Wednesday, October 27, 2021
More and more companies are faced today with the unique challenge of how to authenticate and authorize their APIs. The problem is so common that Broken Access Control has now taken the #1 spot on the OWASP Top 10.
In this session, we will go over the best practices for authenticating and authorizing your APIs, from the design phase through to real-world implementation. We will cover the authentication, authorization, access control and multi-tenancy aspects of API management, including real-life examples from RESTful and GraphQL based APIs.
APIs are everywhere, leading the digital transformation age. With 90% of all web traffic being API calls, the attack surface and threat model have changed exponentially.
Agile development and rapid release cycles with iterative changes leave APIs vulnerable to attack, but security testing of APIs has not kept up with this pace.
Security testing automation is key, integrated as part of your pipelines to put developers into the security testing driving seat, to rely less on manual testing and produce secure APIs by design.
Traditional security scanners are a blocker to this automation. They are hard to use, difficult to integrate, not developer friendly and produce too many false positives. The result is crippling human bottlenecks that stifle CI/CD, whether it's the need for security staff to constantly tweak scanners or the drain of manually validating vulnerabilities.
Either way, technical and security debt is compounded, resulting in insecure products hitting production. Change is needed, and fast.
In this session Oliver will cover:
1. Key features that your dev-first security tools need in order to let developers take ownership of security
2. How you can detect, prioritise and remediate security issues early, automated in the pipeline, for your REST, SOAP and GraphQL APIs
3. Insights into reducing the noise of false alerts to remove your manual bottlenecks to shift left
4. Steps you can take to achieve security testing automation as part of your CI/CD, to test your applications and APIs
API development is challenging. Effective API development involves understanding API usage patterns, managing user feedback, ensuring the system can handle heavy API usage, and making difficult tradeoffs to ensure that end-users, API users, and developers supporting the system are all happy. So, how should you do it?
In this talk, I'll cover some guidelines for API development that can help rein in these challenges: writing an effective API spec, understanding what to get out of an API review, and getting feedback from early adopters through a beta testing program.
I'll also make the case that incorporating telemetry and observability tooling into the process can help you achieve more confidence in what you're building as you're building it. By capturing wide events across your entire API surface area, you can do things like correlate usage of one API with another to see if people are doing what you would want them to do, and understand who is pushing your systems to their limits without getting paged in the middle of the night about a problem in the wild.
Throughout the talk, I'll reference real-world examples of building APIs at Honeycomb. We've seen tangible benefits to utilizing observability tooling in the development process. After this talk, you should have the information you need to reap similar benefits.
Organizational efforts to adopt microservices are more likely to fail because our understanding of what a microservice is has shifted from its original meaning. In this presentation, we will look at the current communication paradigm of microservices and how it leads us down the road to massive amounts of unnecessary operational complexity compared to proper microservices or even a monolith. We will further discuss ways to avoid these common pitfalls and improve the likelihood of success.
APIs help drive efficiency and faster innovation so that organizations can support their business. Attackers also know this reality and zero in on APIs as a primary attack vector. The end result is a potential nightmare for organizations with API-driven business applications as they face the risks of data breaches, privacy incidents, and more.
In this session, we review first hand API threat research gleaned from a large financial institution. Its SaaS platform provides API services to thousands of partner banks and financial advisors, and security researchers found many alarming API vulnerabilities. Researchers were able to demonstrate exploits of these vulnerabilities, showing that anyone could:
- Read any financial records of any customer, despite lacking the proper authorization
- Delete any customer’s user accounts across the financial platform
- Tamper with authentication parameters and take over any account
- Launch an application-level denial of service attack that would render entire applications unavailable
Unfortunately, this financial institution isn’t unique. Attend this session to gain insights into API security best practices to prevent this nightmare from being yours.
A few years ago DataStax launched a new offering of Cassandra-as-a-service in the cloud named ASTRA (astra.datastax.com). You might think that starting databases from web pages has nothing to do with APIs; well, you are wrong.
During this session we will go over the different APIs that have been designed, how and why. Most of the choices made will be detailed, covering broad categories such as technology, languages, interface, versioning, maintenance and billing. The tooling needed to make your product a success (SDK, CLI, Terraform...) will also be presented. No surprises: the platform leverages the cloud providers' services and APIs. Come and learn why a DBaaS is just an API calling other APIs.
