The API Lifecycle
Tuesday, October 26, 2021
APIs are much more than technology. It becomes increasingly apparent that by focusing only on their technology aspects, you're missing out on the biggest opportunities that APIs create for your organization and your business. In our work with large organizations we have realized that one essential aspect of realizing the value proposition of APIs is to API-enable the whole organization. This is particularly important for product managers, who need to start thinking about every single product of an organization as a digital building block. We present how we make sure that "Thinking the API Way" becomes the default for everybody in the line of business. Because in the end, the value of APIs critically depends on how much of an organization's business and value chains are exposed using APIs. Only then does it become possible to benefit from the loose coupling and the increased velocity that APIs can deliver.
One of the key functions of APIs is enabling integration with other applications. During integration, there are many commonly occurring integration errors and issues related to data, connectivity, etc. Today, the approach to resolving these issues is predominantly manual, with a few parts automated. The session will present a forward-looking approach to building Self-healing APIs. Self-healing APIs is a concept where fault tolerance is built in to resolve common issues with data and connectivity. The APIs could also monitor themselves and report the need for additional infrastructure. AI and Machine Learning play a role in enabling self-healing by improving the quality of the fixes and resolutions.
When defining APIs, the most common considerations are what our payload looks like, and then the implementer's perspective. However, good APIs, whether they're internal or public, are far more than just a payload description and need a consumer's perspective. In this session we look at what makes up a good API: from OWASP Top 10 implications to ISO and data definitions, to how to make it easy for your consumers, why these points are important, and the implications. We'll explore techniques to overcome the challenges seen when producing good APIs. Whilst we all think we know how to define APIs, you'll be surprised at the things that get overlooked or the opportunities to be better.
You've got thousands of automated tests running, multiple test and coverage reports and logs – but you can't see the forest for the trees. The problem is you don't know: Is it safe to release? With refined, specific metrics, you can define reports (or a dashboard) that tell you the real quality of the product. You can then decide what to do about it. This is a case study of building a quality dashboard with metrics and reports that matter for an application with hundreds of APIs and multiple front-ends. Some features were better covered than others, but what that coverage meant was vague. The dashboard was built by collecting information from multiple sources – test reports and coverage reports from Jenkins, custom logs that were farmed for information, SonarQube and more. We then added some "brains" to show the analyzed metrics, in terms of covered and uncovered test cases, test quality and more. We then presented a confidence level calculated from the metrics. The effort was done by developers, quality advisors, dev-ops people and others. This session is about this project. The dashboard helps managers see what features are ready and where the gaps are, and gives feedback to the developers on how well their tests are working for them. With this session you may be inspired to build quality reports that tell you how well your team is doing.
Access to APIs is usually controlled through authentication and authorization. Authentication establishes the identity of the API client, and authorization verifies whether an identity can invoke an API and perform the requested actions on the desired resources. API keys, session cookies, signed tokens and client certificates are some of the mechanisms used for authentication and authorization. In this talk, we explore how the posture of the API client can also be used to determine whether the API can be accessed. The geo-location of the client and the trust level of its host machine are examples of postures. Some API implementations have used the client posture as a decision point, but they have been either unreliable (e.g. using the source IP address to infer the geo-location) or ad hoc solutions for specific postures that cannot be generalized to other cases. This talk examines how a posture can be part of a generic API invocation flow. We define a framework that can support any type of posture or a combination of types. The framework uses signed claims that can be challenged by the API owner. We focus on hardware-backed claims, which are much harder to spoof than software claims. We also look at how posture verification can be integrated into existing authorization frameworks like OAuth. The talk uses three examples of postures: geo-location, host trust level, and clients running in a Trusted Execution Environment (TEE).
If we had to define the most significant benefit Kubernetes provides, it would not be the ability to run containers, fault tolerance, or immutability. The main benefit is its API. It is well defined, versatile, and extensible. It might be the main culprit behind the "explosion" of the ecosystem created around Kubernetes. Can we take the Kubernetes API to the next level? Can we use it to manage not only the workloads running inside Kubernetes clusters but everything else as well? Wouldn't it be beneficial if we had a **single API** and a **universal control plane** responsible for managing applications, infrastructure, services, and everything else, no matter whether we are in the public cloud or on-prem? In this hands-on session, we'll explore the principles behind the **universal control plane** implemented through the open-source project **Crossplane**.
Every thriving API program leverages the elements of business and technology equally. Alignment of business and technology strategy, the synergy between business and technical teams, and adaptability to the changes coming from either business or technology are fundamental characteristics of such an environment. During this talk, Asanka will look at four areas: federation and business models, moving to the cloud, a polyglot and heterogeneous approach, and modernizing development. He will also share real-world examples based on his involvement in numerous success stories.
Digital transformation and application modernization are exponentially driving up the use of APIs. We’re using more APIs than ever, and they’re more functional than ever. They’re also more attractive to hackers than ever, but lots of organizations are hanging onto old ways of thinking about API security.
Join our lively discussion on the top five common industry myths surrounding API security. You’ll learn the pitfalls of some misguided API security approaches, cut through the hype around a few security trends, and get recommendations on how to improve your organization’s API security strategy.
