API World -- PRO Stage 1
Tuesday, October 26, 2021
One of the key functions of APIs are for enabling integration with other applications. During integration, there are many commonly occurring integration errors and issues related to data, connectivity etc. Today, the approach to resolve the issues is predominantly manual with a few parts automated. The session will present a forward-looking approach on building Self-healing APIs. Self-healing APIs is a concept where fault tolerance is built in to resolve common issues on data and connectivity. The APIs could also monitor themselves and report the need for additional infrastructure. AI and Machine Learning play a role in enabling self healing by improving the quality of the fixes and resolutions.
When defining APIs the most common considerations are from what our payload looks like, and then from a implementer perspective. However, good APIs whether they’re internal or public are far more than just a payload description and need a consumer’s perspective. In this session we look at what makes up a good API; from OWASP Top 10 implications to ISO and data definitions, to how to make it easy for your consumers, why these points are important and the implications. We’ll explore techniques to overcome of the challenges seen when producing good APIs. Whilst we all think we know how to define APIs, you’ll be surprised at the things that get overlooked or opportunities to be better.
Access to APIs is usually controlled through authentication and authorization. Authentication establishes the identity of the API client and authorization verifies if an identity can invoke an API and perform the requested actions on the desired resources. API keys, session cookies, signed tokens and client certificates are some of the mechanisms used for authentication and authorization. In this talk, we explore how the posture of the API client can be also used to determine if the API can be accessed. The geo-location of the client and the trust level of its host machine are examples of postures. Some API implementations have used the client posture as a decision point but they have been either unreliable (e.g. using the source IP address to infer the geo-location) or ad hoc solutions for specific postures that cannot be generalized to other cases.This talk examines how a posture can be part of a generic API invocation flow. We define a framework that can support any type of posture or a combination of types. The framework uses signed claims that can be challenged by the API owner. We focus on hardware-backed claims, which are much harder to spoof than software claims. We also look at how posture verification can be integrated into existing authorization frameworks like oAuth. The talk uses 3 examples of postures: geo-location, host trust level and clients running in a Trusted Execution Environment (TEE).
Every thriving API program leverages the elements from business and technology equally. Alignment of business and technology strategy, the synergy between business and technical teams, and adaptability to the changes coming from either business or technology are fundamental characteristics of such an environment. Asanka will look at four areas, federation and business models, moving to the cloud, polyglot and heterogeneous approach, and modernizing development during this talk. He will also share real-world examples based on his involvement in numerous success stories.
API security is hard. API breaches now account for the majority of application/data breaches. Most web, mobile apps lack basic API-centric firewalls and gateways to protect app/data. This session will cover what developers need to know about the top API vulnerabilities and how to build an automated & continuous API security strategy
Building Idiomatic API Client Libraries across multiple languages is hard. Maintaining them is doubly hard. Learn how we programmatically generate API client libraries from OpenAPI Specification files to optimize our time & value for API users.
Wednesday, October 27, 2021
Over the past decade, we have witnessed a growing attempt to put security in the SDLC and to promote the "virtuous cycle." It is also true with API development. However, risk assessment campaigns still come too late in the dev cycle, and IT Security teams struggle to identify the risk earlier in cooperation with Dev teams. The OpenAPI Specification provides a set of rules and best practices to keep the interoperability in the ecosystem, and OWASP's API Security Top 10 gives an overview of the risks at play. In this talk, we'll present several use-cases of public APIs and their level of compliance with OAS standards, and we will suggest ways to remediate faster through a simple workflow between GRC, Security Operations, and Development Teams.
PRO TALK (API): Who in Your Organization Is Responsible for Protecting APIs in a Modern Application Architecture?
Modern applications and systems today are built by multiple teams, in multiple environments, and with more dependencies than ever. In this increasingly complex landscape, who is responsible for making sure that every API is protected, and which team should be accountable for ensuring the entire system is protected? In this session we will explore different patterns and best practices seen across thousands of customer applications and determine how developers can best work with devops and security teams to better protect APIs and larger applications in an increasingly complex and unsafe landscape.
Modern digital ecosystems generate revenue by connecting users and data. This is where APIs play an integral role; APIs are instrumental in achieving revenue goals and the overall success of a business. They are everywhere nowadays, allowing developers to unlock new opportunities for innovation. This presentation outlines the importance of the API-first strategy that enables agile business, adds a lot of flexibility, and is a prerequisite for getting great at digital. The audience will learn about the consumer-centric approach, the consumption with an outside-in perspective, and the value of the feedback loop when designing APIs. It is meant for technical people involved in creating interfaces that empower 3rd-party developers and API evangelists.