API specifications are extremely useful for security teams to monitor API security and compliance conformance and to make suggestions that keep your APIs secure. Many organizations, however, are generating specs that security teams are unaware of and that are often found by would-be attackers. In this session I will show some of the frameworks and tools utilized by attackers to find your API endpoints and enumerate the endpoints that are missing standard security measures and are open to attack.
Many eSignature technologies have seen rapid, steady growth for the same reason: digitizing approval workflows creates so much value for the parties involved. But what if there was a way to build even more trust and value with customers into this process? By leveraging the blockchain, it’s possible to facilitate digital agreements with significantly deeper levels of security and transparency. In this session, we’ll explore the topic of writing digital agreements to the blockchain and demo a working proof of concept that writes to the Polygon PoS (Proof of Stake) chain using open source tooling. We’ll have some time for questions at the end.
Applications and APIs today are expected to evolve rapidly and continuously, or face disruption. This has driven the need for the agility enabled by microservices. Meanwhile, mobile has driven both a dramatic increase in data volumes and levels of interaction, while also raising expectations for always-on applications and faster response times.
This talk will cover key architectural elements of cloud-native microservices that can process at giga-scale, where event streams or user interactions can reach even one billion events per second. Distributed computing architectures for delivering this scale while also achieving 99.999% uptime will be explored, including in-memory processing and data locality, elasticity and resilience. The talk will also cover new challenges for building transactional apps in these architectures, such as service discovery, retrying, load balancing, tracing the causes of failures, and transactional semantics.
Polling-based APIs, typically RESTful APIs, were the main building blocks of traditional integration stories. But with the need to respond to events in real time, integration architecture has shifted from being polling-based to event-driven. With the emergence of reactive event-driven architecture, asynchronous APIs have been able to hold their own distinct position in modern-day integrations.
Even though event-driven APIs provide their own advantages, such as high resiliency, high responsiveness, and more, management of asynchronous APIs continues to be a challenge for organizations.
The AsyncAPI specification plays a major role in the event-driven world by providing a standard way to describe and document asynchronous APIs. This session will explore the entire flow from creating an asynchronous API to exposing it as a managed API while adhering to the AsyncAPI specification.
Do you want to take your next generation application to the next level? Have you ever wondered how you can use analytics, Artificial Intelligence and automation to build a better customer experience? Come join us at this session to see how.
The acceleration of digital transformation in the past year brought on by the pandemic means more services and transactions are taking place online than ever before. While digitizing processes adds convenience and efficiency, it's not enough to remain relevant with your users. As more transactions shift online, so should the social interactions around those transactions. It's not just about adding social features. It's about embedding a social layer where social is wired into the DNA of your product. This may sound like it requires a time-consuming overhaul of your app or existing product, but it doesn't have to. Today's API ecosystem makes it surprisingly fast and easy to implement a rich social experience within your application. In this session, Shailesh Nalawadi will present how companies across several industries have improved KPIs by developing a social engagement layer with chat, voice and video APIs.
In today's world of APIs, microservices, and cloud-native applications there's a common denominator: open-source software. Enterprises all over the world are not only moving to containerized or cloud-native applications, they are adopting the latest open-source innovations, from DevOps tools and container orchestration to the deployment of AI applications in production environments.
In this session, Perforce Chief Evangelist Javier Perez will examine the state of APIs, cloud-native applications, and open-source software in the context of today's application development and how enterprises can define strategies putting all the new trends together.
In this talk, attendees will learn:
• What open source technologies are driving application development and API strategies
• What it means to develop a cloud-native application
• What API integration strategies are being used with cloud-native and AI applications
• AI, ML, and DL in the context of API strategies
• Trends and future of software development
With APIs serving as the connective tissue across all applications, API management capability is critical to achieving successful outcomes. The rise of the DevOps movement has fostered a culture of self-service supported by distributed infrastructure. What are the characteristics of distributed API management? How do you drive innovation by accelerating API release velocity? Attend this session to find out the answers to these questions.
We deal with HTTP-based APIs for many of our common interactions between services and system components. But not all the services we want to communicate with use HTTP, and when confronted with one that doesn't, getting started can be intimidating. In this talk, we'll use RabbitMQ Streams as our example service and cover all of the design and implementation considerations needed to work with a non-HTTP API.
