API Testing & Usability (DX) / CI/CD / Deployment
Wednesday, October 27, 2021
APIs are everywhere, leading the digital transformation age. With 90% of all web traffic being via API calls, the attack surface and threat model has changed exponentially.
Agile development and rapid release cycles with iterative changes leaves APIs vulnerable to attack, however security testing of APIs has not kept up with this pace.
Security testing automation is key, integrated as part of your pipelines to put developers into the security testing driving seat, to rely less on manual testing and produce secure APIs by design.
Traditional security scanners are a blocker to this automation. They are hard to use, impossible to integrate, not developer friendly and produce too many false positives. This results in crippling human bottlenecks that stifle CI/CD, whether it's the need for security to constantly tweak scanners or the drain of manually validating vulnerabilities.
Either way, technical and security debt is compounded, resulting in insecure product hitting production. Change is needed, and fast.
In this session Oliver will discover:
1. Key features that your dev-first security tools needs to enable developers to take ownership of security
2. How you can detect, prioritise and remediate security issues early, automated in the pipeline, for your REST, SOAP and GraphQL APIs
3. Insights into reducing the noise of false alerts to remove your manual bottlenecks to shift left
4. Steps you can take to achieve security testing automation as part of your CI/CD, to test your applications and APIs
API development is challenging. Effective API development involves understanding API usage patterns, managing user feedback, ensuring the system can handle heavy API usage, and making difficult tradeoffs to ensure that end-users, API users, and developers supporting the system are all happy. So, how should you do it?
In this talk, I'll cover some guidelines for API development that can help reign in these challenges: writing an effective API spec, understanding what to get out of an API review, and getting feedback from early adopters through a beta testing program.
I'll also make the case that incorporating telemetry and observability tooling into the process can help you achieve more confidence in what you're building as you're building it. By capturing wide events across your entire API surface area, you can do things like correlate usage of one API with another to see if people are doing what you would want them to do and understand who is pushing your systems to its limits without getting paged in the middle of the night about a problem in the wild.
Throughout the talk, I'll reference real-world examples of building APIs at Honeycomb. We've seen tangible benefits to utilizing observability tooling in the development process. After this talk, you should have the information you need to reap similar benefits.
Application security is shifting into the development pipeline - that’s no longer up for debate.
But, as we shift where we test for vulnerabilities in the SLDC, we also need to rethink how we test. Protecting our most sensitive data requires evolving from testing that focuses on client-side web apps to automated security testing of our backing APIs.
Join StackHawk Chief Security Officer Scott Gerlach as he dives into why API security is a critical component of modernizing any AppSec program, and provides practical suggestions for attendees to start implementing API-first security testing.
APIs are central to digital transformation. Public cloud adoption and cloud-native designs capitalize on APIs as a foundational building block. Meanwhile, Gartner predicts that APIs will become the most frequently targeted attack vector by 2022.
This discussion will highlight strategies for security and risk management of the modern API ecosystem — API discovery and inventory, API cyber attack prevention, API misconfiguration detection, and continuous API vulnerability identification and testing.
We’ll share best practices for orchestration across business, technology, and security teams to empower API-centric business and technology strategies with a shared, complete picture of API risks from code to production.
Thursday, October 28, 2021
Functional and performance tests of API infrastructures offer little value if they cannot produce detailed error reporting and highly usable feedback loops plus detailed reporting, especially in agile and CI/CD pipelines. Too many developers rely on tests that give them (and security teams) a “false sense of security,” resulting in low developer confidence when releases are rushed to market.
Many developers fear that more robust testing becomes a bottleneck that delays releases. Additionally, multiple teams throughout an organization may be using different toolchains with different development languages, testing tools, and QA processes. There’s no way for managers to gain centralized visibility into all of the local and pipeline testing happening (or not happening) across the entire organization. Siloed processes also raise the risk of human error as a build, for instance, passes a test designed for the goals of one team, but may not support the goals of other teams.
In this API World 2021 session, Sangit Patel, Solutions Engineer at Sauce Labs, will explain how to drive developer confidence at any speed with improved API design and more productive and usable API testing and monitoring.
Top five points covered will include:
1. Make it fast and easy to write or generate API contract tests and E2E functional tests from spec files or recorded API traffic.
2. Make it fast and easy to reuse the functional tests as end-to-end tests, which may then be reused as E2E functional load/performance tests.