- The impact trends such as zero trust, cloud migration, containerization, and shift-left are having on API security
- The role of traditional security controls in API security – what they deliver and where they fall short
- The value of a full lifecycle approach in grappling with API security
- How to deploy dedicated API security that fits today's automated, agile, and cloud-first environments
API security is hard. API breaches now account for the majority of application/data breaches. Most web and mobile apps lack basic API-centric firewalls and gateways to protect apps and data. This session will cover what developers need to know about the top API vulnerabilities and how to build an automated and continuous API security strategy.
We recently built an in-house ledger at KOHO to reduce our dependence on a third-party payment processor. This change resulted in the addition of a few high-traffic endpoints to our system which touch payment operations, the core functionality of our product. As a result, we expect these endpoints to be always available, fast, secure and reliable. To make sure everything is battle-tested and ready for tens of millions of requests from thousands of customers every day, we have rigorously stress-tested these endpoints. This talk will focus on describing how to successfully run a stress test on your API. We will start with a brief overview of stress testing, some well-known available tools and different types of performance testing techniques. Then, we will explore how to find the root cause of your performance problem. Stress tests are most helpful when the test traffic is as close as possible to the load in the production environment. So, we will also talk about how to gather usage data from your API. We will continue the talk by sharing our decision process for choosing a stress testing tool for our Go API and how to interpret the reports these tools produce. We will finish the workshop by giving you a set of practical steps to utilize stress testing for performance improvement of your projects.
Document digitization is needed now more than ever to help us modernize from paper and manual workflows. In this session, you’ll learn how to develop a uniform PDF workflow for your end-users leveraging Adobe’s cloud-based APIs. We’ll cover how you can programmatically generate PDFs from data using PDF Services API or our new Document Generation API. Then we will demonstrate how to render the output on a webpage using PDF Embed API.
Building Idiomatic API Client Libraries across multiple languages is hard. Maintaining them is doubly hard. Learn how we programmatically generate API client libraries from OpenAPI Specification files to optimize our time & value for API users.
Wednesday, October 27, 2021
More and more companies today are faced with the unique challenges of how to authenticate and authorize their APIs. This is so common that Broken Access Control has now taken the number one spot on the OWASP Top 10.
In this session, we will go over the best practices for authenticating and authorizing your APIs, from the design phase to the real-time implementation phase. We will handle the authentication, authorization, access control and multi-tenancy aspects of API management, including real-life examples from RESTful and GraphQL based APIs.
APIs are everywhere, leading the digital transformation age. With 90% of all web traffic being via API calls, the attack surface and threat model have changed exponentially.
Agile development and rapid release cycles with iterative changes leave APIs vulnerable to attack; however, security testing of APIs has not kept up with this pace.
Security testing automation is key, integrated as part of your pipelines to put developers into the security testing driving seat, to rely less on manual testing and produce secure APIs by design.
Traditional security scanners are a blocker to this automation. They are hard to use, impossible to integrate, not developer friendly and produce too many false positives. This results in crippling human bottlenecks that stifle CI/CD, whether it's the need for security to constantly tweak scanners or the drain of manually validating vulnerabilities.
Either way, technical and security debt is compounded, resulting in insecure products hitting production. Change is needed, and fast.
In this session Oliver will cover:
1. Key features that your dev-first security tools need in order to enable developers to take ownership of security
2. How you can detect, prioritise and remediate security issues early, automated in the pipeline, for your REST, SOAP and GraphQL APIs
3. Insights into reducing the noise of false alerts to remove your manual bottlenecks to shift left
4. Steps you can take to achieve security testing automation as part of your CI/CD, to test your applications and APIs
In 2020 the worldwide annual cost of API development reached 100bn USD. As the global pandemic further accelerated the push for digital transformation, the need for connecting businesses digitally reached an all-time high. Yet we are still manually wiring our systems together. We hard-code our applications in a process that is hardly scalable and borderline reliable. The autonomous integration pattern enables applications to discover, contract, and connect automatically without worrying about maintenance. Private and public registries of business capabilities will form the backbone of the Autonomous Integration Mesh and replace word of mouth and web search. Self-navigating and self-healing API clients will reduce the need for tedious work and provide blazing-fast resilient connections. Finally, API clients will contract and purchase digital capabilities, opening the new era of all-digital sales and AI trading. This talk will explore autonomous API integration and discuss its practical implementation and its cost- and time-reduction impact on current API practices.
Over the past decade, we have witnessed a growing attempt to put security in the SDLC and to promote the "virtuous cycle." The same is true of API development. However, risk assessment campaigns still come too late in the dev cycle, and IT Security teams struggle to identify the risk earlier in cooperation with Dev teams. The OpenAPI Specification provides a set of rules and best practices to keep interoperability in the ecosystem, and OWASP's API Security Top 10 gives an overview of the risks at play. In this talk, we'll present several use cases of public APIs and their level of compliance with OAS standards, and we will suggest ways to remediate faster through a simple workflow between GRC, Security Operations, and Development Teams.
Gartner predicts that by 2025, more than 80% of organisations will identify themselves as having implemented advanced or expert-level API strategies. Surely, APIs are not just technical services or programs anymore. APIs that are conceptualised and managed end to end as a product can do wonders for the business. In this talk, Sreeram Narayan will take cues from running a successful API platform program managing over 450 Open APIs for an enterprise fintech solution, and also take a look at the key strategies that can be counted as best practices in defining, developing and scaling the next-generation API experience that can unlock digital revenue opportunities for business. You will learn how to productize the API development program across multi-dimensional and cross-functional teams, prioritisation lessons for the API roadmap, taking the right decisions on open source and API tools, API monetisation techniques, and using rich APIs as the sales enabler for your community.