Jonas Iggbom, Director of Sales Engineering at Curity, will provide an overview of what a Hypermedia API is and how it can be used for browser-less authentication on iOS and Android. Coupled with the WebAuthn standard for passwordless authentication, this provides a great user experience, especially on mobile devices, where the browser context does not have to be invoked and, for example, Face ID can be used to authenticate the user. Jonas will demo an approach where both technologies work in synergy to provide the most seamless user authentication possible on mobile devices today.
OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Enables Continuous API Security
Are you struggling to keep up with the increasing volume and scale of API development? Are you finding that traditional security solutions simply cannot address all API security challenges? You're not alone! APIs have given us unprecedented integration capabilities, but they are also greatly increasing our attack surface. Trying to cope with issues by deploying tools after APIs are done and delivered is simply not going to work. Instead, we need to take a proactive approach to API security.
Isabelle explores how a continuous approach to API security can be achieved, combining design-time security measures driven by development with continuous API threat analysis, API-specific vulnerability detection and runtime policy enforcement. She proposes an approach known as security as code to establish a common language across Dev, Sec and Ops teams, and demonstrates an automated workflow, from design through deployment, that ensures API issues are caught and addressed as early as possible in the API lifecycle.
Large public GraphQL endpoints have all advertised a notion of GraphQL cost for years, and various GraphQL servers and open source projects have implemented GraphQL cost calculations. In 2021, an effort began to standardize how systems communicate GraphQL cost to each other, which promises to dramatically ease securing these systems and thus open up many more big public GraphQL endpoints. Join us to learn about this effort and how it can benefit you and your GraphQL strategy.
Edge computing enables you to run your application code as close to the customer as possible, reducing latency and improving the user experience. As your compute moves closer to the edge, what data options deliver the same performance, regardless of where your users are located?
In this session, you learn how to integrate Fauna with edge computing providers to provide a responsive, strongly consistent API. You learn how to build, test, and deploy a basic REST API that includes both authenticated and anonymous routes. Finally, you learn how Fauna delivers low-latency performance to the edge while still integrating seamlessly with your existing, centralized computing resources.
Application security is shifting into the development pipeline - that’s no longer up for debate.
But as we shift where we test for vulnerabilities in the SDLC, we also need to rethink how we test. Protecting our most sensitive data requires evolving from testing that focuses on client-side web apps to automated security testing of our backing APIs.
Join StackHawk Chief Security Officer Scott Gerlach as he dives into why API security is a critical component of modernizing any AppSec program, and provides practical suggestions for attendees to start implementing API-first security testing.
OPEN TALK (API): Conversation Intelligence: Enabling Conversation Driven AI Is as Easy as Hitting a Few Endpoints
Conversation Intelligence (CI) enables developers to take their applications beyond basic speech recognition, and build more intelligent speech and conversation-driven functionalities and product experiences. Applications, enabled by CI, are not only able to understand the spoken words, but are capable of comprehending the context of entire conversations.
CI is a rapidly growing sector of AI, and has given rise to a new generation of AI-driven products such as Gong, Outreach, RingDNA, and more. Applications, driven by CI, are able to monitor, extract, and analyze contextual insights and conversation intelligence in real-time to automate workflows, increase revenue, elevate productivity, and provide more pleasant and innovative customer experiences.
Building and extending applications with CI-enabled functionalities and experiences no longer requires developers to have any working knowledge of building or training their own machine learning models. Hitting a few endpoints is all it takes to enable CI-driven experiences. Some real-life examples of how CI is being leveraged in everyday applications are products for sales and revenue intelligence, agent coaching, webinar platforms, accessibility, compliance, recruitment and more.
In this session, we will cover the key characteristics of the conversation intelligence API that enable developers to easily build and go live with intelligence. We will talk about various AI aspects of conversation intelligence such as speech-to-text, extracting contextual insights, summarizing conversations, generating domain-specific insights and intelligence, topic modeling for conversations and accessing advanced conversation analytics. We will discuss the difference between domain-specific and domain-agnostic CI. We will also look at an example that showcases a combination of a few of these with actual code.
If you're working with OpenAPI, the first problem you have to solve is how to get that document written. An implementor can generate a server based on a spec, generate a spec based on a server, or write a spec independent of a server. Ed's done all three, and will share some of his findings from putting each into production.