API Specifications are extremely useful for security teams to monitor API security/compliance conformance and make suggestions to keep your APIs secure. Many organizations however, are generating specs that security teams are unaware of and often are found by would-be attackers. In this session I will show some of the frameworks and tools utilized by attackers to find your API endpoints and enumerate endpoints that are missing standard security measures and are open for attack.
Coding is like gardening; it requires good plan, good supplies, but most importantly continuous nurture and maintenance. In this talk, we will concentrate on refactorings and program transformations that help nurture good code by removing code smells and vulnerabilities. Refactoring code is a second nature primarily for modern language developers. But, why limit refactoring only to make code maintainable and understandable? What if there were refactorings that go beyond behavior preservation and make code more secure, morereliable, and run faster? That would require tools that rewrite code with surgical precision, such that the undesirable behavior of the code is fixed, while the good path behavior of the code remains intact. Being integrated with source code and development process, refactorings and program transformations not only help maintain good code, but also teach developers about how to write and appreciate good code.
The use of GraphQL tends to expand quickly as its capabilities manifest into compelling digital experiences--and users across the organization envision how to tap into its potential. It’s important, therefore, to think proactively about reducing the attack surface area to protect both the performance of your graph and the data behind it. This session will provide prescriptive recommendations for reducing the GraphQL API attack surface area, including best practices and lessons learned based on the experiences of developers integrating GraphQL at companies of all industries and sizes.
I am a big believer in the philosophy of working backwards from the customer. Although there has been a lot of focus and impetus on working with Specifications first and Code last; my aim in this talk is to take this one step further.
I believe that one should start with the developer and their integration experience first and then work backwards from there to define the specification and finally resulting in code.
There are significant advantages to this approach and I plan to use the talk to share about how do I do so in practice and how teams can build the muscle although it initially feels not natural to do so.
Mergers and acquisitions are one of the most important ways to grow a business, and deliver a customer benefit faster. When the acquisition strategy calls for a capability integration into a customer facing product, leveraging APIs is the key to success. But have you found yourself wondering how to reconcile customer identities from both sides? In this talk I will explore practices Intuit has been applying to resolve typical integration issues companies face while looking to fulfill the M&A deal promise.
Adoption of API centric cloud platforms in general and microservices, in particular, introduces great engineering benefits for organizations in terms of runtime scalability, agility, autonomy and reuse but growing API landscapes can also become increasingly difficult to manage and evolve as the number of services and teams creating them increases.API Federation, as a strategic architectural pattern, can be a key element on the API strategy of a company to deal with the complexity that the adoption of APIs at scale introduces and provide an essential tool to manage the long term evolution of a healthy and consistent API landscape without sacrificing the benefits of agility and autonomy that a service-oriented approach introduce.In this talk we will review API Federation from the conceptual, technical, operational and API productization points of view, clarifying some of the misconceptions about the relationship of API federation with specific technologies like GraphQL or data management concepts like canonical schemas, and using our experience introducing API Federation inside Salesforce and partnering with our customers releasing API Federation as a commercial product in MuleSoft.
In this session we will see how to assign a phone number to a chatbot created using Dialogflow, Google Cloud Platform, Node.Js and the Vonage API integrations. The architecture shown will allow the user to call your agent by phone with a user experience similar or equal to that possible via the web.You can use Dialogflow and Google Cloud Platform for many reasons, we can create interactions to be used within your own communities, may it be a conversational application for families, companies, sports; to help workflows for both customers and businesses. Sometimes it can be a bad thing to talk to an automated conversation, if it is not well-designed.These pieces of technology can also help you escalate the conversation to a real human, as it can help you detect when human intervention is needed by using the ability of sentiment analysis, leveraging both sides of AI and Machine Learning in one computer-human interaction platform!
The good news is you've built an amazing API for your customers and partners, but the bad news is that's the easy part. The hard part is getting them to actually use the API, ensure they are successful, and create advocates to tell others about how incredible your platform is. So how do you go about building a vibrant ecosystem of developers around your API? Where do you invest? Do you hire a Developer Relations team? A Developer Marketing team? Technical Writers? Sponsor a million events? And how do you manage budget and expectations to ensure long term success??? In this session we'll take a look at some of the most successful communities, how they've become successful, and how you too can build a vibrant developer ecosystem without breaking the bank.
