API World -- PRO Stage 2
Tuesday, October 26, 2021
APIs are much more than technology. It becomes increasingly apparent that by only focusing on their technology aspects, you're missing out on the biggest opportunities that APIs create for your organization and your business. In our work with large organizations we have realized that one essential aspect of realizing the value proposition of APIs is to API-enable all of the organization. This is particularly important for product managers, who need to start thinking about every single product of an organization as a digital building block. We present our way of how we make sure that "Thinking the API Way" becomes the default for everybody in the line of business. Because in the end, the value of APIs critically depends on how much of an organization's business and value chains are exposed using APIs. Only then does it become possible to benefit from the loose coupling and the increased velocity that APIs can deliver.
You’ve got thousands of automated tests running, multiple test and coverage reports and logs – but you can’t see the forest for the trees. The problem is you don’t know: Is it safe to release? With refined, specific metrics, you can define reports (or a dashboard) that tell you the real quality of the product. You can then decide what to do about it. This is a case-study of building a quality dashboard with metrics and reports that matter for an application with hundreds of APIs, and multiple front-ends. Some features were better covered than others, but what that coverage meant was vague. The dashboard was built, collecting information from multiple sources – test reports and coverage reports from Jenkins, custom logs that were farmed for information, SonarQube and more. We then added some “brains” to show the analyzed metrics, in terms of covered and uncovered test cases, test quality and more. We then presented a confidence level calculated from the metrics. The effort was done by developers, quality advisors, dev-ops people and others. This session is about this project. The dashboard helps managers see what features are ready, where the gaps are, and gives feedback to the developers on how well their tests are working for them. With this session you may be inspired to build quality reports that tell you how well your team is doing.
If we had to define the most significant benefit Kubernetes provides, that would not be the ability to run containers, fault-tolerance, or immutability. The main benefit is its API. It is well defined, versatile, and extensible. It might be the main culprit behind the "explosion" of the ecosystem created around Kubernetes. Can we take Kubernetes API to the next level? Can we use it to manage not only the workloads running inside Kubernetes clusters but for everything else? Wouldn't it be beneficial if we had a **single API** and a **universal control plane** responsible for managing applications, infrastructure, services, and everything else, no matter whether we are in the public cloud or on-prem? In this hands-on session, we'll explore the principles behind the **universal control plane** implemented through the open-source project **Crossplane**.
Digital transformation and application modernization are exponentially driving up the use of APIs. We’re using more APIs than ever, and they’re more functional than ever. They’re also more attractive to hackers than ever, but lots of organizations are hanging onto old ways of thinking about API security.
Join our lively discussion on the top five common industry myths surrounding API security. You’ll learn the pitfalls of some misguided API security approaches, cut through the hype around a few security trends, and get recommendations on how to improve your organization’s API security strategy.
- The impact trends such as zero trust, cloud migration, containerization, and shift-left are having on API security
- The role of traditional security controls in API security – what they deliver and where they fall short
- The value of a full lifecycle approach in grappling with API security
- How to deploy dedicated API security that fits today’s automated, agile, and cloud-first environments
We recently built an in-house ledger in KOHO to reduce our dependence on a third-party payment processor. This change resulted in the addition of a few high traffic endpoints to our system which touch payment operations, the core functionality of our product. As a result, we expect these endpoints to be always available, fast, secure and reliable. To make sure everything is battle-tested and ready for tens of millions of requests from thousands of customers every day, we have rigorously stress-tested these endpoints. This talk will focus on describing how to successfully run a stress test on your API. We will start with a brief overview of stress testing, some well-known available tools and different types of performance testing techniques. Then, we will explore how to find the root cause of your performance problem. Stress tests are helpful when the test traffic is as identical as possible to the load in the production environment. So, we will also talk about how to gather usage data from your API. We will continue the talk by sharing our decision process of choosing a stress testing tool for our Go API and how to interpret the reporting of these tools. We will finish the workshop by giving you a set of practical steps to utilize stress testing for performance improvement of your projects.