3. Reuse the holistic E2E functional performance tests as API monitors that can run continuously with or without a CI/CD in any environment, providing accurate and highly usable feedback throughout rapid iteration and changes to code and databases.
4. Simplify refactoring to automate test maintenance and maintain the reliability of API monitors that provide far more coverage and more usable diagnostics (via detailed reporting and dashboards) than synthetic infrastructure monitors or traditional API monitors.
5. Execute and manage API testing from a cloud platform that offers the scalability, flexibility, and interoperability to support centralized API testing and monitoring across all of the toolchains that distributed teams (or individuals) may prefer using - and plan and execute tests that satisfy all goals across all teams.
Developer experience (DX) is similar to how you see and understand user experience (UX) but the difference is DX focus is strictly on developers who consume certain API services, SDKs, or other services owned by a company or an organization.This talk will explore why developer experience matters in every company providing a technical service, what makes a great developer experience team, and the relationship between building a great developer experience flow in a company with the public.The attendees will learn how Developer Experience increases product usage and how users can become advocates themselves for a product that has a great user-centric experience.Lastly, attendees would learn the role and what someone who is into creating a smooth and easy Developer Experience (DX) at a company does and the skills required to attract a similar role to you. Key Takeaways:- Attendees will understand how documenting an API properly over GitHub could improve the developer’s experience.- Attendees will understand best practices in designing API for a great developer experience. - Attendees will understand how commit messages should be committed and pushed. - Attendees will understand how developers would want to use a certain service and can have a bad experience because of bad documentation and product flow.- Attendees will understand how a successful platform makes a developer automatically successful - Attendees will understand how to measure user’s productivity while using their tools.
Time to market and ability to change rapidly while retaining high quality is a key business driver today. Let's talk about how API developers can automate creation of tests for their APIs, with no code required, and how they can leverage AI to improve code coverage and quality faster than ever before.
APIs are the fundamental tenets of the Internet. They enable integrations between different services, and they power the servers that bring our applications to life. API integrations lay at the core of our API-driven world, and delivering successful API integrations is fundamental to sustain it. However, more often than not, API integrations tend to fail due to ineffective development workflows. In this presentation, I want to present various API development workflows that have helped me and my clients deliver successful API integrations. I’ll show how documentation-driven development, using mock servers, robust API testing frameworks, and API visibility tools can help to significantly reduce the chances of API integration failure and to keep errors under control.
With APIs taking center stage in organizations of all sizes, testing them is becoming more imperative. The central role they play also means API testing offers great advantages in bolstering software quality. APIs - being contractual and fixed in nature, also afford an opportunity to create stable and easy to maintain tests. For all these reasons - API testing should be top of mind for every modern software team. But how do you instill the best practices in API testing to ensure seamless interaction between the applications dependent on them? To run API tests successfully, it is recommended to adhere to the same best practices that you would uphold for any software development. This talk will explore the best practices for API testing to enable users to create and manage comprehensive API tests from development through deployment
In this talk, we will understand how you can take your API (based on Open API Standard Spec) and generate really good looking and useful documentation including code samples. We will also look at open source tools to generate SDK for various programming languages. This process can not only save you days of manual work but it can also be automated so when your API changes, everything can be updated quickly, thus providing high quality Developer Experience.
According to Gartner, APIs account for the majority of Public/web/mobile application attack surface. Most exploited vulnerabilities no longer come from web server misconfiguration or SQL injections or browser hacks, instead the majority of widely exploited vulnerabilities now come from application logic, access controls, and other non-conventional flaws. This session will go over the top vulnerabilities in APIs and build an automated & continuous API security testing strategy. The Shift-Left strategy will deliver secure and faster releases while significantly reducing manual and penetration testing security costs.
When you try to improve the experience for using your API you might consider a command line interface. CLIs allow developers to explore the API, automate API usage, and most importantly never leave the keyboard. If you have an OpenAPI spec you can even generate a CLI automatically. But replicating the API for the command line is the baseline, CLIs have so much more potential. In this talk we'll discuss how Twilio built a CLI for our API and the opportunities it gave us to improve the developer experience of working with the API. With the Twilio CLI we enhanced API endpoints with extra features, helped to demystify webhooks, and let the community create their own plugins to supercharge their experience. When done right, an API and a CLI are worth more than the sum of their parts.