Wednesday, October 27, 2021
APIs are everywhere, leading the digital transformation age. With 90% of all web traffic being via API calls, the attack surface and threat model have changed exponentially.
Agile development and rapid release cycles with iterative changes leave APIs vulnerable to attack; however, security testing of APIs has not kept up with this pace.
Security testing automation is key, integrated as part of your pipelines to put developers into the security testing driving seat, to rely less on manual testing and produce secure APIs by design.
Traditional security scanners are a blocker to this automation. They are hard to use, impossible to integrate, not developer friendly and produce too many false positives. This results in crippling human bottlenecks that stifle CI/CD, whether it's the need for security to constantly tweak scanners or the drain of manually validating vulnerabilities.
Either way, technical and security debt is compounded, resulting in insecure product hitting production. Change is needed, and fast.
In this session Oliver will cover:
1. Key features that your dev-first security tools need to enable developers to take ownership of security
2. How you can detect, prioritise and remediate security issues early, automated in the pipeline, for your REST, SOAP and GraphQL APIs
3. Insights into reducing the noise of false alerts to remove your manual bottlenecks to shift left
4. Steps you can take to achieve security testing automation as part of your CI/CD, to test your applications and APIs
Organizational efforts to adopt microservices will more easily fail because of how our understanding of what a microservice is has shifted from its original meaning. In this presentation, we will look at the current communication paradigm of microservices and how this leads us down the road to massive amounts of unnecessary operational complexity compared to proper microservices or even a monolith. We will further discuss ways to avoid these common pitfalls to improve the likelihood of success.
A few years ago DataStax launched a new offering of Cassandra-as-a-service in the cloud named ASTRA (astra.datastax.com). You might think that starting databases from web pages would have nothing to do with APIs; well, you are wrong.
During this session we will go over the different APIs that have been designed, how and why. Most choices made will be detailed, covering wide categories such as technology, languages, interface, versioning, maintenance or billing. The tooling needed to make your product a success (SDK, CLI, Terraform...) will also be presented. No surprises: the platform leverages cloud providers' services and APIs. Come and learn why a DBaaS is just an API calling other APIs.
Do you want to take your next generation application to the next level? Have you ever wondered how you can use analytics, Artificial Intelligence and automation to build a better customer experience? Come join us at this session to see how.
In today's world of APIs, microservices, and cloud-native applications there's a common denominator: open-source software. Enterprises all over the world are not only moving to containerized or cloud-native applications, they are adopting the latest open-source innovations, from DevOps tools and container orchestration to the deployment of AI applications in production environments.
In this session, Perforce Chief Evangelist Javier Perez will examine the state of APIs, cloud-native applications, and open-source software in the context of today's application development and how enterprises can define strategies putting all the new trends together.
In this talk, attendees will learn:
• What open source technologies are driving application development and API strategies
• What does it mean to develop a cloud-native application
• What API integration strategies are being used with cloud-native and AI applications
• AI, ML, and DL in the context of API strategies
• Trends and future of software development
OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Enables Continuous API Security
Are you struggling to keep up with the increasing volume and scale of API development? Are you finding that traditional security solutions simply cannot address all API security challenges? You’re not alone! APIs have given us unprecedented integration capabilities, but are also greatly increasing our attack surface. Trying to cope with issues by deploying tools after APIs are done and delivered is simply not going to work. Instead we need to take a proactive approach to API security.
Isabelle explores how a continuous approach to API security can be achieved, combining design-time security measures driven by development with continuous API threat analysis, API-specific vulnerability detection and runtime policy enforcement. She proposes an approach known as security as code to establish a common language across Dev, Sec and Ops teams and demonstrates an automated workflow, from design through deployment that ensures API issues are caught and addressed as early as possible in the API lifecycle.
Large public GraphQL endpoints have all advertised a notion of GraphQL cost for years, and various GraphQL servers and open source projects have implemented GraphQL cost calculations. In 2021, an effort began to standardize how systems communicate GraphQL cost to each other, which promises to dramatically ease securing these systems and thus open up many more big public GraphQL endpoints. Join us to learn about this effort, and how it can benefit you and your GraphQL strategy.
OPEN TALK (API): Conversation Intelligence: Enabling Conversation Driven AI Is as Easy as Hitting a Few Endpoints
Conversation Intelligence (CI) enables developers to take their applications beyond basic speech recognition, and build more intelligent speech and conversation-driven functionalities and product experiences. Applications, enabled by CI, are not only able to understand the spoken words, but are capable of comprehending the context of entire conversations.