Thursday, October 28, 2021
OPEN TALK (API): The Real World, API Security Edition: When Best Practices Stop Being Polite and Start Being Real
API security has emerged as a top priority for protecting vital data and services. Unfortunately, many organizations are just one vulnerable API away from a privacy incident or data breach, and it’s an area where many companies lack expertise.
This “real world” episode shares six essential techniques, drawn straight from the trenches of customer deployments, to help guide your API security best practices.
Join us for a discussion of these key areas:
- API documentation, discovery, and cataloging to improve awareness of your API attack surface
- Runtime protection to prevent sensitive data exposure and protect your APIs from abuse
- API-centric security operations so you're prepared in the event of an API incident or breach
This session will also share ways to make it easier and more automatic to address the many elements of API security.
Come find out what happens…when APIs stop being vulnerable. And start getting secure.
OPEN TALK (AI): Making the World Smaller with NLP: Using AI to Link Data and Make it Easier for Machines (and Humans) to Understand
Linked Data and the Semantic Web have come a long way in helping to achieve a world that is more understandable to computers, but unstructured data can still be especially challenging when trying to extract concepts and metadata into standardized form. In this presentation, you will learn about the background of Linked Data (JSON-LD in particular) and how natural language processing can be used to take advantage of this increasingly important effort. From more easily enhancing the SEO of a website to making your application more interoperable, natural language processing can make your projects better understood by humans and machines alike.
Design First approaches are growing in popularity when it comes to API design. They allow all teams working with APIs to work together, using a common, human-understandable language to define the specifications of the APIs to be implemented. With all stakeholder views represented, a Design First approach allows teams to create product-driven APIs with short feedback loops, and helps drive parallel development of applications.
In this talk, using an example of building a simple API definition, we will:
- Go through the principles of “Design First Approach”
- Examine the benefits this approach brings
- Look at an example workflow from beginning to end using Design First to build a simple application
A modern technology strategy begins with the creation of a base architecture that enables any project and ensures flexibility for the organization. A modern integration architecture is precisely this enabling infrastructure.
Using the appropriate stack for this challenge is essential if technology teams are to meet the growing demands from the business. Professionals who work with systems integration will no longer face obstacles that hinder projects, finding in this new model a true lever for the creation of new products and services.
In this session, we will explain in practice how to implement a modern integration architecture that enables the unlocking of projects, the connection between ecosystems and the acceleration of teams. We will show how the use of sophisticated technology can be abstracted away by a low code platform, bringing quality and control to data flows, as well as standardizing access to multiple endpoints spread across hybrid environments. It's an opportunity to learn how to create this enabling base layer for the agile delivery of new products and services.
Functional and performance tests of API infrastructures offer little value if they cannot produce detailed error reporting and highly usable feedback loops, especially in agile and CI/CD pipelines. Too many developers rely on tests that give them (and security teams) a "false sense of security," resulting in low developer confidence when releases are rushed to market.
Many developers fear that more robust testing becomes a bottleneck that delays releases. Additionally, multiple teams throughout an organization may be using different toolchains with different development languages, testing tools, and QA processes. There's no way for managers to gain centralized visibility into all of the local and pipeline testing happening (or not happening) across the entire organization. Siloed processes also raise the risk of human error when, for instance, a build passes a test designed for the goals of one team but does not support the goals of other teams.
In this API World 2021 session, Sangit Patel, Solutions Engineer at Sauce Labs, will explain how to drive developer confidence at any speed with improved API design and more productive and usable API testing and monitoring.
Top five points covered will include:
1. Make it fast and easy to write or generate API contract tests and E2E functional tests from spec files or recorded API traffic.
2. Make it fast and easy to reuse the functional tests as end-to-end tests, which may then be reused as E2E functional load/performance tests.
3. Reuse the holistic E2E functional performance tests as API monitors that can run continuously with or without a CI/CD in any environment, providing accurate and highly usable feedback throughout rapid iteration and changes to code and databases.
4. Simplify refactoring to automate test maintenance and maintain the reliability of API monitors that provide far more coverage and more usable diagnostics (via detailed reporting and dashboards) than synthetic infrastructure monitors or traditional API monitors.
5. Execute and manage API testing from a cloud platform that offers the scalability, flexibility, and interoperability to support centralized API testing and monitoring across all of the toolchains that distributed teams (or individuals) may prefer to use, and plan and execute tests that satisfy all goals across all teams.