Document digitization is needed now more than ever to help us modernize from paper and manual workflows. In this session, you’ll learn how to develop a uniform PDF workflow for your end-users leveraging Adobe’s cloud-based APIs. We’ll cover how you can programmatically generate PDFs from data using PDF Services API or our new Document Generation API. Then we will demonstrate how to render the output on a webpage using PDF Embed API.
Wednesday, October 27, 2021
Gartner predicts that by 2025, more than 80% of organisations will identify themselves as having implemented advanced or expert level API strategies. Surely, APIs are not just technical services or programs anymore. APIs that are conceptualised and managed end to end as a product can do wonders for the business. In this talk, Sreeram Narayan will take cues from running a successful API platform program for managing over 450+ Open APIs for an enterprise fintech solution and also take a look at the key strategies that can be counted as best practices in defining, developing and scaling the next generation API experience that can unlock digital revenue opportunities for business. You will learn about how to productize the API development program across multi-dimensional and cross-functional teams, prioritisation lessons for API roadmap, taking the right decisions on open source and API tools, API monetisation techniques and using rich APIs as the sales enabler for your community.
APIs help drive efficiency and faster innovation so that organizations can support their business. Attackers also know this reality and zone in on APIs as a primary attack vector. The end result is a potential nightmare for organizations with API-driven business applications as they face the risks of data breach, privacy incident, and more.
In this session, we review first-hand API threat research gleaned from a large financial institution. Its SaaS platform provides API services to thousands of partner banks and financial advisors, and security researchers found many alarming API vulnerabilities. Researchers were able to demonstrate exploits of these vulnerabilities, showing that anyone could:
- Read any financial records of any customer, despite lacking the proper authorization
- Delete any customer’s user accounts across the financial platform
- Tamper with authentication parameters and take over any account
- Launch an application-level denial of service attack that would render entire applications unavailable
Unfortunately, this financial institution isn’t unique. Attend this session to gain insights into API security best practices to prevent this nightmare from being yours.
Many eSignature technologies have seen rapid, steady growth for the same reason: digitizing approval workflows creates so much value for the parties involved. But what if there was a way to build even more trust and value with customers into this process? By leveraging the blockchain, it’s possible to facilitate digital agreements with significantly deeper levels of security and transparency. In this session, we’ll explore the topic of writing digital agreements to the blockchain and demo a working proof of concept that writes to the Polygon PoS (Proof of Stake) chain using open source tooling. We’ll have some time for questions at the end.
Polling-based APIs or the RESTful APIs were the main building blocks of traditional integration stories. But with the need to respond to events in real-time, integration architecture has shifted from being polling-based to event-driven. With the emergence of reactive event-driven architecture, the asynchronous APIs were able to hold their distinct position in modern-day integrations.
Even though event-driven APIs provide their own advantages such as high resiliency, high responsiveness, and more, management of asynchronous APIs continues to be a challenge for organizations.
The Async API specification plays a major role in the event-driven world by providing a specification to describe and document the asynchronous APIs. This session will explore the entire flow from creating an asynchronous API to exposing it as a managed API by adhering to the Async API specification.
We deal with HTTP based APIs for many of our common interactions between services and system components. Not all services we want to communicate with use HTTP, and when confronted with a service that doesn’t use it, getting started can be intimidating. In this talk, we’ll use RabbitMQ Streams as our example service and cover all of the design and implementation considerations needed to work with a non-HTTP API.
Jonas Iggbom, Director of Sales Engineering at Curity, will provide an overview of what a Hypermedia API is and how it can be used for browser-less authentication on iOS and Android. This, coupled with the WebAuthn standard for passwordless authentication, provides a great user experience, especially on mobile devices where the browser context does not have to be invoked and, for example, FaceID can be used to authenticate the user. Jonas will demo an approach where both technologies work in synergy to provide the most seamless user authentication possible on mobile devices today.
Edge computing enables you to run your application code as close to the customer as possible, reducing latency and improving the user experience. As your compute moves closer to the edge, what data options deliver the same performance, regardless of where your users are located?
In this session, you learn how to integrate Fauna with edge computing providers to provide a responsive, strongly consistent API. You learn how to build, test, and deploy a basic REST API that includes both authenticated and anonymous routes. Finally, you learn how Fauna delivers low-latency performance to the edge while still integrating seamlessly with your existing, centralized computing resources.