It has been said that “an API is the front door to your business”. But, is an API only a front door? What other kinds of doors do you need? And, perhaps most importantly, what makes a good door?
PRO TALK (API): Who in Your Organization Is Responsible for Protecting APIs in a Modern Application Architecture?
Modern applications and systems today are built by multiple teams, in multiple environments, and with more dependencies than ever. In this increasingly complex landscape, who is responsible for making sure that every API is protected, and which team should be accountable for ensuring the entire system is protected? In this session we will explore different patterns and best practices seen across thousands of customer applications and determine how developers can best work with devops and security teams to better protect APIs and larger applications in an increasingly complex and unsafe landscape.
API development is challenging. Effective API development involves understanding API usage patterns, managing user feedback, ensuring the system can handle heavy API usage, and making difficult tradeoffs to ensure that end-users, API users, and developers supporting the system are all happy. So, how should you do it?
In this talk, I'll cover some guidelines for API development that can help rein in these challenges: writing an effective API spec, understanding what to get out of an API review, and getting feedback from early adopters through a beta testing program.
I'll also make the case that incorporating telemetry and observability tooling into the process can help you achieve more confidence in what you're building as you're building it. By capturing wide events across your entire API surface area, you can do things like correlate usage of one API with another to see if people are doing what you would want them to do, and understand who is pushing your systems to their limits without getting paged in the middle of the night about a problem in the wild.
Throughout the talk, I'll reference real-world examples of building APIs at Honeycomb. We've seen tangible benefits to utilizing observability tooling in the development process. After this talk, you should have the information you need to reap similar benefits.
Organizational efforts to adopt microservices will more easily fail because of how our understanding of what a microservice is has shifted from its original meaning. In this presentation, we will look at the current communication paradigm of microservices and how this leads us down the road to massive amounts of unnecessary operational complexity compared to proper microservices or even a monolith. We will further discuss ways to avoid these common pitfalls to improve the likelihood of success.
Modern digital ecosystems generate revenue by connecting users and data. This is where APIs play an integral role; APIs are instrumental in achieving revenue goals and the overall success of a business. They are everywhere nowadays, allowing developers to unlock new opportunities for innovation. This presentation outlines the importance of the API-first strategy that enables agile business, adds a lot of flexibility, and is a prerequisite for getting great at digital. The audience will learn about the consumer-centric approach, the consumption with an outside-in perspective, and the value of the feedback loop when designing APIs. It is meant for technical people involved in creating interfaces that empower 3rd-party developers and API evangelists.
Ping Identity is part of the Decentralized Identity Foundation, which aims to develop an open ecosystem for decentralized management of digital identities and ensure interoperability between all participants. Richard can discuss how the foundation is helping people gain control of their online identities and why an open-standards based approach to identity management is the key to better privacy, lower fraud, and a more ethical user experience.
APIs help drive efficiency and faster innovation so that organizations can support their business. Attackers also know this reality and zero in on APIs as a primary attack vector. The end result is a potential nightmare for organizations with API-driven business applications as they face the risks of data breach, privacy incidents, and more.
In this session, we review first-hand API threat research gleaned from a large financial institution. Its SaaS platform provides API services to thousands of partner banks and financial advisors, and security researchers found many alarming API vulnerabilities. Researchers were able to demonstrate exploits of these vulnerabilities, showing that anyone could:
- Read any financial records of any customer, despite lacking the proper authorization
- Delete any customer’s user accounts across the financial platform
- Tamper with authentication parameters and take over any account
- Launch an application-level denial of service attack that would render entire applications unavailable
Unfortunately, this financial institution isn’t unique. Attend this session to gain insights into API security best practices to prevent this nightmare from being yours.
A few years ago DataStax launched a new offering of Cassandra-as-a-service in the cloud named ASTRA (astra.datastax.com). You might think that starting databases from web pages would have nothing to do with APIs; well, you are wrong.
During this session we will go over the different APIs that have been designed, how and why. Most choices made will be detailed, covering broad categories such as technology, languages, interface, versioning, maintenance and billing. The tooling needed to make your product a success (SDK, CLI, Terraform...) will also be presented. No surprises: the platform leverages cloud providers' services and APIs. Come and learn why a DBaaS is just an API calling other APIs.
API Specifications are extremely useful for security teams to monitor API security/compliance conformance and make suggestions to keep your APIs secure. Many organizations however, are generating specs that security teams are unaware of and often are found by would-be attackers. In this session I will show some of the frameworks and tools utilized by attackers to find your API endpoints and enumerate endpoints that are missing standard security measures and are open for attack.
APIs are no longer a nice-to-have; they are the lifeblood of a modern organization. Whether powering integrations or building user interfaces, APIs are a part of our everyday lives. This session is about Fiserv's personal journey moving far beyond traditional APIs into the realm of microservices. We will discuss the business and technical drivers that launched our journey and will share our learnings and experiences along the way.