CI is a rapidly growing sector of AI, and has given rise to a new generation of AI-driven products such as Gong, Outreach, RingDNA, and more. Applications, driven by CI, are able to monitor, extract, and analyze contextual insights and conversation intelligence in real-time to automate workflows, increase revenue, elevate productivity, and provide more pleasant and innovative customer experiences.
Building and extending applications with CI-enabled functionalities and experiences no longer requires developers to have any working knowledge of building or training their own machine learning models, thanks to conversation intelligence API providers like AWS, Google, Symbl.ai and a wide array of others. Hitting a few endpoints is all it takes to enable CI-driven experiences.
In this session, we will cover the key categories of conversation intelligence products and APIs that enable developers to easily build and deploy intelligent speech-to-text functionality, extract contextual insights, generate domain-specific insights and intelligence, and access advanced conversation analytics. We will discuss the difference between domain-specific and domain-agnostic CI. We will also take a look at some real-life examples of how CI is being leveraged in everyday applications across sales tools, webinar platforms, accessibility, compliance, and more.
Thursday, October 28, 2021
OPEN TALK (AI): Making the World Smaller with NLP: Using AI to Link Data and Make it Easier for Machines (and Humans) to Understand
Linked Data and the Semantic Web have come a long way in helping to achieve a world that is more understandable to computers, but unstructured data can still be especially challenging when trying to extract concepts and metadata into standardized concepts. In this presentation, you will learn about the background of Linked Data (JSON-LD in particular) and how natural language processing can be used to help take advantage of this increasingly important effort. From more easily enhancing the SEO of a website, to making your application more interoperable, natural language processing can make your projects better understood by humans and machines alike.
The beauty of IoT solutions is that they can be managed from a central location and deployed all around the world. The challenge, however, is that if the devices are disconnected from the network, the only option is to send someone to the location to diagnose and fix the problem, which can be tedious, expensive and slow.
This is not an ideal solution, as the whole point of this type of deployment is that it can be deployed to remote places. Moreover, you don't always have people everywhere the devices are deployed.
In these conditions, working with your cellular network provider(s) to diagnose connectivity issues can be a struggle, as their network infrastructure is often a black box. There needs to be a way to remotely diagnose a network issue or take preemptive action to avoid failures.
In this talk, I will take you through ways of using meta-data from the cloud-native core network of EMnify to troubleshoot network issues using the EMnify API.
Attendees will walk away with the following knowledge:
• How to get more out of the SIM card and connection used in your IoT device
• What the possible reasons are for your IoT device to go offline
• What kind of meta-data you can get from the core of a cellular network infrastructure
• How to troubleshoot your offline devices
• How to use this network meta-data to build comprehensive dashboards to keep an eye on all your devices
• How else network meta-data can help you with daily operations in managing your IoT solution
The target attendee would be developers, product managers, operations people, CTO etc. who work in the IoT industry and use cellular communication for their IoT devices.
A modern technology strategy begins with the creation of a base architecture that enables any project and ensures FLEXIBILITY for the organization. A modern integration architecture is precisely this ENABLING INFRASTRUCTURE.
Using the appropriate stack for this challenge is essential for technology teams to be able to meet the growing demands from the business. Professionals who work with systems integration will no longer have obstacles that hinder projects, finding in this new model a true lever for the creation of new products and services.
In this session, we will explain in practice how to implement a modern integration architecture that enables the unlocking of projects, the connection between ecosystems and the acceleration of teams. We will show how the use of sophisticated technology can be abstracted away by a low code platform, bringing quality and control to data flows, as well as standardizing access to multiple endpoints spread across hybrid environments. It's an opportunity to learn how to create this enabling base layer for the agile delivery of new products and services.
Functional and performance tests of API infrastructures offer little value if they cannot produce detailed error reporting and highly usable feedback loops, especially in agile and CI/CD pipelines. Too many developers rely on tests that give them (and security teams) a “false sense of security,” resulting in low developer confidence when releases are rushed to market.
