Simply relying on ping, contract, and synthetic testing has proven to be highly unreliable.
A number of API testing teams have begun their journey to go beyond uptime by building sophisticated data-driven and end-to-end functional tests that can check on entire API consumer flows. Yet most monitoring teams do not continue checking on the entire API consumer flow, despite production environments typically containing complex systems and data sets that staging does not. This raises the question: How accurate is uptime if an API is not functioning correctly?
In my demo-focused session, I will introduce attendees to the concept of "Functional Uptime," and show how API monitoring teams can easily reuse data-driven and end-to-end functional tests as monitors in production. My demo will include how to solve the problem of testing with live data in production by turning databases into APIs.
Big Takeaway: API testing and monitoring teams must break out of their siloes - a simple way is to reuse tests created by testers with high domain knowledge as monitors in production environments.
In this session I’ll cover our newly defined and implemented product-led software development lifecycle, centered on API first design. The process has one end-goal in mind: improve our customer's experience with our software and APIs. That is, build our software with end users in mind. Easy to say, more difficult to enact.
Planning is great, but action and implementation must follow. We have created an API first development CI/CD automated pipeline, following design-first industry standards and tooling. We’ve moved away from the siloed dev → test → doc → deploy methodology. The workflow involves multiple teams from the outset. Development, designing, testing, and documentation all have their part to play, with product management coordinating, leading, and owning the entire process.
While I can’t go into details of each step of the workflow, I’ll provide enough conceptual and technical insight to get an idea of what we’re doing, how we’re doing it, and the tools we’re using. I’ll also cover how we’ve worked with our design team to educate the various product teams through design workshops. Finally, I’ll touch on some mid-stream adjustments, lessons learned, and outline the next steps in our journey.
Wednesday, October 28, 2020
The immense growth of API enabled business offerings and services, has placed API traffic as over 80% of the total web traffic. According to Gartner, around 90% of web apps will possess exposed APIs as attack surface than the frontends. This portrays an increased amount of potential API vulnerabilities over the month and year. Though the release of the OWASP Top 10 - API Security will provide a great enablement vehicle to the secure API development professionals but due to the immense growth and market opportunities, it will not be a too difficult ask to any security professionals to predict an increased amount of API vulnerabilities over the next couple of years.
Which key API vulnerabilities dominated over the last year [October'2019 to October'2020 i.e., since Platform Summit 2019 to 2020]? What are the common lessons we could derive from those API vulnerabilities?
This talk will provide an overview of five most noteworthy vulnerabilities (with CVEs) of last year and will bring key lessons to the API professionals in the development of secure API.
The things you've done to secure your previous web apps might not be enough for your APIs. We'll review the OWASP API Security Top 10, reviewing the biggest risks and ways to mitigate them.
According to Gartner, APIs now account for over 40% of web/mobile application attack surface. Most API vulnerabilities come from business-logic, role-configuration, and other non-conventional flaws.
This session will go over the top vulnerabilities in APIs and build an automated & continuous API security testing strategy. The Shift-Left/DevSecOps strategy will deliver secure and faster releases while significantly reducing manual and penetration testing security costs.
When building cloud applications, we should always bear in mind that our services are exposed on the Internet and can be accessed by anyone and may have untrusted users.
Because of this, we need to be proactive and aware of these possible security threats so that we can design our cloud applications to be able to handle them properly. Apart from preventing malicious attacks, cloud applications must also be designed to protect sensitive data and grant access for certain resources to only authorized users.
In this session, I will be talking about 3 security patterns that can be used to prevent malicious or accidental actions outside of the applications designed usage, and to prevent disclosure or loss of information when building for the cloud.
PRO SESSION (API): Fighting Fraud and Friction in Mobile Apps with Location-Based Behavioral Biometrics SDK and APIs
Mobile fraud is increasing at alarming rates. Traditional web-centric security defenses based on static credentials and cumbersome two-factor authentication are no longer sufficient for protecting against mobile fraud. To ensure that neither user experience or security are compromised, mobile applications require identification and authentication techniques, specifically designed for the mobile experience, that not only protect against fraud but that are completely frictionless for the user. Location-based behavioral biometrics offers the opportunity for frictionless fraud prevention for mobile users, and the best part is, all the user has to do is be themselves.