Coding is like gardening: it requires a good plan and good supplies, but most importantly continuous nurture and maintenance. In this talk, we will concentrate on refactorings and program transformations that help nurture good code by removing code smells and vulnerabilities. Refactoring code is second nature, primarily for modern-language developers. But why limit refactoring to making code maintainable and understandable? What if there were refactorings that go beyond behavior preservation and make code more secure, more reliable, and faster? That would require tools that rewrite code with surgical precision, such that the undesirable behavior of the code is fixed while the good-path behavior of the code remains intact. Being integrated with source code and the development process, refactorings and program transformations not only help maintain good code, but also teach developers how to write and appreciate good code.
KEYNOTE (API): Digibee -- Modern Integration Architecture: A New Approach to Unlock Organizational Agility at Scale
Today the number one challenge companies are facing is how they become more flexible to change. New market demands, disruptive technologies, fierce competition and obsessive differentiation only help to make reality worse.
Organization agility starts with small, independent teams, which organize themselves around a single, but impactful problem, delivering value to users and getting quick feedback.
As these teams deliver value and spread throughout the organization, dependencies between them start to appear, hindering agility all over again. This counterintuitive behavior means organizations need to find a solution that keeps teams independent while keeping them connected.
In this session we will discuss how a modern integration architecture makes independent teams accelerate and, at the same time, collaborate better at scale.
Polling-based APIs or the RESTful APIs were the main building blocks of traditional integration stories. But with the need to respond to events in real-time, integration architecture has shifted from being polling-based to event-driven. With the emergence of reactive event-driven architecture, the asynchronous APIs were able to hold their distinct position in modern-day integrations.
Even though event-driven APIs provide their own advantages, such as high resiliency, high responsiveness, and more, management of asynchronous APIs continues to be a challenge for organizations.
The AsyncAPI specification plays a major role in the event-driven world by providing a specification to describe and document asynchronous APIs. This session will explore the entire flow from creating an asynchronous API to exposing it as a managed API by adhering to the AsyncAPI specification.
Do you want to take your next generation application to the next level? Have you ever wondered how you can use analytics, Artificial Intelligence and automation to build a better customer experience? Come join us at this session to see how.
The acceleration of digital transformation in the past year brought on by the pandemic means more services and transactions are taking place online than ever before. While digitizing processes adds convenience and efficiency, it's not enough to remain relevant with your users. As more transactions shift online, so should the social interactions around those transactions. It's not just about adding social features. It's about embedding a social layer where social is wired into the DNA of your product. This may sound like it requires a time-consuming overhaul of your app or existing product, but it doesn't have to. Today's API ecosystem makes it surprisingly fast and easy to implement a rich social experience within your application. In this session, Shailesh Nalawadi will present how companies across several industries have improved KPIs by developing a social engagement layer with chat, voice and video APIs.
The use of GraphQL tends to expand quickly as its capabilities manifest into compelling digital experiences--and users across the organization envision how to tap into its potential. It’s important, therefore, to think proactively about reducing the attack surface area to protect both the performance of your graph and the data behind it. This session will provide prescriptive recommendations for reducing the GraphQL API attack surface area, including best practices and lessons learned based on the experiences of developers integrating GraphQL at companies of all industries and sizes.
Enterprise API environments have changed. Driven by the explosion of APIs, the federation of API programs, and the push to the cloud, companies are rethinking their entire developer tooling and infrastructure stack. APIs are the fundamental building blocks of modern software, and with the advent of digital initiatives, they are growing in prevalence throughout the enterprise. This presentation examines the evolution of the API development platform and current best practices engineered to support the explosion in APIs in a modern organization. The speaker will examine the key technologies required to build a modern API stack that is integrated across the entire software development lifecycle, enabling organizations to bring products and services to market more rapidly.
With APIs serving as the connective tissue across all applications, API Management capability is critical to achieving successful outcomes. The rise of the DevOps movement has fostered a culture of self-service supported by distributed infrastructure. What are the characteristics of distributed API Management? How do you drive innovation by accelerating API release velocity? Attend this session to find out the answers to these questions.
We deal with HTTP based APIs for many of our common interactions between services and system components. Not all services we want to communicate with use HTTP, and when confronted with a service that doesn’t use it, getting started can be intimidating. In this talk, we’ll use RabbitMQ Streams as our example service and cover all of the design and implementation considerations needed to work with a non-HTTP API.
I am a big believer in the philosophy of working backwards from the customer. Although there has been a lot of focus and impetus on working with Specifications first and Code last, my aim in this talk is to take this one step further.
I believe that one should start with the developer and their integration experience first and then work backwards from there to define the specification, finally resulting in code.
There are significant advantages to this approach, and I plan to use the talk to share how I do so in practice and how teams can build the muscle, although it initially feels unnatural to do so.
Mergers and acquisitions are one of the most important ways to grow a business, and deliver a customer benefit faster. When the acquisition strategy calls for a capability integration into a customer facing product, leveraging APIs is the key to success. But have you found yourself wondering how to reconcile customer identities from both sides? In this talk I will explore practices Intuit has been applying to resolve typical integration issues companies face while looking to fulfill the M&A deal promise.