Apache Cassandra™ is an incredibly powerful, scalable and distributed open source database. Companies with extremely high traffic use it to provide their users with consistent uptime, blazing speed, and a solid framework. However, many developers find Cassandra to be challenging because the configuration can be complex and learning a new query language (CQL) is something they just don't have time to do.
Stargate is an open source project which sits on top of Cassandra and provides HTTP interfaces to your data: a REST API, a GraphQL API, and a Document API (schemaless, similar to MongoDB). You can install it on top of your own Cassandra instance and participate in the community.
Don't just take my word for it: you can get a free Cassandra instance in the cloud from DataStax. The Astra databases do all the configuration for you up front; they're serverless, so they scale with your database needs, and you only pay for the traffic you actually use.
With Astra DB, you can set up proofs of concept and create applications to explore whether Cassandra/Stargate is a system that will work for you. In this session Kirsten will demonstrate a TikTok clone which uses React and Netlify to provide a completely serverless application in the cloud.
In a world with countless software and systems that need to be connected, the management of integrations becomes necessary and, at the same time, a great challenge for companies. It is therefore necessary to measure how good integration management can improve and optimize productivity, accelerate your digital transformation and enable the creation of new digital solutions for the company.
In this lecture, you will see some examples of integration problems, effective ways to solve these integration issues, and some frequently asked business questions. Finally, we will discuss a practical framework demonstrating the value of such a solution to the bottom line of the business, sharing some use cases with an integration platform.
The "API First" mantra is great for business innovation, but the end result can often be a wild jungle of APIs that leaves your security team scrambling to ensure adequate API controls are in place to safeguard the business. In this session, we'll cover a practical strategy to help implement API security across the organization, from development through runtime and threat remediation. You'll see a demonstration of the tools and techniques that, when used with the right methodology, can help your team tame the API jungle.
API gateway technology has evolved a lot in the past decade, capturing use cases in what the industry calls "full lifecycle API management." API gateways originally allowed developers to expose and consume APIs, secure them, and govern API traffic. Today, however, they provide a series of functionalities to support the complete development cycle, including creation, testing, documentation, monitoring, monetization, and the overall exposure of our APIs. Another pattern emerged from the industry around 2017: Service Mesh! A service mesh is an infrastructure layer for microservices communication. It abstracts the underlying network details and provides discovery, routing, and a variety of other functionality. Many have attempted to describe the differences between gateways and service meshes. This talk will discuss the similarities and differences between the communication layer provided by gateways and that provided by a service mesh. I want to illustrate the differences between API gateways and service mesh, and most importantly when to use one or the other, pragmatically and objectively.
According to Gartner, APIs account for the majority of the public/web/mobile application attack surface. The most exploited vulnerabilities no longer come from web server misconfiguration, SQL injection or browser hacks; instead, the majority of widely exploited vulnerabilities now come from application logic, access controls, and other non-conventional flaws. This session will go over the top vulnerabilities in APIs and build an automated, continuous API security testing strategy. The shift-left strategy will deliver secure and faster releases while significantly reducing manual and penetration testing costs.
It's not enough to just have an open API platform that enables other technology companies to integrate. How do you make it attractive enough for them to stay engaged and keep doing cool stuff, to build the things that haven't even been thought of yet? We want to go even deeper on this idea of making it easy: how we can build the hard things so developers don't have to.
Foursquare presents the Product Manager's Extra Credit guide to building an A++ Enterprise API. Building an exceptional enterprise API is no easy feat. Earlier this year, Foursquare launched the new Places Enterprise API, built on the foundation of our renowned Developer API. In this session, we'll take you through every step of the process to create a delivery method that can meet enterprise standards and upgrade the developer experience: from understanding your customer's UX criteria and auditing the performance and security of your API infrastructure, to SLA best practices and everything in between.
We, as developers and engineers, love to build new things; it is in our DNA. But as CTOs, engineering leads and product managers, we need to take a step back and look over our strategy. The challenge we often face is that the business side expects us to deliver the best product in the least time without compromising quality. How can this be done with limited resources and short timeframes?
Whenever planning a new application or improving an existing one, we should constantly evaluate whether the next feature should be developed in-house or bought as an off-the-shelf solution. I believe that one should only build the things that are the core function of their business and add direct value to IP and customers.
Let's dig into the benefits and challenges of using third party APIs to speed up the product development process.