This session will explore the use of network signals from GPS, Cell, Wi-Fi and on-device sensors to track location behavior and use for mobile fraud detection without the capture or storage of a user’s Personally Identifiable Information (PII). Developers will learn how their companies can make use of a location-based behavioral biometrics SDK and unique location fingerprints, device integrity and address verification APIs for advanced mobile fraud detection.
"Losing my religion" is an expression from the southern region of the United States that means “at my wit's end". While the internet is full of best practices, guidelines, and security tooling, getting software engineers to adopt, understand and remediate threats can be challenging, and can often make one believe that they are “losing my religion”. This talk will outline successful and unsuccessful approaches to API security in a global enterprise, and how companies can actually realize value from their API security efforts, as well as methods to get software engineers to become security advocates.
APIs. They’ve been around for years in one form or another, bringing the benefits of ease of use, efficiency and flexibility to the development community.
The beauty of using APIs for mobile and web apps is that you can build and deploy functionality and data integrations quickly. But that's the huge downside, too. Undermining the power of an API driven development methodology are shadow, deprecated and non-conforming APIs that when exposed to the public, introduce the risk of data loss, compromise or automated fraud.
The stateless nature of APIs and their ubiquity makes protecting them increasingly difficult. A challenge that is amplified by the wide range of API security alternatives. This session will delve into the different approaches to protecting APIs from a range of security risks and how should security and development teams approach a consistent protection philosophy.
How to secure micro service communication via JWT. How to overcome challenges in adopting to the new lightweight security into your Rest, RPC, GraphQL endpoints. Discuss potential issues around onboarding secure communication. Touch upon alternative approaches like SAML, Oauth and others.
PRO SESSION (API): Rethinking API Security: Applying Lessons Learned From Human Secure Authentication
This session will discuss the growing need for better approaches to API Security, in light of increasing attacks against API. The speakers will talk about cybersecurity lessons learned from improvements in how humans securely log into networks and will apply those lessons to security for APIs. The session will tied those lessons learned to vulnerabilities identified by OWASP and other cybersecurity experts.
Planning on introducing a mobile app into your product mix? Expect fresh attacks on your API infrastructure. User credentials try to identify who is calling your API, but they are a frequent target for hackers. Often overlooked is the importance of identifying, not just who, but what is calling your API - is it your authentic, untampered app running in a clean and secure environment, or is it a fake app or malicious bot? Can a hacker get between app and API backend in an insecure channel? These techniques complement user authentication and AI and traditional backend protections to ensure your APIs are not being abused. We'll use the context of a ride-sharing app to show how layering just a few additional techniques bolster both the strength and the determinism of your overall API security.
Thursday, October 29, 2020
Creating a successful API requires a proper process from concept and design, through development, and into ongoing maintenance and good developer support. There are many steps to a good API. As developer expectations for better-quality APIs increase, tools have made it easier to do this well. Looking at the full API Product Lifecycle to design an API people will use, Jeremy Glassenberg will share the newest tools -- and potentially upcoming opportunities -- to better automate the planning and creation of a solid developer program.
In this technical session, Xavier Durand, Co-founder and Developer Advocate at Aircall, will discuss the importance of building your public API for the developer experience. Xavier will speak to:
- The innovations that are key to making your platform a go-to for developers
- How he built a public API that has 70% of integrations built by customers
- Lessons he learned along the way (putting his vision into practice)
Developing internal APIs is a key step in an enterprise's digital transformation journey. Internal APIs help unlock data silos enabling developers to easily connect and access different systems within the organization. This results in efficiencies and enables enterprises to introduce new products faster.
How do you manage all the internal APIs? How do you ensure high performance for your internal APIs? How do you protect these APIs and maintain zero-trust security policies? Attend this session to find out answers to these questions and learn about guiding principles in managing internal APIs.
An excellent developer experience can take many shapes. Since there isn't a one-size-fits-all solution, you should lean on your customers to build the developer experience that caters to their particular needs and use cases.
In this session, we will discuss how to include your customers in the developer experience lifecycle, including identifying areas of improvement, building and testing developer tools, and ongoing maintenance.
This presentation describes how to implement Multi-Cloud native strategies using advanced an open source framework that allows for Cloud-agnostic Multi-Cloud deployment and optimized management of the serverless applications based on flexible monitoring, context aware maximization of the application owner’s utility of the deployed serverless components, and autonomic reconfiguration based on the application’s current execution context.
Observability is taking over as the ideal practice for monitoring and supporting modern applications. But how does this related to APIs? In this talk I will cover how Observability fits in API development and supporting APIs.