In this new world, enterprises are acting more like startups. As enterprises seek to meet their customer’s needs, get an edge on their competitors, and help their employees achieve outstanding results, they need to re-imagine how they implement their technology. Modern App Development provides a framework to help developers build highly available, resilient, fully secure, and compliant apps. APIs are a key element of this framework that cross the boundary of traditional integration, to modern app development. In this session, we will outline the Modern App Development Framework with core requirements, design principles and architecture patterns. We will share some of our experience from our journey modernizing enterprise applications with APIs. We discuss where we are in the journey and offer some insights on the evolution of APIs.
Jonas Iggbom, Director of Sales Engineering at Curity will provide an overview of what a Hypermedia API is and how it can be used for browser-less authentication on iOS and Android. This coupled with the WebAuthn standard for passwordless authentication provides a great user experience especially on mobile devices where the browser context does not have to be invoked and for example FaceID can be used to authenticate the user. Jonas will demo an approach where both technologies work in synergy to provide the most seamless user authentication possible on mobile devices today.
OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Enables Continuous API Security
Are you struggling to keep up with the increasing volume and scale of API development? Are you finding that traditional security solutions simply cannot address all API security challenges? You're not alone! APIs have given us unprecedented integration capabilities, but they are also greatly increasing our attack surface. Trying to cope with issues by deploying tools after APIs are done and delivered is simply not going to work. Instead, we need to take a proactive approach to API security.
Isabelle explores how a continuous approach to API security can be achieved, combining design-time security measures driven by development with continuous API threat analysis, API-specific vulnerability detection and runtime policy enforcement. She proposes an approach known as security as code to establish a common language across Dev, Sec and Ops teams and demonstrates an automated workflow, from design through deployment that ensures API issues are caught and addressed as early as possible in the API lifecycle.
Large public GraphQL endpoints have all advertised a notion of GraphQL cost for years, and various GraphQL servers and open source projects have implemented GraphQL cost calculations. In 2021, an effort has begun to standardize how systems communicate GraphQL cost to each other, which has promise to dramatically ease securing these systems and thus opening up many more big public GraphQL endpoints. Join us to learn about this effort, and how it can benefit you and your GraphQL strategy.
Adoption of API-centric cloud platforms in general, and microservices in particular, introduces great engineering benefits for organizations in terms of runtime scalability, agility, autonomy and reuse, but growing API landscapes can also become increasingly difficult to manage and evolve as the number of services and teams creating them increases. API Federation, as a strategic architectural pattern, can be a key element of a company's API strategy to deal with the complexity that the adoption of APIs at scale introduces, and it provides an essential tool to manage the long-term evolution of a healthy and consistent API landscape without sacrificing the benefits of agility and autonomy that a service-oriented approach introduces. In this talk we will review API Federation from the conceptual, technical, operational and API productization points of view, clarifying some of the misconceptions about the relationship of API federation with specific technologies like GraphQL or data management concepts like canonical schemas, and drawing on our experience introducing API Federation inside Salesforce and partnering with our customers releasing API Federation as a commercial product in MuleSoft.
Application security is shifting into the development pipeline - that’s no longer up for debate.
But, as we shift where we test for vulnerabilities in the SDLC, we also need to rethink how we test. Protecting our most sensitive data requires evolving from testing that focuses on client-side web apps to automated security testing of our backing APIs.
Join StackHawk Chief Security Officer Scott Gerlach as he dives into why API security is a critical component of modernizing any AppSec program, and provides practical suggestions for attendees to start implementing API-first security testing.
APIs are central to digital transformation. Public cloud adoption and cloud-native designs capitalize on APIs as a foundational building block. Meanwhile, Gartner predicts that APIs will become the most frequently targeted attack vector by 2022.
This discussion will highlight strategies for security and risk management of the modern API ecosystem — API discovery and inventory, API cyber attack prevention, API misconfiguration detection, and continuous API vulnerability identification and testing.
We’ll share best practices for orchestration across business, technology, and security teams to empower API-centric business and technology strategies with a shared, complete picture of API risks from code to production.
If you’re working with OpenAPI, the first question you have to solve is how to get that document written. An implementor can generate a server based on a spec, generate a spec based on a server, or write a spec independent of a server. Ed’s done all three, and will share some of his findings from putting each into production.
The good news is you've built an amazing API for your customers and partners, but the bad news is that's the easy part. The hard part is getting them to actually use the API, ensuring they are successful, and creating advocates to tell others about how incredible your platform is. So how do you go about building a vibrant ecosystem of developers around your API? Where do you invest? Do you hire a Developer Relations team? A Developer Marketing team? Technical Writers? Sponsor a million events? And how do you manage budget and expectations to ensure long-term success? In this session we'll take a look at some of the most successful communities, how they've become successful, and how you too can build a vibrant developer ecosystem without breaking the bank.
Thursday, October 28, 2021
Transforming a company to being API First is not just purely technology. It consists of multiple areas - Empowerment, Platform, Culture.
OPEN TALK (API): The Real World, API Security Edition: When Best Practices Stop Being Polite and Start Being Real
API security has emerged as a top priority for protecting vital data and services. Unfortunately, many organizations are just one vulnerable API away from a privacy incident or data breach, and it’s an area where many companies lack expertise.
This “real world” episode shares six essential techniques, drawn straight from the trenches of customer deployments, to help guide your API security best practices.