Thursday, October 28, 2021
Today, data is being generated from devices and containers living at the edge of networks, clouds and data centers. We need to run business logic, analytics and deep learning at the edge before we start our real-time streaming flows. Fortunately, using the all-Apache FLiP stack we can do this with ease! Streaming AI Powered Analytics From the Edge to the Data Center is now a simple use case. With MiNiFi we can ingest the data, do data checks, cleansing, run machine learning and deep learning models and route our data in real-time to Apache NiFi and/or Apache Pulsar for further transformations and processing. Apache Flink will provide our advanced streaming capabilities fed real-time via Apache Pulsar topics. Apache MXNet models will run both at the edge and in our data centers via Apache NiFi and MiNiFi.
After years of fintech companies site-scraping bank websites, we’re finally seeing APIs. Plaid now lets you go to Chase bank directly, log in, and get secure, reliable, API access. And as those much needed APIs came, the industry now has several “decacorns” and a longer list of unicorns. Fintech APIs came later than others, but experienced a growth spurt shocking even to the tech industry. And while we’ve seen well-designed APIs that adopted good standards already present, differences and inconsistencies between Fintech APIs show that these APIs aren’t at the quality they could be. Fintech API businesses are debating internally what standards and designs work best - formats, user representations, etc - all the while, ensuring security and privacy in APIs where stakes are higher. We’ll highlight differences among successful APIs in the space to identify the open questions that lead to more solid standards for the Fintech space.
Event-driven architectures are not new - but the way they are used, documented, and specified has matured significantly in the past few years. The drivers behind the EDA Revolution are varied: the explosion of microservices, the advent of 'real-time' interaction models, and the creation of tooling and specifications to design, document, govern, implement, test, and monitor event-driven systems. What can we learn from our journey with RESTful APIs about the future of event-driven architecture in our organizations? What role do asynchronous services play in delivering value in our organizations?
Standing up an API on the internet is straightforward – many tools and services exist to bring up a functional endpoint. The picture gets more complicated, however, as scope inevitably begins to creep. Sooner or later, every service provider has to consider requirements such as routing requests to multiple backend services, rate-limiting to protect the service from badly-behaved API clients, and consolidating cross-cutting functions such as authentication. Not only that, but, as clients adopt its API, and usage increases, the service provider must avoid becoming a victim of its own success, and collapsing under the load. In building a cloud platform to host and administer services such as Citrix Workspace and Citrix Virtual Apps & Desktops, the Citrix Developer Ecosystem team implemented an API Gateway, providing third-party developers with a secure, uniform interface to a range of backend services. In this session, Director of Developer Evangelism Pat Patterson will share the lessons that the Developer Ecosystem team learned as it built the API Gateway. Pat will explain how the team selected tools for the gateway, created an authentication service to provide a consistent experience to API consumers, and worked with product teams inside Citrix to onboard their services.
tl;dr - Simplify API development by generating your OpenAPI specs that automatically follow your API Design Guide. Produce 100x more consistent and conforming APIs with 1/10th the work ... for every development team. Ok, ok. So your company has decided to standardize on OpenAPI with a contract-first approach. Awesome. But job done? Hardly. Does your company already have an API Design Guide to ensure your developers produce uniform APIs that your customers will love? If so, that's a great next step. OpenAPI can be used to implement pretty much any HTTP-based API design. But this leaves the unpleasant task of translating from the API Design Guide to a conforming OpenAPI spec to your developers. Newer alternatives to REST APIs such as GraphQL and gRPC benefit significantly from removing a lot of this design and development friction from developers. They hide the infra plumbing and expose tooling at an abstraction level that developers care about. In this talk, we'll describe how we've bridged this gap for REST APIs at Confluent. Rather than asking overworked developers to read and internalize the myriad details from our (quite lengthy) API Design Guide, we created an internal DSL and CLI tool to generate OpenAPI specs that follow our API Design Guide. Even better than API linting, OpenAPI generation results in the most consistent API designs. In turn, this simplifies API adoption and expansion for our customers, while reducing the workload for our overburdened engineers. Win-win!