Many developers fear that more robust testing becomes a bottleneck that delays releases. Additionally, multiple teams throughout an organization may be using different toolchains with different development languages, testing tools, and QA processes. There’s no way for managers to gain centralized visibility into all of the local and pipeline testing happening (or not happening) across the entire organization. Siloed processes also raise the risk of human error as a build, for instance, passes a test designed for the goals of one team, but may not support the goals of other teams.
In this API World 2021 session, Sangit Patel, Solutions Engineer at Sauce Labs, will explain how to drive developer confidence at any speed with improved API design and more productive and usable API testing and monitoring.
Top five points covered will include:
1. Make it fast and easy to write or generate API contract tests and E2E functional tests from spec files or recorded API traffic.
2. Make it fast and easy to reuse the functional tests as end-to-end tests, which may then be reused as E2E functional load/performance tests.
3. Reuse the holistic E2E functional performance tests as API monitors that can run continuously with or without a CI/CD in any environment, providing accurate and highly usable feedback throughout rapid iteration and changes to code and databases.
4. Simplify refactoring to automate test maintenance and maintain the reliability of API monitors that provide far more coverage and more usable diagnostics (via detailed reporting and dashboards) than synthetic infrastructure monitors or traditional API monitors.
5. Execute and manage API testing from a cloud platform that offers the scalability, flexibility, and interoperability to support centralized API testing and monitoring across all of the toolchains that distributed teams (or individuals) may prefer using - and plan and execute tests that satisfy all goals across all teams.
Apache Cassandra™ is an incredibly powerful, scalable and distributed open source database. Companies with extremely high traffic use it to provide their users with consistent uptime, blazing speed, and a solid framework. However, many developers find Cassandra to be challenging because the configuration can be complex and learning a new query language (CQL) is something they just don't have time to do.
Stargate is an open source project which sits on top of Cassandra and provides HTTP interfaces to your data: a REST API, a GraphQL API, and a Document API (schemaless, similar to MongoDB). You can install it on top of your own Cassandra instance and participate in the community.
Don't just take my word for it: you can get a free Cassandra instance in the cloud from DataStax. The Astra databases do all the configuration for you up front; they're serverless, so they scale with your database's needs, and you only pay for the traffic you actually use.
With Astra DB, you can set up proof of concepts and create applications to explore whether Cassandra/Stargate is a system that will work for you. In this session Kirsten will demonstrate a TikTok clone which uses React and Netlify to provide a completely serverless application in the cloud.
API gateway technology has evolved a lot in the past decade, capturing use cases in what the industry calls "full lifecycle API management." API gateways originally allowed developers to expose and consume APIs, secure them, and govern API traffic. Today, however, they provide a series of functionalities to support the complete development cycle, including creation, testing, documentation, monitoring, even monetization, and overall exposure of our APIs. Another pattern emerged from the industry around 2017: Service Mesh! Service Mesh is an infrastructure layer for microservices communication. It abstracts the underlying network details and provides discovery, routing, and a variety of other functionality. Many have attempted to describe the differences between gateways and service meshes. This talk will discuss the similarities and differences between the communication layer provided by gateways and service mesh. I want to illustrate the differences between API gateways and service mesh and, most importantly, when to use one or the other, pragmatically and objectively.
According to Gartner, APIs account for the majority of the public/web/mobile application attack surface. The most exploited vulnerabilities no longer come from web server misconfiguration, SQL injection or browser hacks; instead, the majority of widely exploited vulnerabilities now come from application logic, access controls, and other non-conventional flaws. This session will go over the top vulnerabilities in APIs and build an automated and continuous API security testing strategy. The Shift-Left strategy will deliver secure and faster releases while significantly reducing manual and penetration testing security costs.
It’s not enough to just have an open API platform that enables other technology companies to integrate. How do you make it attractive enough for them to stay engaged and keep doing cool stuff, to build the things that haven't even been thought of yet? We want to go even deeper on this idea of making it easy: how we can build the hard things so developers don’t have to.
We, as developers and engineers, love to build new things; it is in our DNA. But as CTOs, engineering leads and product managers, we need to take one step back and look over our strategy. The challenge we often face is that the business side expects us to deliver the best product in the least time without compromising on quality. How can this be done with limited resources and short timeframes?
Whenever planning a new application or improving an existing one, we should constantly evaluate whether the next feature should be developed in-house or bought as an off-the-shelf solution. I believe that one should only build the things that are the core function of their business and add direct value to IP and customers.
Let's dig into the benefits and challenges of using third party APIs to speed up the product development process.