Join us for a discussion of these key areas:
- API documentation, discovery, and cataloging to improve awareness of your API attack surface
- Runtime protection to prevent sensitive data exposure and protect your APIs from abuse
- API-centric security operations so you're prepared in the event of an API incident or breach
This session will also share ways to make it easier and more automatic to address the many elements of API security.
Come find out what happens…when APIs stop being vulnerable. And start getting secure.
In this talk, we will be diving into what GraphQL really is, how it's different from REST, and then cover concepts such as schema, queries, resolvers, etc. Furthermore, we will proceed to use the GitHub public GraphQL API to explore how we can retrieve information such as name, email, avatar, repositories, starred repositories, followers count, and a lot more. We'll be using Postman to explore this, and for folks who aren't familiar with the tool it will be a privilege to walk them through it. To wrap things up we'll then publish the collection we will be building, courtesy of Postman, which can be used for future learning.
Design First approaches are growing in popularity when it comes to API design. This allows all teams working with APIs to work together, using a common, human-understandable language to define the specifications of the APIs to be implemented. With all stakeholder views being represented, a Design First approach allows teams to create product-driven APIs with short feedback loops, and helps drive parallel development of applications.
In this talk, using an example of building a simple API definition, we will:
- Go through the principles of “Design First Approach”
- Examine the benefits this approach brings
- Look at an example workflow from beginning to end using Design First to build a simple application
Microservices and APIs built for digital transformation products require agile, reliable, and scalable cloud native infrastructure to truly meet customer expectations for a great "always there" user experience. Whether on prem or hosted in a public cloud, understanding and leveraging the right approach is key to success. This session takes up where the development process leaves off, tracking the standardization of containers and container orchestration for automated deployment, including current and future platform trends WSO2 and others are following.
The beauty of IoT solutions is that they can be managed from a central location and deployed all around the world. The challenge in this situation, however, is that if the devices are disconnected from the network, the only option is to send someone to the location to diagnose the problem and fix it, which can be tedious, expensive and slow.
This is not an ideal solution as the whole point of this type of deployment is that it can be deployed to remote places. Moreover you don't always have people everywhere the devices are deployed.
In these conditions, working with your cellular network provider(s) to diagnose connectivity issues can be a struggle, as their network infrastructure is often a black box. There needs to be a way to remotely diagnose a network issue or take preemptive action to avoid failures.
In this talk, I will take you through ways of using meta-data from the cloud-native core network of EMnify to troubleshoot network issues using the EMnify API.
Attendees will walk away with the following knowledge:
- How to get more out of the SIM card and connection used in your IoT device
- What the possible reasons are for your IoT device to go offline
- What kind of meta-data you can get from the core of a cellular network infrastructure
- How to troubleshoot your offline devices
- How to use this network meta-data to build comprehensive dashboards to keep an eye on all your devices
- How else network meta-data can help you with daily operations in managing your IoT solution
The target attendee would be developers, product managers, operations people, CTO etc. who work in the IoT industry and use cellular communication for their IoT devices.
This session talks about building highly available and scalable APIs. It covers things to consider when building such APIs, such as throughput, throttling, API versioning, Active-Active setup, idempotent request handling, different scaling options, etc.
A modern technology strategy begins with the creation of a base architecture that enables any project and ensures FLEXIBILITY for the organization. A modern integration architecture is precisely this ENABLING INFRASTRUCTURE.
Using the appropriate stack for this challenge is essential for technology teams to be able to meet the growing demands from the business. Professionals who work with systems integration will no longer have obstacles that hinder projects, finding in this new model a true lever for the creation of new products and services.
In this session, we will explain in practice how to implement a modern integration architecture that enables the unlocking of projects, the connection between ecosystems and the acceleration of teams. We will show how the use of sophisticated technology can be abstracted away by a low code platform, bringing quality and control to data flows, as well as standardizing access to multiple endpoints spread across hybrid environments. It's an opportunity to learn how to create this enabling base layer for the agile delivery of new products and services.
Developer experience (DX) is similar to how you see and understand user experience (UX), but the difference is that DX focuses strictly on developers who consume certain API services, SDKs, or other services owned by a company or an organization. This talk will explore why developer experience matters in every company providing a technical service, what makes a great developer experience team, and the relationship between building a great developer experience flow in a company and the public. The attendees will learn how Developer Experience increases product usage and how users can become advocates themselves for a product that has a great user-centric experience. Lastly, attendees will learn what the role of someone who creates a smooth and easy Developer Experience (DX) at a company involves, what that person does, and the skills required to attract a similar role to you.
Key Takeaways:
- Attendees will understand how documenting an API properly over GitHub could improve the developer’s experience.
- Attendees will understand best practices in designing APIs for a great developer experience.
- Attendees will understand how commit messages should be written, committed and pushed.
- Attendees will understand how developers who want to use a certain service can have a bad experience because of bad documentation and product flow.
- Attendees will understand how a successful platform makes a developer automatically successful.
- Attendees will understand how to measure users’ productivity while using their tools.
Functional and performance tests of API infrastructures offer little value if they cannot produce detailed error reporting and highly usable feedback loops plus detailed reporting, especially in agile and CI/CD pipelines. Too many developers rely on tests that give them (and security teams) a “false sense of security,” resulting in low developer confidence when releases are rushed to market.
