OPEN Stage B
Wednesday, October 27, 2021
More and more companies are faced today with the unique challenges of how to authenticate and authorize their APIs. This is so common that Broken Access Control has now taken the #1 spot on the OWASP Top 10.
In this session, we will go over the best practices on how to authenticate and authorize your APIs, from the design phase to the implementation phase. We will handle authentication, authorization, access control and multi-tenancy aspects of API management, including real-life examples from RESTful and GraphQL based APIs.
API development is challenging. Effective API development involves understanding API usage patterns, managing user feedback, ensuring the system can handle heavy API usage, and making difficult tradeoffs to ensure that end-users, API users, and developers supporting the system are all happy. So, how should you do it?
In this talk, I'll cover some guidelines for API development that can help rein in these challenges: writing an effective API spec, understanding what to get out of an API review, and getting feedback from early adopters through a beta testing program.
I'll also make the case that incorporating telemetry and observability tooling into the process can help you achieve more confidence in what you're building as you're building it. By capturing wide events across your entire API surface area, you can do things like correlate usage of one API with another to see if people are doing what you would want them to do, and understand who is pushing your systems to their limits without getting paged in the middle of the night about a problem in the wild.
Throughout the talk, I'll reference real-world examples of building APIs at Honeycomb. We've seen tangible benefits to utilizing observability tooling in the development process. After this talk, you should have the information you need to reap similar benefits.
Applications and APIs today are expected to evolve rapidly and continuously, or to face disruption. This has driven the need for the agility enabled by Microservices. Meanwhile, mobile has driven both a dramatic increase in data volumes and levels of interaction, while also driving expectations for always-on applications and faster response times.
This talk will cover key architectural elements of cloud-native Microservices that can process at Giga-scale, where event streams or user interactions can require processing as many as one billion events per second. Distributed computing architectures for delivering this scale while also achieving 99.999% uptime will be explored, including in-memory processing and data locality, elasticity and resilience. The talk will also cover new challenges for building transactional apps in these architectures, such as service discovery, retries, load balancing, tracing the causes of failures, and transactional semantics.
The acceleration of digital transformation in the past year brought on by the pandemic means more services and transactions are taking place online than ever before. While digitizing processes adds convenience and efficiency, it’s not enough to remain relevant with your users. As more transactions shift online, so should the social interactions around those transactions. It’s not just about adding social features. It’s about embedding a social layer where social is wired into the DNA of your product. This may sound like it requires a time-consuming overhaul of your app or existing product, but it doesn’t have to. Today’s API ecosystem makes it surprisingly fast and easy to implement a rich social experience within your application. In this session, Shailesh Nalawadi will present how companies across several industries have improved KPIs by developing a social engagement layer with chat, voice and video APIs.
With APIs serving as the connective tissue across all applications, API Management capability is critical to achieving successful outcomes. The rise of the DevOps movement has fostered a culture of self-service supported by distributed infrastructure. What are the characteristics of distributed API Management? How do you drive innovation by accelerating API release velocity? Attend this session to find out the answers to these questions.
Application security is shifting into the development pipeline - that’s no longer up for debate.
But, as we shift where we test for vulnerabilities in the SDLC, we also need to rethink how we test. Protecting our most sensitive data requires evolving from testing that focuses on client-side web apps to automated security testing of our backing APIs.
Join StackHawk Chief Security Officer Scott Gerlach as he dives into why API security is a critical component of modernizing any AppSec program, and provides practical suggestions for attendees to start implementing API-first security testing.
If you’re working with OpenAPI, the first question you have to solve is how to get that document written. An implementor can generate a server based on a spec, generate a spec based on a server, or write a spec independent of a server. Ed’s done all three, and will share some of his findings from putting each into production.
Thursday, October 28, 2021
OPEN TALK (API): The Real World, API Security Edition: When Best Practices Stop Being Polite and Start Being Real
API security has emerged as a top priority for protecting vital data and services. Unfortunately, many organizations are just one vulnerable API away from a privacy incident or data breach, and it’s an area where many companies lack expertise.
This “real world” episode shares six essential techniques, drawn straight from the trenches of customer deployments, to help guide your API security best practices.
Join us for a discussion of these key areas:
- API documentation, discovery, and cataloging to improve awareness of your API attack surface
- Runtime protection to prevent sensitive data exposure and protect your APIs from abuse
- API-centric security operations so you're prepared in the event of an API incident or breach
This session will also share ways to make it easier and more automatic to address the many elements of API security.
Come find out what happens…when APIs stop being vulnerable. And start getting secure.
Design First approaches are growing in popularity when it comes to API design. They allow all teams working with the API to work together, using a common, human-understandable language to define the specifications of the APIs to be implemented. With all stakeholder views being represented, the Design First approach allows teams to create product-driven APIs with short feedback loops, and helps drive parallel development of applications.
In this talk, using an example of building a simple API definition, we will:
- Go through the principles of “Design First Approach”
- Examine the benefits this approach brings
- Look at an example workflow from beginning to end using Design First to build a simple application
In a world with countless software systems that need to be connected, the management of integrations becomes necessary and, at the same time, a great challenge for companies. Therefore, it is necessary to measure how good integration management can improve and optimize productivity, accelerate your digital transformation and enable the creation of new digital solutions for the company.
In this lecture, you will see some examples of integration problems, effective ways to solve these integration issues, and some frequently asked business questions. Finally, we will discuss a practical framework demonstrating the value of such a solution to the bottom line of the business, sharing some use cases with an integration platform.
The “API First” mantra is great for business innovation, but the end result can often be a wild jungle of APIs that leaves your security team scrambling to ensure adequate API controls are in place to safeguard the business. In this session, we’ll cover a practical strategy to help implement API security across the organization from development through run-time and threat remediation. You’ll see a demonstration of the tools and techniques that, when used with the right methodology, can help your team tame the API jungle.