Thursday, October 28, 2021
In this talk, we will be diving into what really is GRAPHQL, how it's different from REST, and then cover concepts such as schema, queries, resolvers, etc. Furthermore, we will proceed to use GitHub public graphql API to explore how we can retrieve information such as (name, email, avatar, repositories, starred repositories, followers count, and a lot more). We'll be using Postman to explore this and also for folks who aren't vast with the tool it will be a privilege to walk them through. To wrap things up we'll then proceed to publish the collection we will be building courtesy postman which will be used for future learnings
Developer experience (DX) is similar to how you see and understand user experience (UX) but the difference is DX focus is strictly on developers who consume certain API services, SDKs, or other services owned by a company or an organization.This talk will explore why developer experience matters in every company providing a technical service, what makes a great developer experience team, and the relationship between building a great developer experience flow in a company with the public.The attendees will learn how Developer Experience increases product usage and how users can become advocates themselves for a product that has a great user-centric experience.Lastly, attendees would learn the role and what someone who is into creating a smooth and easy Developer Experience (DX) at a company does and the skills required to attract a similar role to you. Key Takeaways:- Attendees will understand how documenting an API properly over GitHub could improve the developer’s experience.- Attendees will understand best practices in designing API for a great developer experience. - Attendees will understand how commit messages should be committed and pushed. - Attendees will understand how developers would want to use a certain service and can have a bad experience because of bad documentation and product flow.- Attendees will understand how a successful platform makes a developer automatically successful - Attendees will understand how to measure user’s productivity while using their tools.
APIs are the fundamental tenets of the Internet. They enable integrations between different services, and they power the servers that bring our applications to life. API integrations lay at the core of our API-driven world, and delivering successful API integrations is fundamental to sustain it. However, more often than not, API integrations tend to fail due to ineffective development workflows. In this presentation, I want to present various API development workflows that have helped me and my clients deliver successful API integrations. I’ll show how documentation-driven development, using mock servers, robust API testing frameworks, and API visibility tools can help to significantly reduce the chances of API integration failure and to keep errors under control.
With APIs taking center stage in organizations of all sizes, testing them is becoming more imperative. The central role they play also means API testing offers great advantages in bolstering software quality. APIs - being contractual and fixed in nature, also afford an opportunity to create stable and easy to maintain tests. For all these reasons - API testing should be top of mind for every modern software team. But how do you instill the best practices in API testing to ensure seamless interaction between the applications dependent on them? To run API tests successfully, it is recommended to adhere to the same best practices that you would uphold for any software development. This talk will explore the best practices for API testing to enable users to create and manage comprehensive API tests from development through deployment
In this talk, we will understand how you can take your API (based on Open API Standard Spec) and generate really good looking and useful documentation including code samples. We will also look at open source tools to generate SDK for various programming languages. This process can not only save you days of manual work but it can also be automated so when your API changes, everything can be updated quickly, thus providing high quality Developer Experience.
When you try to improve the experience for using your API you might consider a command line interface. CLIs allow developers to explore the API, automate API usage, and most importantly never leave the keyboard. If you have an OpenAPI spec you can even generate a CLI automatically. But replicating the API for the command line is the baseline, CLIs have so much more potential. In this talk we'll discuss how Twilio built a CLI for our API and the opportunities it gave us to improve the developer experience of working with the API. With the Twilio CLI we enhanced API endpoints with extra features, helped to demystify webhooks, and let the community create their own plugins to supercharge their experience. When done right, an API and a CLI are worth more than the sum of their parts.
Many technical talks like to tell you the best practices to help you learn a topic. However, instead we'll approach this topic using some humor, sarcasm, and real world examples to demonstrate the worst way to do things. You'll learn why these practices are a problem especially for consumers of payment APIs so you can spot anti-patterns whether you are building your own API or choosing a partner that has an API you need to consume.
“Blockchain for API Developers” We are not headed toward the era of Blockchain. We are in it. See in depth demos on Installing and using the Algorand API SDKs. Are you an API developer and want to learn how to build Blockchain solutions using APIs? If so, this session is for you! New to blockchain? We got you covered on that as well. We will discuss Blockchain basics and use cases for blockchain as well as getting started with Blockchain Developer tools. Blockchain’s usage has now become ubiquitous across all sectors of the economy including: Medical, Charities, Automotive, Telecom, the Food Industry, Voting, Gaming and more. Blockchain’s primary use case is to maintain the integrity of replicated data. Blockchain is considered one of the Web 3.0 technologies and we will cover how to build blockchain solutions. Algorand is a modern blockchain which creates blocks in under five seconds, with instant transaction finality. It scales to billions of users and is profiled at 1000 transactions per second. You will learn how to use the Java SDK to build Algorand blockchain solutions. Algorand Standard Asset(ASA), Atomic Transfers and Smart Contracts will be covered. In this session you will learn: How to build blockchain solutions using APIs. How-to access tools for Getting Started on Algorand development. How to access developer portal resources including, SDKs, REST APIs, Command Line Tools, Tutorials, Solutions, Getting Started, Articles and... Benefits of Algorand’s Reward and Ambassador programs. Join Russ Fustino, Algorand Developer Advocate, for this informative session on Algorand Blockchain.