Many developers fear that more robust testing becomes a bottleneck that delays releases. Additionally, multiple teams throughout an organization may be using different toolchains with different development languages, testing tools, and QA processes. There’s no way for managers to gain centralized visibility into all of the local and pipeline testing happening (or not happening) across the entire organization. Siloed processes also raise the risk of human error as a build, for instance, passes a test designed for the goals of one team, but may not support the goals of other teams.
In this API World 2021 session, Sangit Patel, Solutions Engineer at Sauce Labs, will explain how to drive developer confidence at any speed with improved API design and more productive and usable API testing and monitoring.
Top five points covered will include:
1. Make it fast and easy to write or generate API contract tests and E2E functional tests from spec files or recorded API traffic.
2. Make it fast and easy to reuse the functional tests as end-to-end tests, which may then be reused as E2E functional load/performance tests.
3. Reuse the holistic E2E functional performance tests as API monitors that can run continuously with or without a CI/CD in any environment, providing accurate and highly usable feedback throughout rapid iteration and changes to code and databases.
4. Simplify refactoring to automate test maintenance and maintain the reliability of API monitors that provide far more coverage and more usable diagnostics (via detailed reporting and dashboards) than synthetic infrastructure monitors or traditional API monitors.
5. Execute and manage API testing from a cloud platform that offers the scalability, flexibility, and interoperability to support centralized API testing and monitoring across all of the toolchains that distributed teams (or individuals) may prefer using - and plan and execute tests that satisfy all goals across all teams.
Time to market and ability to change rapidly while retaining high quality is a key business driver today. Let's talk about how API developers can automate creation of tests for their APIs, with no code required, and how they can leverage AI to improve code coverage and quality faster than ever before.
Standing up an API on the internet is straightforward – many tools and services exist to bring up a functional endpoint. The picture gets more complicated, however, as scope inevitably begins to creep. Sooner or later, every service provider has to consider requirements such as routing requests to multiple backend services, rate-limiting to protect the service from badly-behaved API clients, and consolidating cross-cutting functions such as authentication. Not only that, but, as clients adopt its API, and usage increases, the service provider must avoid becoming a victim of its own success, and collapsing under the load. In building a cloud platform to host and administer services such as Citrix Workspace and Citrix Virtual Apps & Desktops, the Citrix Developer Ecosystem team implemented an API Gateway, providing third-party developers with a secure, uniform interface to a range of backend services. In this session, Director of Developer Evangelism Pat Patterson will share the lessons that the Developer Ecosystem team learned as it built the API Gateway. Pat will explain how the team selected tools for the gateway, created an authentication service to provide a consistent experience to API consumers, and worked with product teams inside Citrix to onboard their services.
Apache Cassandra™ is an incredibly powerful, scalable and distributed open source database. Companies with extremely high traffic use it to provide their users with consistent uptime, blazing speed, and a solid framework. However, many developers find Cassandra to be challenging because the configuration can be complex and learning a new query language (CQL) is something they just don't have time to do.
Stargate is an open source project which sits on top of Cassandra and provides HTTP interfaces to your data - it provides a REST API, a GraphQL API, and a Document API (schema less, similar to MongoDB). You can install it on top of your own Cassandra instance and participate in the community.
Don't just take my word for it, you can get a free Cassandra instance in the cloud from DataStax. The Astra databases do all the configuration for you up front - they're serverless so they scale as your database needs, and you only pay for the traffic you actually use.
With Astra DB, you can set up proof of concepts and create applications to explore whether Cassandra/Stargate is a system that will work for you. In this session Kirsten will demonstrate a TikTok clone which uses React and Netlify to provide a completely serverless application in the cloud.
In a world with countless software and systems that need to be connected, the management of integrations becomes necessary and, at the same time, a great challenge for companies. Therefore, it is necessary to measure how good integration management can improve and optimize productivity, accelerate your digital transformation and enable the creation of new digital solutions for the company.
In this lecture, you will see some examples of integration problems, effective ways to solve these integration issues, and some frequently asked business questions. Finally, we will discuss a practical framework demonstrating the value of such a solution to the bottom line of the business, sharing some use cases with an integration platform.
APIs are the fundamental tenets of the Internet. They enable integrations between different services, and they power the servers that bring our applications to life. API integrations lie at the core of our API-driven world, and delivering successful API integrations is fundamental to sustaining it. However, more often than not, API integrations tend to fail due to ineffective development workflows. In this presentation, I want to present various API development workflows that have helped me and my clients deliver successful API integrations. I’ll show how documentation-driven development, using mock servers, robust API testing frameworks, and API visibility tools can help to significantly reduce the chances of API integration failure and to keep errors under control.
With APIs taking center stage in organizations of all sizes, testing them is becoming more imperative. The central role they play also means API testing offers great advantages in bolstering software quality. APIs, being contractual and fixed in nature, also afford an opportunity to create stable and easy-to-maintain tests. For all these reasons, API testing should be top of mind for every modern software team. But how do you instill the best practices in API testing to ensure seamless interaction between the applications dependent on them? To run API tests successfully, it is recommended to adhere to the same best practices that you would uphold for any software development. This talk will explore the best practices for API testing to enable users to create and manage comprehensive API tests from development through deployment.
In this talk, Travis Spencer, CEO at Curity, will explain what a hypermedia API is and how it can be applied to the problem of login. He will explain how hypermedia is an architectural pattern that lends itself to exposing the state machine that a user transitions through when authenticating. Travis will also show how such an API allows seamless, browser-less integration of authentication into mobile and single-page applications. The demonstration that he performs will show these concepts in a real-world scenario. He will discuss the security challenges involved in creating such an API, and leave the audience with resources, websites, and open-source examples where they can go to learn more.
The “API First” mantra is great for business innovation, but the end result can often be a wild jungle of APIs that leaves your security team scrambling to ensure adequate API controls are in place to safeguard the business. In this session, we’ll cover a practical strategy to help implement API security across the organization from development through run-time and threat remediation. You’ll see a demonstration of the tools and techniques that, when used with the right methodology, can help your team tame the API jungle.
API gateway technology has evolved a lot in the past decade, capturing use cases in what the industry calls "full lifecycle API management." API gateways allowed developers to expose and consume APIs, secure them, and govern API traffic. Today, however, they provide a series of functionalities to support the complete development cycle, including creating, testing, documentation, monitoring, event monetization, and overall exposure of our APIs. Another pattern emerged from the industry around 2017: Service Mesh! Service Mesh is an infrastructure layer for microservices communication. It abstracts the underlying network details and provides discovery, routing, and a variety of other functionality. Many have attempted to describe the differences between gateways and service meshes. This talk will discuss the similarities and differences between the communication layer provided by gateways and service mesh. I want to illustrate the differences between API gateways and service mesh — and most importantly when to use one or the other, pragmatically and objectively.
In this talk, we will understand how you can take your API (based on the OpenAPI Specification) and generate really good-looking and useful documentation including code samples. We will also look at open source tools to generate SDKs for various programming languages. This process can not only save you days of manual work, but it can also be automated so that when your API changes, everything can be updated quickly, thus providing a high-quality Developer Experience.
OPEN TALK (API): 10 Keys for Turning APIs into a Job Promotion: Translating API Knowledge into Business Value
APIs are everywhere. Some of us build them, a lot of us manage them, and all of us consume them. But not everyone knows how to communicate the value of APIs between the technical and business worlds. How do I integrate my APIs? Do I need API Management? How do I use Microservices? It is critical for organizations to understand the API economy as they move to become more profitable and competitive in this age of digital transformation. But very few technical people can effectively translate their API knowledge and vision into business value. The goal of this talk is to provide you with the 10 essential concepts that will equip you to become the API Champion that your organization needs to gain that competitive edge using a solid strategy and proven best practices.
According to Gartner, APIs account for the majority of Public/web/mobile application attack surface. Most exploited vulnerabilities no longer come from web server misconfiguration or SQL injections or browser hacks, instead the majority of widely exploited vulnerabilities now come from application logic, access controls, and other non-conventional flaws. This session will go over the top vulnerabilities in APIs and build an automated & continuous API security testing strategy. The Shift-Left strategy will deliver secure and faster releases while significantly reducing manual and penetration testing security costs.
It’s not enough to just have an open API platform that enables other technology companies to integrate. How do you make it attractive enough for them to stay engaged and keep doing cool stuff, to build the things that haven't even been thought of yet? We want to go even deeper on this idea of making it easy: how we can build the hard things so developers don’t have to.
Foursquare presents the Product Manager's Extra Credit guide to building an A++ Enterprise API. Building an exceptional enterprise API is no easy feat. Earlier this year, Foursquare launched the new Places Enterprise API, built from the foundation of our renowned Developer API. In this session, we'll take you through every step of the process to create a delivery method that can meet enterprise standards and upgrade the developer experience - from understanding your customer's UX criteria and auditing the performance and security of your API infrastructure, to best SLA practices and everything in between.
When you try to improve the experience of using your API you might consider a command line interface. CLIs allow developers to explore the API, automate API usage, and, most importantly, never leave the keyboard. If you have an OpenAPI spec you can even generate a CLI automatically. But replicating the API for the command line is only the baseline; CLIs have so much more potential. In this talk we'll discuss how Twilio built a CLI for our API and the opportunities it gave us to improve the developer experience of working with the API. With the Twilio CLI we enhanced API endpoints with extra features, helped to demystify webhooks, and let the community create their own plugins to supercharge their experience. When done right, an API and a CLI are worth more than the sum of their parts.
We, as developers and engineers, love to build new things - it is in our DNA. But as CTOs, engineering leads and product managers, we need to take one step back and look over our strategy. The challenge we often face is that the business side expects us to deliver the best product with the least time without compromising the quality. How can this be done with limited resources and short timeframes?
Whenever planning a new application or improving an existing one, we should constantly evaluate whether to develop the next feature in-house or pick an off-the-shelf solution. I believe that one should only build the things that are the core function of their business and add direct value to IP and customers.
Let's dig into the benefits and challenges of using third party APIs to speed up the product development process.
Many technical talks like to tell you the best practices to help you learn a topic. However, instead we'll approach this topic using some humor, sarcasm, and real world examples to demonstrate the worst way to do things. You'll learn why these practices are a problem especially for consumers of payment APIs so you can spot anti-patterns whether you are building your own API or choosing a partner that has an API you need to consume.