The API Lifecycle

Tuesday, October 25, 2022

PRO Workshop (API): Contract Driven Development - Deploying Your Microservices Independently without Integration Testing
Hari Krishnan
Polarizer Technologies, Polyglot Full Stack Developer

Our largest hurdle in deploying a microservice was the integration testing stage. Just one incompatible API was enough to break the integration environment and block the path to production for all services.

While adopting OpenAPI helped address some of the communication gaps in API specs between teams, deviations during implementation persisted. We needed an approach that changed the way teams collaborated on API specs and also removed the need for integration testing.

To fill this need we came up with Contract Driven Development, which consists of:
1. Contract as Test - the contract (for example, OpenAPI) is translated into test scenarios run against the API implementation. Ensures that the Provider (API implementation) adheres to the Contract.
2. Smart Service Virtualisation - stub data is verified against the OpenAPI spec. Ensures the Consumer (API client) is compatible with the Provider's Contract.
3. Backward Compatibility Testing - OpenAPI vs OpenAPI (no code) to check whether versions are backward compatible. Helps teams analyse whether a change will break integration.

PRO Workshop (API): Going Real Time with Live Queries and Subscription
Rishiraj Anand
Red Hat, Senior Software Engineer

GraphQL live queries and subscriptions have a strong case when building real-time web apps. While both approaches converge on keeping the client state in sync with the server, they differ in how they are implemented and give rise to new patterns altogether. By understanding how they behave under the hood, we can decide on the best approach for our use case.

The session will focus on solving problems while designing the architecture of real-time applications. We'll talk about some common architectures developers follow while designing resilient RTA apps. When real-time use cases enter the discussion for any app, developers face certain challenges in the JavaScript ecosystem. GraphQL, which already boosts application performance and development time, can solve challenges pertaining to RTA apps out of the box. We'll discuss why listening to data changes with live queries can make more sense for GraphQL clients than listening for events with GraphQL subscriptions, compare the pros and cons of both approaches, and talk about solutions where we might need a combination of the two.

PRO Workshop (API): Autogenerate your database schema and OData endpoints using English with Pine.js
Harald Fischer
balena.io, Product builder

In this talk, we would like to introduce API developers to a sophisticated rules-driven API engine that lets you define rules in a structured subset of English.

The talk gives an introduction to the open source project Pine.js which is the core backend API in balena. The balena cloud stack serves millions of OData requests to more than half a million globally distributed IoT devices and thousands of IoT device fleet managers every day.

Pine.js lets developers define and model their business relations in a structured, human-readable text format. Using Semantics of Business Vocabulary and Business Rules (SBVR) you can easily define entities, entity quantities, rules and relationships, and Pine.js will automatically generate the underlying data definition language (DDL) and data query language (DQL) statements and execute them on a SQL database. Finally, Pine.js automatically provides all the OData API endpoints.

Pine.js uses an intermediate abstract SQL format and implements concepts to:
- automatically resolve m:n relationships into two 1:n relationships with helper tables
- parse OData requests and translate them into the abstract SQL intermediate format
- translate defined business rules and validations into the abstract SQL format
- resolve permissions into abstract SQL

All abstract SQL statements are combined into one query to the database and executed in one transaction.

PRO Workshop (API): The BFFs and BAEs of API Development
Junaid Warwani
Jetty, Director of Engineering

Building APIs that support multiple user experiences in a complex domain often means using microservices — but while microservices are great for development, they can be more challenging for your API users and for cross-platform integrations. This talk shows how we use BFFs (Backend-For-Frontend) and BAEs (Backend-Async-Events) at Jetty to alleviate this problem.

PRO Workshop (API): API Fuzz Testing Fundamentals
Alex Brewer
ForAllSecure, Technical Solutions Engineer

The goal of this 50-minute technical workshop is to explain what fuzz testing is, then run a fuzzer against a simple API server, understand and explain the benefits of API fuzz testing, and review the fuzzing results to evaluate the API fuzzing targets for security and performance.

PRO Workshop (API): Keep It 200 - Move beyond Static Docs with Self Service API Onboarding
Sagar Batchu
Speakeasy, CEO & Co-founder

In order to ship quality APIs to your customers, it is critical to have a customer-centric view of API usage. Learn how to leverage your APIs' real-world traffic to evolve your APIs with ease.

PRO Workshop (API): Automagic API Security Testing: Pre-prod Agent-Generated Tests FTW
Steve Chappell
Synopsys, SW Manager & API Security Evangelist

Most API Security tools/platforms are built for the Security teams that are told “here’s an API service already running – go secure it”. Thus, they take an outside-in approach of building a fence around a service and/or poking the service with a stick to see what outward reactions they can get. But even an ML-powered fence can’t stop everything. Shouldn’t we be improving the security inherent in our RESTful or GraphQL API service/microservices? Let's actually find and fix the flaws before the API is deployed. And before the developers reading this run screaming thinking this is another “shift [the extra work] left” talk, what we will advocate is a simply and scalably deployed agent that will do this work for us. It will automagically discover and ingest the API documentation (if it exists), create and run tests based on these docs, turn any other functional tests we already have into security tests, and output replayable exploits when they are found. “Agent-less” solutions don't have the visibility and controllability needed to realize the automagic of building a more secure API from the inside out. 

Wednesday, October 26, 2022

OPEN TALK (API): Future of Development: Developer Mindset Is Required Not Skillset
Muthu Raju
Linx LLC apiplatform.io, Founder, CEO

Abilities and skills are two different things. Most organizations today hire people based on skills, not abilities. The future of development will be only for people with developer thinking - skillsets (programming languages) will be obsolete with no-code platforms and aggregators in the marketplace.

Linx LLC is a US-based company founded in 2020. Our vision is to "Build a platform that enables technology-savvy organizations to reimagine speed, scale, and agility to improve productivity and cultivate innovation." Our mission is to "Eliminate waste in the end-to-end development process and provide everyone with a much more accessible, faster, cheaper technology platform to bring their ideas to product more quickly." Our first flagship product, apiplatform.io, is a cloud-agnostic, no-code platform that focuses on enabling organizations to build and integrate APIs at a revolutionary speed. In addition, the platform provides a fully automated and highly configurable self-service capability.

We are an early-stage but rapidly growing start-up. In our two years of operation, we conservatively had a run rate of approximately $1M per year with a trajectory to exceed that. We have expanded from two to 30 employees, from two to five international locations, covering four continents. Our customers are excited about the platform and steadily build confidence, trusting us to build their products. We have customers from a wide range of sectors, including FinTech, e-Commerce, and Edtech, with approximately 20,000 APIs being developed and about 100 developers using the platform. 

PRO TALK (API): GraphQL: Great Flexibility, New Attack Vectors
Erez Yalon
Checkmarx, VP of Security Research
Paulo Silva
Checkmarx, Ethical Hacker / Senior Security Researcher

In recent years, GraphQL adoption has increased significantly. Developed by Facebook and introduced in 2012, GraphQL came with a proposal different from REST: native flexibility for those building and calling APIs.
As we know, with great flexibility come... new attack vectors!

In this session, we'll cover GraphQL-specific security risks and attack vectors. Beyond the commonly discussed topic of introspection enabled in production, we'll present and discuss how field suggestions can be abused, what common GraphQL Cross-Site Request Forgery (CSRF) issues look like, and how attackers use batching attacks, alias and directory overloading, and query depth issues to their advantage.

We want to shed some light on GraphQL-specific issues that may hurt not only the system but also the business, leading to massive data leakage or Denial-of-Service (DoS).

OPEN TALK (API): Effective API Security: API Discovery, Runtime Protection, Security Analytics, Active Testing
Dan Gordon
Traceable, Technical Evangelist

APIs are the glue that connects all of our software systems. But our knowledge of APIs and our ability to track and secure them have not kept up with our rapid adoption of them. This API sprawl introduces significant operational and security risks, yet securing your APIs is different from everything we've been doing to secure our applications to date. WAFs don't help. API gateways aren't enough. DAST testing isn't enough. So what do we need to do differently?

In this session we will discuss why and how the approach to securing APIs needs to be different. We'll look at what you should consider throughout the software development lifecycle. And we'll share some real-world examples of organizations that have built and maintained robust API security strategies, with impressive outcomes related to reduced risk, lowered costs, and more secure API development practices.

OPEN TALK (API): Increase Developer Happiness with OpenAPI-driven Quality Engineering
Tom Peelen
Sauce Labs, Senior Solution Engineer

Most developers did not grow up dreaming of becoming professional debuggers. Nor did they dream of becoming professional gamblers who sometimes bet the house on when to mark an application ready for production. At the end of the day, most developers really want one big thing: digital confidence.

OpenAPI-driven development has emerged as the most popular way to help boost developer confidence. Instead of distributed teams trying to inefficiently collaborate on distributed systems using API documentation that may have to change often, teams can work with confidence on a single version of API truth by turning all documentation into standardized OpenAPI (OAS) specification files. Engineers can then use the OAS files to write API contract, functional, integration and load/performance tests.

But what happens to digital confidence when engineers are asked to add tens or hundreds of microservices? The OpenAPI-driven approach can still work, but it needs to scale at unprecedented levels.

New solutions such as the Python micro-frameworks Flask and FastAPI have quickly emerged to give developers an easy and highly scalable way to auto-generate OpenAPI spec files from their API code and documentation. But these new solutions tell only half the story of scaling digital confidence for microservices, CI/CD pipelines, TDD/BDD and other use cases.

Tom Peelen, Senior Solution Engineer at Sauce Labs, discusses how developers at gaming companies, large banks and financial services companies, retailers, healthcare, telecom and other organizations are handling being held accountable for releases in production. Tom shows how developers using frameworks like FastAPI to auto-generate OAS spec files are also able to almost simultaneously auto-generate API contract tests of both the consumer and provider (via mock servers) during API development. Attendees will also hear Tom describe how Performance, Reliability and API Monitoring teams are leveraging insights from OpenAPI-driven API tests (contract, functional, integration and load/performance) to optimize digital confidence in production environments. 

PRO TALK (API): Securing Large API Ecosystems
Jonas Iggbom
Curity, Director of Sales Engineering

Security is never a simple task, and the same applies to APIs. Properly securing APIs gets even more challenging when the API ecosystem grows substantially. It's naturally easier for a company to protect a few endpoints than hundreds. As the API ecosystem grows, merely starting to use OAuth may not be enough. Proper handling of OAuth tokens and use of the different features that OAuth offers is required.

PRO TALK (API): API Monitoring For better Management
Aravind Babu Ramadugu
Accenture, Mulesoft Mentor and Architect

API monitoring is a very critical part of the entire API ecosystem.
In this session, I will be covering how APIs can be monitored, how we can plan to predict issues through monitoring, and how to heal the APIs automatically.

OPEN TALK (API): API Security 101: Top API Vulnerabilities and How to Address Them
Isabelle Mauny
42Crunch, CTO

Recently, APIs have become the main attack vector for applications. APIs are so interesting to attackers because they expose valuable data and business logic to clients. Traditional security approaches fail to address these issues. In this workshop, we reveal the most common vulnerabilities found in APIs, talk about recent API breaches, uncover how to detect and subsequently remediate them, and how to put in place secure foundations that start at the design phase. By participating in this workshop, participants will:

  • Know all about the OWASP API Top10 classification and the unique nature of API vulnerabilities
  • Understand the coding or design mistakes which lead to those vulnerabilities
  • Appreciate the value of automating API Testing and "thinking like a hacker”
  • Learn practical approaches for API vulnerability remediation

PRO TALK (API): The Evolving Developer Lifecycle: Best practices for API Builders and Consumers
Iddo Gino
RapidAPI, Founder and CEO

The API industry is undergoing tremendous changes - driven by a generational shift in the technologies powering APIs and a transformation in enterprise buying patterns. While APIs have been around for a while, the way they look, work, operate and are consumed is changing rapidly. This change challenges current design patterns and developer tools and necessitates creating a more contextual approach to API development.

In his talk, Iddo examines the evolution of the API development lifecycle and the current best practices engineered to support API builders and consumers. The speaker will examine the key technologies required to build, consume, and collaborate on APIs across the entire software development lifecycle. 

OPEN TALK (API): How Businesses are Navigating the Perilous API Waters to Maximize Profit
Ann Marie Bond
Software AG, Director, Product Marketing

APIs occupy a unique spot in the technology world. They're a primary method for delivering on business initiatives – from modernization to customer experience.

However, challenges such as cloud security, API proliferation and lack of community engagement can slow progress and reduce the value of your APIs.

This interactive session will showcase real-world examples from your peers at companies building out unique and targeted solutions using APIs and microservices architectures. You’ll also discover the challenges and best practices they’ve encountered designing and building APIs, adopting cloud-native architectures and ensuring the proper level of security and governance.

**One lucky audience member will WIN A YETI COOLER ($350 value) at the end of this presentation! (To be shipped to them after API World.)

PRO TALK (API): API Security in the Age of Continuous Attacks
Rob Dickinson
Resurface, Co-founder, CTO

There are lots of API security myths that keep teams in stasis, using traditional tools to combat new problems, specifically assumptions about attackers and attack traffic. After standing up a public-facing honeypot to gather test data, we learned a few things, and what to do about the new API reality. 

PRO TALK (API): API Visibility: Securing Your Blind Spot without Losing Speed
Lebin Cheng
Netskope and CloudVector, Cofounder

The growing prevalence of APIs presents security teams with an all-too-familiar problem: deployment can outpace security processes and protections, creating a vulnerability they are left to address. With APIs emerging as the next big attack vector, this has become a critical shift-left priority. Understanding the tradeoffs between securing APIs and the cost of not taking action is the first step in gaining buy-in across the organization. From there, you can build a phased plan to introduce visibility into your APIs, determine which APIs expose sensitive data and finally build processes around how APIs are managed. This session will offer tips and tricks for securing APIs without slowing down the speed of development.

OPEN TALK (API): Identity Is Key to Secure APIs and Microservices
Jonas Iggbom
Curity, Director of Sales Engineering

“Never Trust, Always Verify” is the short phrase minted by NIST in defining Zero Trust. With that in mind, understanding the user identity is an absolute requirement and should be applied when securing all APIs, for internal use cases, in the same way as external ones. Leveraging OAuth and OpenID Connect (OIDC) in a token-based architecture aligns perfectly with achieving Zero Trust, regardless of the level of security needed.

In this talk participants will learn:
- How to leverage mTLS and certificate-bound tokens to level up API security
- Architectural patterns that keep Personally Identifiable Information (PII) out of public applications
- How Scopes and Claims are used to authorize API access 

PRO TALK (API): Solving the Never Ending Requirements of Authorization
Alex Olivier
Cerbos, Product Lead

Implementing access controls in your application can be a never-ending task as business requirements change. What begins as a simple check to see whether the user's email is from your own domain name turns into a complex web of if/else statements to determine who can do what. Coming up with a scalable, manageable and maintainable authorization process is key to meeting evolving requirements as your business scales.

This talk will cover the different areas of consideration when implementing permissions, common stages in the evolution of a company where authorization needs to fundamentally change, and an example of how to take a GitOps-based approach to scaling policy.

PRO TALK (API): Anomaly Detection Is No Longer a Security Strategy
Matt Anderson
Resurface Labs, Chief Revenue Officer

Much of security is focused on finding the outliers, the anomalies, to provide a reliable signal for security teams. Once identified, these anomalies are considered instructive and actionable. But with the proliferation of APIs and the volume of attack traffic every second, relying on outliers leads to exceptionally noisy and unproductive searches. Your anomalies are actually the valid traffic, set against a majority of attacker traffic. We'll cover how to identify API risks and threats when threat traffic outweighs valid user traffic.

OPEN TALK (API): Bring your .NET APIs to AWS
Isaac Levin
Amazon Web Services, .NET Developer Advocate

APIs are the backbone of many services we all know and love, and when it comes to hosting those APIs, AWS is a great option. When building APIs with .NET on AWS, there are plenty of options, ranging from the tried-and-true Web API running on Elastic Beanstalk to running highly scalable event-driven functions with AWS Lambda. Let us spend some time during this session talking about building APIs in .NET and running them on AWS.

WORKSHOP (API): Designing Secure API and Microservices-Based Applications
Farshad Abasi
Forward Security, Founder and CEO

Many applications are being modernized by leveraging APIs and being decomposed into smaller units typically living in containers. These involve many new tools and technologies that are not always well understood, leading to a poor application security posture. Many application architects and developers who take advantage of these architectures lack the knowledge to apply the required security controls. The ideas, principles and concepts such as API gateways, end-to-end trust, authentication and authorization discussed in this presentation have existed for some time. But this presentation brings it all together to provide a blueprint for modern API and microservices-based application security. 

OPEN TALK (API): Empowering API Growth with Open API Specifications
Matthew Miller
Bloomberg, Web API Gateway Team

An API gateway is the storefront and doorway into your organization’s API offerings. In that sense, it needs to provide an effective way to showcase new APIs and help speed up time to market. But how do you ensure your API providers can continue to grow, while enabling clients to seamlessly adapt to your APIs?

Our talk focuses on Bloomberg’s journey of growing our API gateway to house hundreds of API projects that unlock financial data for clients across the global capital markets — both from an infrastructure and product perspective. OpenAPI specifications are at the heart of our strategies for onboarding teams with self-service tooling, our review process that ensures quality and consistency across all of our API products, and the interactive documentation we’ve built to increase client engagement. 

OPEN TALK (API): Using Inspiration to Drive a Great API Experience in AI/ML Products
Steven Baxter
Symbl.ai, Sr. Product Manager

What separates a good API experience from a great one? Providing simplified, quick, secure and reliable access to data and functionality is, at best, the minimum expectation for a modern API product. The key moment that defines when a good API experience transcends into a great one is that sudden moment of clarity and inspiration when a developer doesn't just see how an API solves the problem in front of them, but instead sees how that API connects them to the realm of what's possible. These irreplaceable values enable them to easily build apps and experiences they cannot otherwise build. With advances in the areas of artificial intelligence and machine learning, developers now have the ability to use AI products to explore further into what's possible than ever before, and APIs are the gateway to take them there.

So how does the API experience inspire users, and why is this so important for AI products? Join me in my session to take a deeper look into the various critical aspects of designing and building an API-first conversation AI platform that processes and comprehends unstructured natural human conversation data, and why accounting for inspiration across the API lifecycle is essential for enabling developers to unlock the true potential of these systems.

PRO TALK (API): Zero Trust Strategies to Protect the APIs That Drive Your CI/CD Pipelines
Andrew Jones
Corsha, Director of Solutions Engineering

Many organizations are jumping to DevSecOps from DevOps by adding security scanning and validation to their CI/CD pipelines. This shift-left approach is fantastic because it builds security into applications early on. Now the question is: how do we protect API-driven communication in our CI/CD pipelines themselves? These automated pipelines are a rich treasure trove for attackers: proprietary code and configuration, release artifacts, deployment environments, and of course the critical keys and secrets to control it all. And all of the automation driving these pipelines runs over APIs and communication between different chained third-party services. In this talk, we'll go over strategies and best practices for CI/CD security and show you how to pin access and control to only trusted stages of your pipeline.

[#VIRTUAL] PRO TALK (API): Navigating the Murky Waters of API-First
Joyce Lin
Postman, Head of developer relations

Everyone is jumping on the API-first bandwagon. For most organizations, an API-first approach is the key to scaling software development. But the journey to API-first is not always smooth sailing.

In 2022, I interviewed five well-known organizations for a sneak peek at how they implemented an API-first workflow among their teams. We’ll uncover why they began their transition, their biggest hurdles, and what is next on their roadmap. Learn from these shared experiences and recommendations to pave the way in your own API-first journeys. This is a session about managing organizational change. 

OPEN TALK (API): Proxies, Gateways, and Meshes: Cloud Connectivity for API Developers
Guanlan Dai
Kong, Director of Engineering

API gateway technology has evolved a lot in the past decade, capturing use cases in what the industry calls "full lifecycle API management." API gateways originally allowed developers to expose and consume APIs, secure them, and govern API traffic. Today, however, they provide a series of functionalities to support the complete development cycle, including creating, testing, documentation, monitoring, monetization, and the overall exposure of our APIs.

Another pattern emerged from the industry around 2017: Service Mesh! Service Mesh is an infrastructure layer for microservices communication. It abstracts the underlying network details and provides discovery, routing, and a variety of other functionality. Many attempted to describe the differences between gateways and service meshes. This talk will also discuss the similarities and differences between the communication layer provided by gateways and service mesh. I want to illustrate the differences between API gateways and service mesh — and most importantly when to use one or the other pragmatically and objectively. 

PRO TALK (API): API Security Doesn’t Stop at Inventory
Steve Wilson
Contrast Security, Chief Product Officer

The modern web “application” is really a conglomeration of interconnected APIs, microservices, web apps, frameworks, libraries, and serverless functions spread across multiple cloud and on-premise environments. Simply inventorying your APIs is not nearly enough to make them secure. In this talk, I'll review the five major components of an API security program. We’ll talk about detection, security testing, securing libraries, runtime protection, and access management. We will focus on automation and review the pros and cons of traditional scanning and perimeter tools as well as modern instrumentation-based security tools. You’ll leave with practical guidance on next steps for your API security program. 

PRO TALK (API): API as Products: Best Practices for Using APIs to Achieve your Digital Business Goals
Alex Walling
RapidAPI, Field CTO

If your organization wants to create internal momentum and adoption around its APIs, offer APIs externally to third parties, or create new revenue streams through monetization, you need to think about your APIs as products. This talk examines the key guidelines needed to define your APIs as products, build the framework to operationalize your API program, and design and execute an implementation plan. Specifically, the talk will cover:

- Best practices for assessing and resourcing the people and tooling to support API products.
- Strategies for establishing objectives for your internal and external API programs and the metrics to evaluate them.
- Guidance on building and implementing internal rollout and external GTM plans. 

WORKSHOP (API): Protecting GraphQL with Effective Governance & Security
Shiu-Fun Poon
IBM, Principal Architect, API Security
Morris Matsa
IBM, Principal Architect, API Connect & Gateways

GraphQL is a new approach to exposing your services to application developers. It has many advantages, which come with new challenges to security and governance. In this session you can learn how to protect your GraphQL server endpoints from these unique GraphQL threats and enforce governance with a low-code approach. You'll see demos of numerous approaches such as cost analysis, graph filtering, and much more.

PRO TALK (API): API Protection Best Practices
Varun Kohli
Cequence Security, Chief Marketing Officer (CMO)

It's no secret that APIs are developers' tool of choice and attackers' #1 target. The question on every CISO's mind is this: if APIs are the number one target for attackers, and everyone claims to secure APIs, how do we choose the solution that best fits our API protection needs across the entire API lifecycle? To address that question, do you start with a focus on secure API development? Do you try to stay on top of constantly discovering unknown or shadow APIs? Or do you merely bolster existing defenses in an effort to stop future attacks? Using customer examples as the backdrop, this session will walk attendees through best practices for protecting your APIs regardless of where you are in your API protection lifecycle.

OPEN TALK (API): Creating Profitable Revenue Streams with API Monetization and Analytics
Ram Kanumuri
Kellton, Vice President - Digital Technology Practice

In this talk, we’ll break down two areas of API strategy: API analytics and API monetization.

API analytics are valuable for multiple stakeholders, including product owners, customer success, marketing, and sales. We’ll examine how to get the right data to make informed decisions, outgrow competitors and scale your product.

We’ll also show how teams can use API insights to manage service levels, establish controls, set up security policies, and analyze trends. These analytics not only solve real-world business problems that have a significant impact on organizations, but also help establish a profitable monetization strategy.

A successful API monetization strategy centers around providing true value to paying consumers. API monetization models vary — from pay-as-you-go to monthly/annual billing to “bucket” purchases of API transactions to be consumed over time. We’ll discuss how to create monetizations to deliver high-quality, consistent value to your API users.

**TWO lucky audience members will WIN a PATAGONIA Refugio Daypack ($100 value each) at the end of this presentation! (will be shipped to them after the event) 

PRO TALK (API): From Reactive to Proactive, Changing the Culture on API Security
Bryant Schuck
Checkmarx, Senior Product Manager

If software is eating the world then APIs are the teeth. Good application security approaches and best practices start at the API code level. But the bigger question is, “do you know what those practices are?” Security and threat intelligence must play a role within each part of the API lifecycle to stay ahead of the curve.

In this talk, you’ll hear from Bryant Schuck, Senior Product Manager at Checkmarx, where he will dive deep into the following topics:

· How to shift API security as far left as possible to create secure APIs on every pull request
· How to focus your efforts and attention on where the vulnerable API lives
· New ways to prioritize vulnerability remediation based on APIs' handling of sensitive data
· Live demo of an API Attack 

- PDT
PRO TALK (API): It’s High Time We Address the [API] Elephant in the Room
Bret Settle
ThreatX, Co-Founder and Chief Strategy Officer

APIs are ubiquitous. Every modern software application uses – or is – an API. They connect consumers to businesses and businesses to one another while also acting as an enabler that allows brands to deploy cross-service capabilities. APIs also enable development teams to integrate data from external sources and deliver new services and capabilities rapidly, requiring little to no downtime for consumers.

As API use increases, so do security risks. APIs are easy to deploy but hard to control, and despite their prominence, APIs are consistently overlooked in web application security programs. Application developers may—with best intentions—stand up new APIs without going through the expected security review. The rapid proliferation of APIs has far surpassed security’s ability to protect these assets, and they have quickly become the attack vector of choice for threat actors who exploit insecure APIs for malicious purposes.

During this session, attendees will hear from ThreatX co-founder and Chief Strategy Officer Bret Settle. He will examine the varied types of attack methods used against APIs and outline how organizations can leverage an attacker-centric approach to gain full visibility into their API and web application traffic to identify and protect their vulnerabilities before damage can be done.

Attendees can expect to walk away with the knowledge needed to:
• Identify and correlate activity to block tangible threats
• Respond to attack patterns over time and adjust to adversary motions
• Understand behaviors that, when viewed together, might indicate suspicious activity, for example, dashes or special characters used in form fills
• Maintain uptime on applications without impacting user experience 

- PDT
PRO TALK (API): Modern API Design
Rupal Haribhakti
Atlassian, Engineering Leader

Design principles for modeling an API contract. Best practices for API security. How to address scaling challenges like latency, fault tolerance and throughput. When to use REST, gRPC or GraphQL.

Thursday, October 27, 2022

- PDT
OPEN TALK (API): Monitor Health of API
Wayne Zhao
Chime Bank, Lead Engineer

Chime is the leading fintech unicorn in the United States. We handle billions of transactions each day. Making sure our API is up and running is critical to our customers. As a mobile-only bank, our customers expect to be able to access and spend their money at any time.
In this session, we will talk about how Chime uses synthetic tests to monitor the health of our APIs. Chime has REST APIs, GraphQL APIs and a real-time communication API (based on WebSocket).
We use synthetic tests to simulate many critical user workflows and run them periodically. Synthetic tests can monitor REST and GraphQL APIs out of the box. For the real-time API, we used AWS Lambda to monitor its health and exposed a REST endpoint using AWS API Gateway; the synthetic test then monitors that REST endpoint. Synthetic monitoring has proved to be very effective at detecting problems, and has been the first to detect many of our system outages.
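As an added example (not Chime's code, and not code from this page), here is what such a synthetic monitor looks like in Python: a scripted workflow of HTTP steps, each with a status-code and latency budget, run against a small in-process stand-in API that is constructed here so the check runs offline. The endpoints, the token format and the budgets are assumptions for illustration; a real deployment would run the same workflow on a schedule against the production edge and page on the first failing step.

```python
"""Synthetic API monitor: drives a scripted user workflow against an HTTP API
and reports the first step that misses its status or latency budget.
Added example, not Chime's code; the in-process server below is a constructed
stand-in for a real API so the check runs offline."""
import json
import threading
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Callable, Dict, List, Optional


@dataclass
class Step:
    name: str
    method: str
    path: str                                   # may use values saved by earlier steps, e.g. "/accounts/{acct}"
    expect_status: int = 200
    max_latency_ms: float = 2000.0
    body: Optional[dict] = None
    needs_token: bool = False
    save: Dict[str, str] = field(default_factory=dict)       # ctx key -> JSON field to remember
    check: Optional[Callable[[Any], bool]] = None            # extra assertion on the JSON payload


@dataclass
class StepResult:
    name: str
    ok: bool
    status: Optional[int]
    latency_ms: float
    reason: str = ""


def run_workflow(base_url: str, steps: List[Step]) -> List[StepResult]:
    """Run the steps in order and stop at the first failure, so the report names
    the broken step instead of a cascade of downstream errors."""
    ctx: Dict[str, Any] = {}
    results: List[StepResult] = []
    for step in steps:
        data = json.dumps(step.body).encode() if step.body is not None else None
        req = urllib.request.Request(base_url + step.path.format(**ctx), data=data, method=step.method)
        req.add_header("Content-Type", "application/json")
        if step.needs_token:
            req.add_header("Authorization", "Bearer " + str(ctx.get("token", "")))
        status, payload, reason = None, None, ""
        start = time.perf_counter()
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                status = resp.status
                payload = json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as exc:
            status = exc.code
        except Exception as exc:                 # connection refused, timeout, bad JSON
            reason = f"{type(exc).__name__}: {exc}"
        latency_ms = (time.perf_counter() - start) * 1000
        if status != step.expect_status:
            reason = reason or f"expected HTTP {step.expect_status}, got {status}"
        elif latency_ms > step.max_latency_ms:
            reason = f"latency {latency_ms:.0f} ms over budget {step.max_latency_ms:.0f} ms"
        elif step.check is not None and not step.check(payload):
            reason = "response check failed"
        results.append(StepResult(step.name, reason == "", status, latency_ms, reason))
        if reason:
            break
        for key, json_field in step.save.items():
            ctx[key] = payload.get(json_field) if isinstance(payload, dict) else None
    return results


def workflow_healthy(results: List[StepResult]) -> bool:
    return bool(results) and all(r.ok for r in results)


class _FakeApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the API under test (not a real Chime endpoint)."""
    def _send(self, code: int, obj: Any) -> None:
        body = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self) -> None:
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._send(200, {"token": "t-123"}) if self.path == "/login" else self._send(404, {})

    def do_GET(self) -> None:
        if self.path == "/accounts/acct-1/balance":
            if self.headers.get("Authorization") != "Bearer t-123":
                self._send(401, {"error": "unauthenticated"})
            else:
                self._send(200, {"balance": 42.5})
        elif self.path == "/slow":
            time.sleep(0.3)                      # simulates a degraded dependency
            self._send(200, {"ok": True})
        else:
            self._send(404, {})

    def log_message(self, *args: Any) -> None:  # keep the monitor's own output clean
        pass


def start_fake_api() -> str:
    server = HTTPServer(("127.0.0.1", 0), _FakeApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


LOGIN = Step("login", "POST", "/login", body={"user": "probe", "pass": "x"}, save={"token": "token"})
BALANCE = Step("balance", "GET", "/accounts/acct-1/balance", needs_token=True,
               check=lambda p: isinstance(p, dict) and isinstance(p.get("balance"), (int, float)))
SLOW = Step("slow-dependency", "GET", "/slow", max_latency_ms=50)
UNAUTH_BALANCE = Step("balance-no-token", "GET", "/accounts/acct-1/balance")


def demo() -> Dict[str, List[StepResult]]:
    base = start_fake_api()
    return {"healthy": run_workflow(base, [LOGIN, BALANCE]),
            "slow": run_workflow(base, [LOGIN, SLOW]),
            "unauthenticated": run_workflow(base, [UNAUTH_BALANCE])}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, "OK" if workflow_healthy(results) else "FAIL")
        for r in results:
            print(f"  {r.name:16} status={r.status} {r.latency_ms:.0f}ms {r.reason}")
```

The failing step is reported with its reason, which is what an on-call engineer needs from the first alert. Because the login and balance steps chain through a saved token, an authentication outage shows up as one failing step with a 401 rather than as noise from every later call.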

- PDT
OPEN TALK (API): APIs: The Target of Multi-Mode Attacks
Bret Settle
ThreatX, Co-Founder and Chief Strategy Officer

APIs are a two-edged sword: They expose business functionality and allow easy and powerful integration between back-end systems, but they also provide attackers with more attack surface, and through that, grant visibility into the back-end functions of an application.

As API use increases, so do security risks. Securing APIs against sophisticated, multi-mode attacks requires organizations to automatically detect attacker behavior and block it in real time. During this session ThreatX’s co-founder and Chief Strategy Officer, Bret Settle, will walk step by step through the attack behavior being seen in multi-mode attacks and how those strategies are targeting APIs more than ever.

- PDT
OPEN TALK (API): PDF Signatures vs Web-Based Signatures: Building Workflows to Enhance your Security and Efficiency
Mahender Bist
Foxit, SVP of Foxit eSign

The focus of this talk will be PDF document signatures and how they differ from web-based signatures. This talk will cover:
• What are the different types of eSignatures?
• Advantages of document-based vs web-based eSignatures.
• Digital signature security.
• Validations including LTV.
• Building workflows with document-based signatures.
• Using a PDF SDK to enhance the eSignature process. 

- PDT
PRO TALK (API): Build Resilient Applications Using Orchestration
Cherish Santoshi
Orkes, Developer Relations Engineer

As we move towards an exciting future of more distributed systems, we are bound to encounter microservices written in different languages and infrastructures.
The resiliency of different applications only makes sense if they come together beautifully to create one invincible application.

In this session, we will talk about how companies like Netflix, Tesla, etc. used orchestration to build robust and scalable applications that inspire innovation. 

- PDT
PRO TALK (API): Realizing Blockchain Scalability with an Open API Standard
E.G. Galano
Infura, Co-Founder

For developers interested in the decentralized Web, or Web3, infrastructure-as-a-service (IaaS) platforms can pave the way to a frictionless and scalable developer experience. Opting for an open API standard encourages integration due to ease of implementation while facilitating interoperability.
In this session, E.G. Galano will discuss best practices when developing the infrastructure for blockchain APIs, how to battle-test API infrastructure at scale and how to build a reliable API that appeals to both developers and enterprises. This session will explore open API capabilities that will drive adoption.

- PDT
OPEN TALK (API): Building a Culture to Take Control of Your Software
Nikhil Unni
Cortex, Co-Founder

Engineering organizations have embraced microservices at scale because they minimize dependencies, allow software to ship faster at a lower risk, and are less expensive to maintain when compared to the monolithic applications of yesterday. However, as more services are added, managing them becomes increasingly complex. Even more problematic, engineering teams today depend on “tribal knowledge” and multiple spreadsheets to track and optimize hundreds of microservices, leading to surprise outages, security vulnerabilities, and loss of time and money. The largest challenges facing engineering teams today aren’t technical, they are cultural; but there is a better way. In this presentation, Nikhil will discuss proven strategies and best practices to take control of your service infrastructure, drive adoption of best practices, and foster a culture of reliability and ownership.

- PDT
OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Delivers End-To-End API Security
Isabelle Mauny
42Crunch, CTO

Development and security teams know securing APIs is a critical task, yet companies are still debating the pros and cons of adopting a developer-first approach to protecting their APIs versus a more traditional shield-right security model. In this presentation, Isabelle examines the pros and cons of each approach, and shows through demonstrations how development and security teams can achieve the best of both approaches to achieve continuous API Security. Isabelle will show how developers can embed security as code in their APIs but also how security teams can maintain visibility and control via API micro-firewalls and existing SIEM services. 

- PDT
PRO TALK (API): Mindset Change: Internal to External APIs
Thothathri Srinivasan
Pinterest, Tech Lead

We've all built internal APIs, and at some point we decide to expose this out externally / build external APIs. This is a session designed to talk about the best practices and pitfalls when product managers and engineers design external facing APIs after having built mainly internal APIs.

What should we be more mindful of, why we need to rethink our data model, and how important is technical documentation for folks trying to integrate with your systems?

The success of a public-facing API isn't just how many QPS you can handle, or security concerns; it's all about the ease for developers (like yourself!). I'll talk about my learnings, and what can help you design robust systems that developers will love integrating with. The easier it is for developers to integrate with your external API, the more successful your API becomes automatically.

I'll most importantly talk about how I've had to change my mindset after having built only internal product APIs (almost exclusively) previously, and how I've managed to move from APIs that were used for a few hundred updates into ones that can do billions of updates each day. 

- PDT
OPEN TALK (API): Productizing APIs into Revenue Centers
Derric Gilling
Moesif, CEO

This session will walk through a product strategy to turn APIs into a center of revenue for your business.
First, we'll discuss common product management techniques to treat your APIs as a product. Then we'll create a step-by-step strategy on how to drive developer adoption and the nuances of selling to developers. Lastly, we'll discuss different ways to monetize APIs, such as prepaid, pay-as-you-go, and other usage-based pricing models.

- PDT
OPEN TALK (API): API Tools for the Stages, Not the Ages
Andrew Stiefel
NGINX, Product Marketing Manager

There is no one-size-fits-all approach to building API infrastructure, and what you need will change with the scale of your operations. So instead of buying a tool for the ages, learn how to select technologies based on where you are today in your API journey. Explore the stages of API modernization, implications for your API strategy, and considerations to ensure your technology will scale with you as you grow.

- PDT
OPEN TALK (API): Cautionary Tales - Real World Case Studies of API Blind Spots and Security Issues, and How to Avoid Them
Chuck Herrin
WIB, CTO

While experience is the best teacher, tuition is high. In this session WIB’s CTO Chuck Herrin builds on our Field Report session to take a deep dive into real world examples of API security issues in live environments, and how your team can take the lessons to benefit your organization.

- PDT
PRO TALK (API): Cloud Databases, ELT, and APIs – A Perfect Storm?
Robert Brauer
Interzoid, CEO & Founder

The data landscape is changing rapidly. The explosion of Cloud database platforms on to the scene the past few years has paved the way for a new class of data innovation. The ease at which data can be collected, stored, shared, and manipulated is driving a new breed of Analytics, AI/ML, Data Science, and other data-driven applications that will have a major impact on the economy. These trends have enabled the emergence of ELT as an alternative to ETL, which in turn is enabling a whole new way of thinking about warehousing data and how to make use of that data, creating new opportunities that will help organizations increase the value of the strategic data assets that drive their business. APIs are the ideal mechanism to accelerate and expand these trends even further, leading to the long-sought-after golden age of APIs. This talk will discuss the future of Cloud Databases and ELT, and how the combination will drive a substantial wave of API adoption. 

- PDT
OPEN TALK (API): Applying AI to API Testing across the Lifecycle
Swetha Sridharan
IBM API Connect, Product Manager

Time to market and ability to change rapidly while retaining high quality is a key business driver today. Come learn how API Developers can apply different testing approaches using AI at various points in the API lifecycle. Be more productive & improve quality faster than ever before! 

- PDT
PRO TALK (API): How Low-Code API Management Is the Cure to API Sprawl
Rakshith Rao
Apiwiz, Co-founder and CEO

Nothing strikes fear into the hearts of developers like the terms no-code and low-code (except maybe AI). DevOps has us wanting to move fast and automate everything, but we don’t want low-code platforms to replace developers' jobs! A survey of 600 engineers had them reflect on what they wish they could spend less time on: 37% spent on manual testing of changes/writing scripts; 35% spent on refactoring old code; and only 33% spent on writing code for new features. In this talk we will discuss how low-code API management can increase developer productivity and raise developer potential by allowing them to focus on creative problem-solving. All through a single, organization-wide view. 

- PDT
PRO TALK (API): Building Dynamic, Static Sites with Open Feature APIs
Kevin Poorman
Harness.io, Director, Developer Advocacy

Recent trends in web development have enabled us to build websites that are entirely static, where all dynamic interaction is done in the browser. How do you deploy these static sites without hard-coding backend server details? Feature flags to the rescue! Join us in this session as we explore how even static sites can become fully dynamic with the addition of OpenFeature APIs. In this session we’ll extend a statically hosted JAMstack application with OpenFeature APIs, solving the crucial question of how we can deploy static sites that aren’t hard-coded to a given back-end.

- PDT
PRO Workshop (API): Horror Stories From Other People’s APIs
Vincenzo Chianese
Microsoft, API Architect

In this talk, I'll share my experiences from the past year working primarily on integrations with other people’s APIs. I'll explore some “pearls” that I found and alternatives that would have made my journey a little bit easier. 

- PDT
PRO TALK (API): tl;dr: Shifting API Standards Left
Ed Olson-Morgan
Marsh McLennan, Core API & Innovation Lead

When Marsh McLennan established a core APIs team in April of 2021, one of the first priorities was to create a set of API standards for the organization. But after blending together industry exemplars, RFCs, internal best practices and the occasional meme or two, the forty-six page document that resulted didn’t lead to the API revolution we’d expected. Focusing on closely integrating the standards with OpenAPI specification led to increased adoption across the internal developer community. Come and learn how the team used the OpenAPI Specification to drive standards compliance, improve collaboration and allow for easy maintenance and iteration of the standards over time. 

- PDT
PRO TALK (API): Why Your API Doesn’t Solve My Problem: A Use Case-Driven API Design
Jan Vlnas
Superface, Developer Advocate

You wrote an API specification, documented your endpoints, and published SDKs. Here’s a question, though: Does your API actually solve your users’ problems?

API providers often fail to address common use cases to solve users’ needs, or their assumptions don’t match the reality. This may end up in frustration and loss of users.

In this talk, we will take a peek into developers’ mindset. I will show how to better understand the developers’ needs by researching the usage patterns, existing libraries and 3rd party experience layers, provide examples of good and bad practices, and suggest actionable steps to improve developer experience for your API. 

- PDT
OPEN TALK (API): Pivoting from Consumer to Enterprise with APIs: Learn, Build, Optimize
Shan Mohammed
Picsart, Head of Developer Support

Picsart built a 150M monthly creators strong consumer business with its app that offers hundreds of individual tools for fast editing. And now the company is exploring new territory with their new API program designed to make their most popular consumer creative tools available to enterprises and platforms via API. Learn how Picsart’s API team built a new revenue stream from existing tech but with a completely new business approach. 

- PDT
PRO TALK (API): GraphQL - Security Implications and Best Practices
Amir Shaked
PerimeterX, SVP R&D

GraphQL is one of the fastest-growing approaches in API specifications. But it comes with security risks that can and should be addressed as you design your AAA: authentication, authorization and auditing.

- PDT
PRO TALK (API): Enabling Developers to Get More Done
Brian Childress
Calendly, Application Architect

Are you blocked by manual processes, inefficiencies, and knowledge silos? Are developers happy or frustrated? Join me and we’ll explore some of the ways you can enable developers to do their best work and improve the developer experience through a focus on tools, processes, and collaboration.

With the increased cloud adoption, smaller autonomous development teams, and microservices we need a way to ensure consistency and productivity. In this talk we’ll explore topics like: boilerplate templates, development environments, CI/CD, code reviews, and effective documentation.

If you’re a developer trying to improve your work day-to-day or an engineering leader trying to empower your teams, this talk has something for you. 

- PDT
PRO TALK (API): The 12 facets of the OpenAPI Specification
Neelesh Pateriya
Cisco Systems, Principal Engineer

We'll introduce how Cisco Engineering leverages OAS to drive API quality and state-of-the-art developer experience. We'll then describe OpenAPI best practices, tools and processes built internally and open-sourced, as well as the benefits for Cisco partners and customers. Join this session to hear the best practices and lessons learned when standardizing on OAS for organizations with a massive internal- and external-facing API portfolio.

- PDT
OPEN TALK (API): A Journey into Building a Powerful Developer Platform
Tim Slagle
Zoom, Head of Developer Relations

This session will touch on the evolution of Zoom, including how and why Zoom’s founder and CEO, Eric S. Yuan, decided to build Zoom. The session will include insights on how today, Zoom is more than meetings and how what started as a meetings app has quickly evolved into a comprehensive platform, including our Developer Tools. Touching on the Zoom Developer Platform, it will highlight how the platform enables developers, platform integrators, service providers, and customers to easily build apps and integrations that use Zoom’s video communication solutions or integrate Zoom’s core technology into their products and services. Then, we will discuss how Zoom is building flexible developer solutions, such as Zoom’s Meeting SDKs/APIs and Video SDKs/APIs that extend the value Zoom provides across more and more tasks, and in turn, increase the platform’s differentiation as the future of communications. To close the session, we will discuss the Zoom ISV Partner Program and the GTM approach that was launched to promote ISVs and leverage a full partner ecosystem for developers using the Zoom APIs/SDKs. 

- PDT
PRO TALK (API): Automating API Governance
Muhammad Nauman Ali
Stoplight, API Enthusiast

Style guides are one of the most effective tools to build consistent APIs that follow best practices. Automated style guides increase the effectiveness of style guides by making it easy for developers/designers to do the right thing. In this session, we'll go through best practices for creating API style guides and making them part of the CI/CD process. 
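An added example of such an automated style guide in Python (not Stoplight's tooling, and not code from the page): five rules a security-minded governance team commonly wants, applied to an OpenAPI 3 document, with a constructed sample that violates four of them and an exit status a CI step can gate on. The rule set, the sample document and the wording of the findings are assumptions for illustration.

```python
"""Automated API style guide: lint an OpenAPI 3 document for the rules a
governance team would otherwise enforce by hand in review, and gate CI on it.
Added example, not Stoplight's tooling; rules and sample are constructed."""
import re
from typing import Any, Dict, List

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}
# lowercase kebab-case segments, {camelCase} path parameters
KEBAB_PATH = re.compile(r"(/(\{[A-Za-z_]\w*\}|[a-z0-9]+(?:-[a-z0-9]+)*))+")


def lint_openapi(spec: Dict[str, Any]) -> List[str]:
    """Return one finding per violated rule; an empty list means the spec passes."""
    findings: List[str] = []
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        # Rule 1: URL style
        if not KEBAB_PATH.fullmatch(path):
            findings.append(f"{path}: path segments must be lowercase kebab-case")
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Rule 2: a stable operationId, needed for SDK generation and log correlation
            if not op.get("operationId"):
                findings.append(f"{where}: missing operationId")
            # Rule 3: security is explicit; 'security: []' marks an intentionally public route
            security = op.get("security", global_security)
            if security is None:
                findings.append(f"{where}: no security requirement (use 'security: []' for public routes)")
            # Rule 4: a protected operation documents what a rejected caller gets back
            responses = op.get("responses", {})
            if security and not ({"401", "403"} & set(responses)):
                findings.append(f"{where}: secured operation documents neither 401 nor 403")
            # Rule 5: every path parameter carries a schema, so validation is generated, not hand-rolled
            for param in item.get("parameters", []) + op.get("parameters", []):
                if param.get("in") == "path" and "schema" not in param:
                    findings.append(f"{where}: path parameter '{param.get('name')}' has no schema")
    return findings


def ci_gate(findings: List[str]) -> int:
    """Exit status for a pipeline step: non-zero blocks the merge."""
    for f in findings:
        print("STYLE:", f)
    return 1 if findings else 0


# Constructed sample with deliberate violations
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],      # no schema
            "get": {
                "operationId": "getUser",
                "security": [{"bearerAuth": []}],
                "responses": {"200": {"description": "ok"}, "401": {"description": "unauthenticated"}},
            },
        },
        "/admin_reports": {                                                      # underscore, not kebab-case
            "post": {"responses": {"200": {"description": "ok"}}},                # no operationId, no security
        },
        "/health": {
            "get": {"operationId": "health", "security": [], "responses": {"200": {"description": "ok"}}},
        },
    },
}

if __name__ == "__main__":
    raise SystemExit(ci_gate(lint_openapi(SAMPLE_SPEC)))
```

Rule 3 is the one that catches the most real problems: an operation that simply omits `security` is indistinguishable, to a reviewer skimming the file, from one that was deliberately made public, so the lint forces the author to say which it is.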

Tuesday, November 1, 2022

- PDT
[#VIRTUAL] PRO Workshop (API): Contract Driven Development - Deploying your MicroServices independently without integration testing
Hari Krishnan
Polarizer Technologies, Polyglot Full Stack Developer

Our largest hurdle in deploying a MicroService was the Integration Testing stage. Just one incompatible API was enough to break the integration environment and block the path to production for all services.

While adopting OpenAPI helped address some of the communication gaps in API specs between teams, the deviations during implementation continued to persist. We needed an approach that changed the way teams collaborated on API Specs and also remove the need for integration testing.

To fill this need we came up with Contract Driven Development which consists of
1. Contract as Test - Contract (Example: OpenAPI) translated to Test Scenarios against the API implementation. Ensures that Provider (API implementation) adheres to Contract.
2. Smart Service Virtualisation - Verify Stub Data against OpenAPI Spec. Ensures the Consumer (API Client) is compatible with Provider's Contract.
3. Backward Compatibility Testing - OpenAPI vs OpenAPI (no code) to check if versions are backward compatible. Helps teams analyse if a change will break integration. 
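The third item, spec-versus-spec backward-compatibility checking, as an added example in Python (not Hari Krishnan's tooling, and not code from the page): it walks every path, operation, parameter, request body and response of the old document and reports what a consumer built against it would lose in the new one. The two OpenAPI documents are constructed, and the rule set is a practical subset rather than an exhaustive one.

```python
"""Backward-compatibility check between two OpenAPI 3 documents (spec vs spec,
no code): flags changes that would break an existing consumer. Added example,
not Hari Krishnan's tool; the two sample specs are constructed."""
import copy
from typing import Any, Dict, List, Tuple

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")


def resolve(spec: Dict[str, Any], node: Any) -> Dict[str, Any]:
    """Follow local $ref pointers (#/components/...) to the concrete object."""
    hops = 0
    while isinstance(node, dict) and "$ref" in node and hops < 32:
        target: Any = spec
        for part in node["$ref"].lstrip("#/").split("/"):
            target = target[part]
        node, hops = target, hops + 1
    return node if isinstance(node, dict) else {}


def response_schema(spec: Dict[str, Any], op: Dict[str, Any], code: str) -> Dict[str, Any]:
    media = op.get("responses", {}).get(code, {}).get("content", {}).get("application/json", {})
    return resolve(spec, media.get("schema"))


def body_schema(spec: Dict[str, Any], op: Dict[str, Any]) -> Dict[str, Any]:
    media = op.get("requestBody", {}).get("content", {}).get("application/json", {})
    return resolve(spec, media.get("schema"))


def parameters(spec: Dict[str, Any], path_item: Dict[str, Any], op: Dict[str, Any]) -> Dict[Tuple, Dict[str, Any]]:
    out: Dict[Tuple, Dict[str, Any]] = {}
    for p in path_item.get("parameters", []) + op.get("parameters", []):
        p = resolve(spec, p)
        out[(p.get("in"), p.get("name"))] = p          # operation-level overrides path-level
    return out


def breaking_changes(old: Dict[str, Any], new: Dict[str, Any]) -> List[str]:
    """Everything a consumer built against `old` relies on must survive in `new`.
    Additions (new paths, optional params, extra response fields) are not flagged."""
    findings: List[str] = []
    for path, old_item in old.get("paths", {}).items():
        new_item = new.get("paths", {}).get(path)
        if new_item is None:
            findings.append(f"{path}: path removed")
            continue
        for method in HTTP_METHODS:
            old_op = old_item.get(method)
            if old_op is None:
                continue
            where = f"{method.upper()} {path}"
            new_op = new_item.get(method)
            if new_op is None:
                findings.append(f"{where}: operation removed")
                continue
            old_params = parameters(old, old_item, old_op)
            for key, p in parameters(new, new_item, new_op).items():
                if p.get("required") and key not in old_params:
                    findings.append(f"{where}: new required {key[0]} parameter '{key[1]}'")
            old_req, new_req = body_schema(old, old_op), body_schema(new, new_op)
            for prop in sorted(set(new_req.get("required", [])) - set(old_req.get("required", []))):
                findings.append(f"{where}: request property '{prop}' is now required")
            for code in old_op.get("responses", {}):
                if code not in new_op.get("responses", {}):
                    findings.append(f"{where}: response {code} removed")
                    continue
                old_props = response_schema(old, old_op, code).get("properties", {})
                new_props = response_schema(new, new_op, code).get("properties", {})
                for prop, old_s in old_props.items():
                    if prop not in new_props:
                        findings.append(f"{where} {code}: response property '{prop}' removed")
                        continue
                    old_t, new_t = resolve(old, old_s).get("type"), resolve(new, new_props[prop]).get("type")
                    if old_t != new_t:
                        findings.append(f"{where} {code}: response property '{prop}' changed type {old_t} -> {new_t}")
    return findings


# Constructed v1 document
OLD_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "paths": {
        "/orders/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
            "get": {"responses": {
                "200": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Order"}}}},
                "404": {"description": "not found"}}},
            "delete": {"responses": {"204": {"description": "deleted"}}},
        },
        "/orders": {"post": {
            "requestBody": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/NewOrder"}}}},
            "responses": {"201": {"description": "created"}}}},
    },
    "components": {"schemas": {
        "Order": {"type": "object", "properties": {"id": {"type": "string"}, "total": {"type": "number"},
                                                   "currency": {"type": "string"}}},
        "NewOrder": {"type": "object", "required": ["sku"],
                     "properties": {"sku": {"type": "string"}, "coupon": {"type": "string"}}},
    }},
}


def _evolve(spec: Dict[str, Any]) -> Dict[str, Any]:
    """A plausible v2 with both safe and breaking edits (constructed)."""
    new = copy.deepcopy(spec)
    get = new["paths"]["/orders/{id}"]["get"]
    get["parameters"] = [{"name": "tenant", "in": "query", "required": True, "schema": {"type": "string"}}]  # breaking
    del get["responses"]["404"]                                       # breaking: clients handle 404 today
    del new["paths"]["/orders/{id}"]["delete"]                        # breaking
    order = new["components"]["schemas"]["Order"]["properties"]
    order["total"] = {"type": "string"}                               # breaking: retyped
    del order["currency"]                                             # breaking: removed
    order["status"] = {"type": "string"}                              # safe: additive
    new["components"]["schemas"]["NewOrder"]["required"] = ["sku", "coupon"]   # breaking
    new["paths"]["/orders/{id}/refund"] = {"post": {"responses": {"202": {"description": "accepted"}}}}  # safe
    return new


NEW_SPEC = _evolve(OLD_SPEC)

if __name__ == "__main__":
    for f in breaking_changes(OLD_SPEC, NEW_SPEC):
        print("BREAKING:", f)
```

Run as a pull-request check on the spec alone, this answers "will this change break integration" before any service is built or deployed; adding the check in the other direction (new against old) would report the additive changes as well, which is useful for release notes but is not what the gate should fail on.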

- PDT
[#VIRTUAL] PRO Workshop (API): Geo-Distributed GraphQL: Building a Scalable and Resilient API Layer
Denis Magda
Yugabyte, Head of DevRel

You can provision a cloud native GraphQL API layer and start serving applications within minutes. However, readying this layer for production workloads has its challenges. For starters, what if the number of requests grows 2x, 10x, or 100x? Or, what if the data volume goes from 10GB to 100GB and then 1TB? And what if a cloud availability zone that hosts the API layer experiences outages? Lastly, what if your API layer needs to serve user requests with low latency across distant countries and continents.

Join this hands-on session where we’ll build a geo-distributed GraphQL API layer that tolerates major cloud outages, serves user requests with low latency regardless of whereabouts, and easily complies with data residency requirements when expanding to new territories. 

- PDT
[#VIRTUAL] PRO Workshop (API): Going Real Time with Live Queries and Subscription
Rishiraj Anand
Red hat, Senior Software Engineer

GraphQL live queries and subscriptions have a strong case while thinking about creating real-time web apps. While both approaches converge to trying to keep the client state in sync with the server, they differ in the ways in which they are implemented and give rise to new patterns altogether. By understanding how they behave under the hood, we can decide the best approach based on our use case.

The session will focus on solving problems while designing the architecture of real-time applications. We’ll talk about some common architectures developers follow while designing resilient RTA apps. When starting to bring real-time use cases into the discussion of any app, there are certain challenges developers face while using the JavaScript ecosystem. GraphQL, while already boosting application performance and development time, can solve challenges pertaining to RTA apps out of the box. Why listening to data changes in live queries could make more sense for GraphQL clients than listening for events in GraphQL subscriptions. We'll compare the pros and cons of these approaches and talk about solutions where we might need a combination of both.

- PDT
[#VIRTUAL] PRO Workshop (API): Autogenerate your database schema and OData endpoints using English with Pine.js
Harald Fischer
balena.io, Product builder

In this talk, we would like to enable API developers with a sophisticated rules-driven API engine that enables you to define rules in a structured subset of English.

The talk gives an introduction to the open source project Pine.js which is the core backend API in balena. The balena cloud stack serves millions of OData requests to more than half a million globally distributed IoT devices and thousands of IoT device fleet managers every day.

Pine.js lets developers define and model their business relations in a structured, human-readable text format. Using Semantics of Business Vocabulary and Business Rules (SBVR) you can easily define entities, entity quantities, rules and relationships, and Pine.js will automatically generate the underlying data definition language (DDL) and data query language (DQL) queries and execute them on a SQL database. Finally, Pine.js automatically provides all the OData API endpoints.

Pine.js uses an intermediate abstract SQL format and implements concepts to:
- automatically resolve m:n relationships into two 1:n relationships with helper tables
- parse OData requests and translate them into the abstract SQL intermediate format
- translate defined business rules and validations into the abstract SQL format
- resolve permissions into abstract SQL
All abstract SQL statements are combined into one query to the database and executed in one transaction.

- PDT
[#VIRTUAL] PRO Workshop (API): The BFFs and BAEs of API Development
Junaid Warwani
Jetty, Director of Engineering

Building APIs that support multiple user experiences in a complex domain often means using microservices — but while microservices are great for developing, they can be more challenging for your API users and for cross-platform integrations. This is how we use BFFs (Backend-For-Frontend) and BAEs (Backend-Async-Events) at Jetty to alleviate this problem 

- PDT
[#VIRTUAL] PRO Workshop (API): API Fuzz Testing Fundamentals
Alex Brewer
ForAllSecure, Technical Solutions Engineer

The goal of this 50-minute technical workshop is to explain what fuzz testing is, then run a fuzz test against a simple API server, understand and explain the benefits of API testing, and review the fuzzing results to evaluate the API fuzzing targets for security and performance.
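As an added example of the fundamentals the workshop names (not ForAllSecure's tooling, and not code from the page), here is a mutation-based fuzzer in Python run against a constructed, deliberately fragile JSON handler that stands in for the API server. It separates the handler's own clean rejections (the equivalent of an HTTP 400) from crashes that would surface as 500s, records the slowest input for the performance angle, and uses an oracle on the state after each accepted request to catch inputs that violate a business invariant, which no crash alone would reveal. The handler, its bugs and the seed request are all assumptions for illustration.

```python
"""Mutation-based fuzzing of a JSON API handler: mutate a known-good request,
call the handler in-process, and separate clean rejections (BadRequest) from
crashes (any other exception) and invariant violations caught by an oracle.
Added example, not ForAllSecure's tooling; the handler is a constructed,
deliberately fragile stand-in for the API under test."""
import copy
import random
import time
from typing import Any, Dict, List, Tuple


class BadRequest(Exception):
    """The handler's own, expected rejection of malformed input (an HTTP 400)."""


INITIAL_BALANCES = {"acct-1": 100.0}
BALANCES: Dict[str, float] = dict(INITIAL_BALANCES)


def handle_transfer(req: Any) -> Dict[str, Any]:
    """Constructed target. Bugs a fuzzer should surface: float() on untrusted
    input lets ValueError/TypeError/KeyError escape as 500s, and nothing checks
    that the amount is positive and finite."""
    if not isinstance(req, dict):
        raise BadRequest("body must be a JSON object")
    acct = req.get("account")
    if acct not in BALANCES:
        raise BadRequest("unknown account")
    amount = float(req["amount"])
    memo = req.get("memo", "")
    if len(memo) > 140:
        raise BadRequest("memo too long")
    if amount > BALANCES[acct]:
        raise BadRequest("insufficient funds")
    BALANCES[acct] -= amount
    return {"account": acct, "balance": BALANCES[acct]}


INTERESTING = [None, 0, -1, 2**63, -2**63, 1e308, float("nan"), "", "0", "1e3", "-1",
               "\x00", "' OR 1=1--", "A" * 141, [], {}, True]


def mutate(rng: random.Random, seed: Dict[str, Any]) -> Any:
    """One random structural or value mutation of the seed request."""
    body = copy.deepcopy(seed)
    key = rng.choice(list(body))
    op = rng.randrange(5)
    if op == 0:
        del body[key]                                            # missing field
    elif op == 1:
        body[key] = rng.choice(INTERESTING)                      # boundary / wrong-type value
    elif op == 2:
        body[key] = {"nested": rng.choice(INTERESTING)}          # wrong shape
    elif op == 3:
        body["extra_" + str(rng.randrange(20))] = rng.choice(INTERESTING)   # unexpected field
    else:
        return rng.choice([None, [], "", 0, [body]])             # wrong top-level type
    return body


def fuzz(seed: Dict[str, Any], iterations: int = 2000, rng_seed: int = 1) -> Dict[str, Any]:
    """Deterministic run (fixed RNG seed) so a finding can be reproduced."""
    rng = random.Random(rng_seed)
    crashes: Dict[Tuple[str, str], Any] = {}     # (exception class, message) -> first input that caused it
    oracle_failures: List[Dict[str, Any]] = []
    slowest: Tuple[float, Any] = (0.0, None)
    for _ in range(iterations):
        BALANCES.clear()
        BALANCES.update(INITIAL_BALANCES)        # every case starts from the same state
        body = mutate(rng, seed)
        started = time.perf_counter()
        try:
            handle_transfer(body)
        except BadRequest:
            continue                             # well-formed rejection: that is what we want
        except Exception as exc:                 # anything else would be a 500 in production
            crashes.setdefault((type(exc).__name__, str(exc)[:40]), body)
            continue
        finally:
            elapsed = time.perf_counter() - started
            if elapsed > slowest[0]:
                slowest = (elapsed, body)
        # Oracle: an accepted transfer may only lower a balance, never below zero or to NaN
        for acct, before in INITIAL_BALANCES.items():
            after = BALANCES[acct]
            if not (0 <= after <= before):
                oracle_failures.append({"input": body, "balance_after": after})
    return {"crash_classes": sorted(crashes), "crash_inputs": crashes,
            "oracle_failures": oracle_failures, "slowest": slowest}


SEED_REQUEST = {"account": "acct-1", "amount": 25, "memo": "rent"}

if __name__ == "__main__":
    report = fuzz(SEED_REQUEST)
    for cls in report["crash_classes"]:
        print("CRASH", cls, "<-", report["crash_inputs"][cls])
    print(len(report["oracle_failures"]), "oracle failures, e.g.", report["oracle_failures"][:1])
```

Against a network-facing server the same loop would send each mutated body over HTTP and treat any 5xx, timeout or connection reset as a crash; the oracle step is what turns a crash finder into a security test, since the negative-amount and NaN inputs are accepted with a 200 and only the state check exposes them.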

- PDT
[#VIRTUAL] PRO Workshop (API): Keep It 200 - Move beyond Static Docs with Self Service API Onboarding
Sagar Batchu
Speakeasy, CEO & Co-founder

In order to ship quality APIs to your customers, it is critical to have a customer-centric view of API usage. Learn how to leverage your APIs’ real world traffic to evolve your APIs with ease. 

- PDT
[#VIRTUAL] PRO Workshop (API): Automagic API Security Testing: Pre-prod agent-generated tests FTW
Steve Chappell
Synopsys, SW Manager & API Security Evangelist

Most API Security tools/platforms are built for the Security teams that are told “here’s an API service already running – go secure it”. Thus, they take an outside-in approach of building a fence around a service and/or poking the service with a stick to see what outward reactions they can get. But even an ML-powered fence can’t stop everything. Shouldn’t we be improving the security inherent in our RESTful or GraphQL API service/microservices? Let's actually find and fix the flaws before the API is deployed. And before the developers reading this run screaming thinking this is another “shift [the extra work] left” talk, what we will advocate is a simply and scalably deployed agent that will do this work for us. It will automagically discover and ingest the API documentation (if it exists), create and run tests based on these docs, turn any other functional tests we already have into security tests, and output replayable exploits when they are found. “Agent-less” solutions don't have the visibility and controllability needed to realize the automagic of building a more secure API from the inside out. 

- PDT
[#VIRTUAL] PRO Workshop (API): Automated APIs for Scaling Enterprises: How to Set Standards and Create Smooth API Implementations
Jeremy Glassenberg
Docusign, Product Leader, APIs

API standards and schemas have helped to automate much of API design, implementation and maintenance -- and not a moment too soon. As many tech companies experienced growth spurts in the past year, they ended up with multiple teams working on new products and new APIs. Consequently, they learned that their ways to create well-designed APIs wouldn't work so easily when multiple teams have to create them.

Thanks to new solutions (centralized around a good API gateway), growing companies can establish a scalable system for designing, implementing and launching consistent APIs across many teams. We’ll share best practices and solutions from experiences with enterprises in this phase to understand how to be effective working across Product, Infrastructure and Engineering teams to do so. 

- PDT
[#VIRTUAL] PRO Workshop (API): Observability across Asynchronous Managed Services and APIs
Erez Berkner
Lumigo, CEO & Co-Founder

In highly distributed cloud native environments, application requests traverse many third-party APIs and managed services. Applying distributed tracing to your own code through instrumentation is relatively simple, but requires a lot of work. The challenge, however, really lies with the API and managed service, and how to trace a full request across services like queues, streams, and databases.
In this session we will discuss:
- The technical challenges gaining observability with managed services.
- Methods to build the full trail of transactions across managed services.
- Ideas on how to obtain observability in a highly async distributed world.
- We’ll technically drill down to some managed services examples. 

Wednesday, November 2, 2022

- PDT
[#VIRTUAL] OPEN TALK (API): Future of Development: Developer Mindset Is Required Not Skillset
Muthu Raju
Linx LLC apiplatform.io, Founder, CEO

Abilities and skills are two different things. Most organizations today hire people based on skills, not abilities. The future of development will be only for people with developer thinking - skillsets (programming languages) will be obsolete with no-code platforms and aggregators in the marketplace.

Linx LLC is a US-based company founded in 2020. Our vision is to "Build a platform that enables technology-savvy organizations to reimagine speed, scale, and agility to improve productivity and cultivate innovation." Our mission is to "Eliminate waste in the end-to-end development process and provide everyone with a much more accessible, faster, cheaper technology platform to bring their ideas to product more quickly." Our first flagship product, apiplatform.io, is a cloud-agnostic, no-code platform that focuses on enabling organizations to build and integrate APIs at a revolutionary speed. In addition, the platform provides a fully automated and highly configurable self-service capability.
We are an early-stage but rapidly growing start-up. In our two years of operation, we conservatively had a run rate of approximately $1M per year with a trajectory to exceed that. We have expanded from two to 30 employees, from two to five international locations, covering four continents. Our customers are excited about the platform and steadily build confidence, trusting us to build their products. We have customers from a wide range of sectors, including FinTech, e-Commerce, and Edtech, with approximately 20,000 APIs being developed and about 100 developers using the platform. 

- PDT
[#VIRTUAL] PRO TALK (API): Building APIs for Modern Developers
Meherdeep Thakur
Agora, Flutter | Android | Developer Evangelist

APIs have changed the way developers build their applications and now it's time that developers change their APIs so that they are fit for every kind of developer be it a novice developer or a person starting with their development journey.
In my talk I would like to go over how to design your APIs so that they are more intuitive and aligned with the end developer needs. I would also like to cover some best practices when it comes to architecting and documenting the APIs to offer the best developer experience. 

- PDT
[#VIRTUAL] PRO TALK (API): GraphQL: Great Flexibility, New Attack Vectors
Erez Yalon
Checkmarx, VP of Security Research
Paulo Silva
Checkmarx, Ethical Hacker / Senior Security Researcher

In recent years, GraphQL adoption has increased significantly. Developed by Facebook and introduced in 2012, GraphQL came with a proposal different than REST: native flexibility to those building and calling APIs.
As we know, with great flexibility come... new attack vectors!

In this session, we'll cover GraphQL-specific security risks and attack vectors. Beyond the commonly discussed topic of enabled introspection in production, we'll present and discuss how field suggestions can be abused, what common GraphQL Cross-Site Request Forgery (CSRF) issues look like, and how attackers are using batching attacks, alias and directory overloading, and query depth issues to their advantage.

We want to shed some light on GraphQL-specific issues that may hurt not only the system but also the business, leading to massive data leakages or Denial-of-Service (DoS). 

- PDT
[#VIRTUAL] OPEN TALK (API): Effective API Security: API Discovery, Runtime Protection, Security Analytics, Active Testing
Dan Gordon
Traceable, Technical Evangelist

APIs are the glue that connects all of our software systems. But our knowledge and ability to track and secure APIs has not kept up with our rapid adoption of them. This API sprawl introduces significant operational and security risks, yet securing your APIs is different than everything we've been doing to secure our applications to date. WAFs don't help. API gateways aren't enough. DAST testing isn't enough. So what do we need to do differently?

In this session we will discuss why and how the approach to securing APIs needs to be different. We'll look at what you should consider through the software development lifecycle. And we'll share some real-world examples of organizations that have built and maintained robust API security strategies, with impressive outcomes related to reduced risk, lowered costs, and more secure API development practices.

- PDT
[#VIRTUAL] PRO TALK (API): Securing Large API Ecosystems
Jonas Iggbom
Curity, Director of Sales Engineering

Security is never a simple task, and the same applies to APIs. Properly securing APIs gets even more challenging when the API ecosystem grows substantially. It's naturally easier for a company to protect a few endpoints than hundreds. As the API ecosystem grows, merely starting to use OAuth may not be enough. Proper handling of OAuth tokens and use of the different features that OAuth offers is required. 

- PDT
[#VIRTUAL] OPEN TALK (API): Increase Developer Happiness with OpenAPI-driven Quality Engineering
Tom Peelen
Sauce Labs, Senior Solution Engineer

Most developers did not grow up dreaming of becoming professional debuggers. Nor did they dream of becoming professional gamblers who sometimes bet the house on when to mark an application ready for production. At the end of the day, most developers really want one big thing: digital confidence.

OpenAPI-driven development has emerged as the most popular way to help boost developer confidence. Instead of distributed teams trying to inefficiently collaborate on distributed systems using API documentation that may have to change often, teams can work with confidence on a single version of API truth by turning all documentation into standardized OpenAPI (OAS) specification files. Engineers can then use the OAS files to write API contract, functional, integration and load/performance tests.

But what happens to digital confidence when engineers are asked to add tens or hundreds of microservices? The OpenAPI-driven approach can still work–but it needs to scale at unprecedented levels.

New solutions such as Python micro-frameworks, Flask and FastAPI, have quickly emerged to give developers an easy and highly scalable way to auto-generate OpenAPI spec files from countless API documentation. But these new solutions tell only half the story of scaling digital confidence for microservices, CI/CD pipelines, TDD/BDD and other use cases.

Tom Peelen, Senior Solution Engineer at Sauce Labs, discusses how developers at gaming companies, large banks and financial services companies, retailers, healthcare, telecom and other organizations are handling being held accountable for releases in production. Tom shows how developers using frameworks like FastAPI to auto-generate OAS spec files are also able to almost simultaneously auto-generate API contract tests of both the consumer and provider (via mock servers) during API development. Attendees will also hear Tom describe how Performance, Reliability and API Monitoring teams are leveraging insights from OpenAPI-driven API tests (contract, functional, integration and load/performance) to optimize digital confidence in production environments. 
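The contract check described above, as an added example that is not code from the talk or from Sauce Labs: a response body is validated against the response schema of an OpenAPI document. The spec fragment (`/users/{user_id}`, a `User` schema) and both response bodies are constructed here so the check runs offline; a FastAPI-generated spec has the same shape but is read from the app's `/openapi.json`. The `additionalProperties: false` check is the security-relevant one, since it flags fields the provider leaks that the contract never promised.

```python
"""Validate an API response against the response schema in an OpenAPI 3 document.

Added example; the spec and the sample responses are constructed for the demo."""

# Constructed OpenAPI 3 fragment, shaped like a FastAPI-generated document.
OPENAPI_DOC = {
    "openapi": "3.0.2",
    "paths": {
        "/users/{user_id}": {
            "get": {
                "responses": {
                    "200": {
                        "content": {
                            "application/json": {
                                "schema": {"$ref": "#/components/schemas/User"}
                            }
                        }
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "User": {
                "type": "object",
                "required": ["id", "email"],
                "additionalProperties": False,   # contract promises nothing else
                "properties": {
                    "id": {"type": "integer"},
                    "email": {"type": "string"},
                    "roles": {"type": "array", "items": {"type": "string"}},
                },
            }
        }
    },
}

# JSON Schema type name -> Python type(s) accepted for it.
JSON_TYPES = {
    "object": dict, "array": list, "string": str,
    "integer": int, "number": (int, float), "boolean": bool,
}


def resolve(doc, schema):
    """Follow local references such as '#/components/schemas/User'."""
    while "$ref" in schema:
        node = doc
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema = node
    return schema


def validate(doc, schema, value, path="$"):
    """Return a list of contract violations; an empty list means the value conforms."""
    schema = resolve(doc, schema)
    errors = []
    expected = schema.get("type")
    if expected:
        # bool is a subclass of int in Python; JSON does not treat it that way.
        if isinstance(value, bool) and expected in ("integer", "number"):
            errors.append(f"{path}: expected {expected}, got boolean")
            return errors
        if not isinstance(value, JSON_TYPES[expected]):
            errors.append(f"{path}: expected {expected}, got {type(value).__name__}")
            return errors
    if expected == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        for name, item in value.items():
            if name in props:
                errors.extend(validate(doc, props[name], item, f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                # A field the contract never declared: undocumented data exposure.
                errors.append(f"{path}.{name}: property not in contract")
    elif expected == "array":
        item_schema = schema.get("items", {})
        for i, item in enumerate(value):
            errors.extend(validate(doc, item_schema, item, f"{path}[{i}]"))
    return errors


def check_response(doc, path, method, status, body):
    """Look up the declared schema for (path, method, status) and validate body."""
    operation = doc["paths"][path][method]
    schema = operation["responses"][str(status)]["content"]["application/json"]["schema"]
    return validate(doc, schema, body)


if __name__ == "__main__":
    # Constructed responses: one conforming, one that drifted from the contract.
    good = {"id": 7, "email": "a@example.com", "roles": ["admin"]}
    bad = {"id": "7", "roles": [1], "ssn": "123-45-6789"}
    print("good:", check_response(OPENAPI_DOC, "/users/{user_id}", "get", 200, good))
    for err in check_response(OPENAPI_DOC, "/users/{user_id}", "get", 200, bad):
        print("violation:", err)
```

Run the same check in the provider's test suite against real handler output and in the consumer's suite against the mock server's responses; a failure on either side means the two have drifted apart from the single OAS source of truth.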

- PDT
[#VIRTUAL] PRO TALK (API): API Monitoring For better Management
Aravind Babu Ramadugu
Accenture, Mulesoft Mentor and Architect

API monitoring is a very critical part of the entire API ecosystem.
In this session, I will cover how APIs can be monitored, how we can plan for predicting issues through monitoring, and how to heal APIs automatically. 

- PDT
[#VIRTUAL] OPEN TALK (API): API Security 101: Top API Vulnerabilities and How to Address Them
Isabelle Mauny
42Crunch, CTO

Recently, APIs have become the main attack vector for applications. APIs are so interesting to attackers because they expose valuable data and business logic to clients. Traditional security approaches fail to address these issues. In this workshop, we reveal the most common vulnerabilities found in APIs, talk about recent API breaches, uncover how to detect and subsequently remediate them, and show how to put in place secure foundations that start at the design phase. By participating in this workshop, participants will:

  • Know all about the OWASP API Top10 classification and the unique nature of API vulnerabilities
  • Understand the coding or design mistakes which lead to those vulnerabilities
  • Appreciate the value of automating API Testing and "thinking like a hacker”
  • Learn practical approaches for API vulnerability remediation

- PDT
[#VIRTUAL] PRO TALK (API): The Evolving Developer Lifecycle: Best practices for API Builders and Consumers
Iddo Gino
RapidAPI, Founder and CEO

The API industry is undergoing tremendous changes - driven by a generational shift in the technologies powering APIs and a transformation in enterprise buying patterns. While APIs have been around for a while, the way they look, work, operate and are consumed is changing rapidly. This change challenges current design patterns and developer tools and necessitates creating a more contextual approach to API development.

In his talk, Iddo examines the evolution of the API development lifecycle and the current best practices engineered to support API builders and consumers. The speaker will examine the key technologies required to build, consume, and collaborate on APIs across the entire software development lifecycle. 

- PDT
[#VIRTUAL] PRO TALK (API): The Different Approaches for API Security Scanning: SAST vs DAST
Ravid Mazon
Checkmarx, Security Researcher

APIs are a critical part of modern mobile, SaaS and web applications and can be found in customer-facing, partner-facing and internal applications.
By nature, APIs expose application logic and sensitive data, potentially leading to data breaches, account takeovers, and much more.
Because of this, APIs have increasingly become a target for attackers.
Without secure APIs, organizations would face many security risks and rapid innovation would be impossible.

In this talk, I will talk about the different approaches for API security scanning.
I will explain why it is essential to scan your API, the challenges, and how we can tackle them.
We will also talk about API static analysis vs. dynamic analysis: the pros and cons, and how to combine these scans with a "swagger" file to generate alerts for API misconfigurations and invalid API documentation, and to test your API. 

- PDT
[#VIRTUAL] OPEN TALK (API): How Businesses are Navigating the Perilous API Waters to Maximize Profit
Ann Marie Bond
Software AG, Director, Product Marketing

APIs occupy a unique spot in the technology world. They're a primary method for delivering on business initiatives – from modernization to customer experience.

However, challenges such as cloud security, API proliferation and lack of community engagement can slow progress and reduce the value of your APIs.

This interactive session will showcase real-world examples from your peers at companies building out unique and targeted solutions using APIs and microservices architectures. You’ll also discover the challenges and best practices they’ve encountered designing and building APIs, adopting cloud-native architectures and ensuring the proper level of security and governance.

**One lucky audience member will WIN A YETI COOLER ($350 value) at the end of this presentation! (To be shipped to them after API World.)

- PDT
[#VIRTUAL] PRO TALK (API): API Security in the Age of Continuous Attacks
Rob Dickinson
Resurface, Co-founder, CTO

There are lots of API security myths that keep teams in stasis, using traditional tools to combat new problems, specifically assumptions about attackers and attack traffic. After standing up a public-facing honeypot to gather test data, we learned a few things, and what to do about the new API reality.

- PDT
[#VIRTUAL] OPEN TALK (API): Identity Is Key to Secure APIs and Microservices
Jonas Iggbom
Curity, Director of Sales Engineering

“Never Trust, Always Verify” is the short phrase minted by NIST in defining Zero Trust. With that in mind, understanding the user identity is an absolute requirement and should be applied when securing all APIs, for internal use cases in the same way as external ones. Leveraging OAuth and OpenID Connect (OIDC) in a token-based architecture aligns perfectly with achieving Zero Trust, regardless of the level of security needed.

In this talk participants will learn:
- How to leverage mTLS and certificate-bound tokens to level up API security
- Architectural patterns that prevent Personal Identifiable Information (PII) in public applications
- How Scopes and Claims are used to authorize API access 
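The three bullet points above, as an added example that is not Curity's code: the checks an API makes before honouring a request carrying a certificate-bound access token. The binding follows RFC 8705 (the token's `cnf` claim carries `x5t#S256`, the base64url SHA-256 thumbprint of the client certificate presented over mTLS). The token claims are a constructed dict standing in for a JWT payload whose signature has already been verified by a JWT library, the audience string and the certificate byte strings are constructed, and the scope and `sub` checks illustrate the scope-versus-claims split the talk describes.

```python
"""Authorize an API request using a certificate-bound (mTLS) access token.

Added example. Signature verification of the JWT is assumed to have happened
already; this code covers what the API checks after that."""
import base64
import hashlib
import hmac
import time

AUDIENCE = "api://orders"   # assumption: this API's registered audience value


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 as defined in RFC 8705: base64url(SHA-256(DER)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AccessDenied(Exception):
    """Raised with the reason the request was refused."""


def authorize(claims: dict, presented_cert_der: bytes, required_scope: str,
              owner_of_resource: str, now=None) -> dict:
    """Return the identity context the handler may rely on, or raise AccessDenied.

    Cheap checks on attacker-influenced fields (audience, expiry) come first,
    then proof of possession, then the authorization decision itself."""
    now = time.time() if now is None else now

    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in aud:
        raise AccessDenied("token not issued for this API")
    if claims.get("exp", 0) <= now:
        raise AccessDenied("token expired")

    # Proof of possession: the caller must present the certificate the token was
    # bound to. A bearer token copied out of a log or a proxy fails here.
    bound = claims.get("cnf", {}).get("x5t#S256")
    if not bound:
        raise AccessDenied("token is not certificate-bound")
    if not hmac.compare_digest(bound, cert_thumbprint(presented_cert_der)):
        raise AccessDenied("client certificate does not match token binding")

    # Scope: what the client application was granted (space-delimited per RFC 6749).
    if required_scope not in claims.get("scope", "").split():
        raise AccessDenied(f"missing scope {required_scope}")

    # Claims: who the user is. Scope alone says nothing about which order the
    # caller may read, so the object-level check uses the subject claim.
    if claims.get("sub") != owner_of_resource:
        raise AccessDenied("subject does not own this resource")

    return {"sub": claims["sub"], "scope": required_scope}


# Constructed stand-ins for DER-encoded client certificates.
CLIENT_CERT_DER = b"constructed-der-bytes-for-client-A"
OTHER_CERT_DER = b"constructed-der-bytes-for-client-B"


def sample_claims(now: float) -> dict:
    """Constructed claims as an OAuth server would issue them for client A."""
    return {
        "iss": "https://idp.example.com",
        "aud": AUDIENCE,
        "sub": "user-42",
        "exp": now + 300,
        "scope": "orders:read orders:write",
        "cnf": {"x5t#S256": cert_thumbprint(CLIENT_CERT_DER)},
    }


if __name__ == "__main__":
    t = 1_700_000_000.0
    print(authorize(sample_claims(t), CLIENT_CERT_DER, "orders:read", "user-42", now=t))
    try:
        # Same valid token, replayed by a client holding a different certificate.
        authorize(sample_claims(t), OTHER_CERT_DER, "orders:read", "user-42", now=t)
    except AccessDenied as err:
        print("denied:", err)
```

The `cnf` comparison is what makes the token useless outside the TLS session of the client it was issued to; the scope check and the `sub` check are separate decisions on purpose, since a client with `orders:read` still must not read another user's order.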

- PDT
[#VIRTUAL] PRO TALK (API): Divide and Conquer Massive Enterprise Applications with Microservices and API Management
Meric Aydonat
Software AG, Sr. Product Manager, API Management

Does your organization have at least one massive application that no one person understands? Are multiple teams with different skills and timelines trying to release code on this application? Do you waste time and resources recreating similar services on this application?

Large enterprises often see once small and manageable applications grow in size and complexity beyond control. This lack of control creates duplication of effort and frustration for both the R&D teams working on the application and the functional teams using its data. Breaking it into microservices is one approach to become more efficient and flexible, but it’s only the beginning. To unlock their full potential for agility, you need to have an application context for your microservices, and you need to be able to treat them as APIs. Join this talk to learn how Software AG’s AppMesh can help your organization take control of massive applications with an advanced architecture for managing APIs and microservices. 

- PDT
[#VIRTUAL] PRO TALK (API): Solving the Never Ending Requirements of Authorization
Alex Olivier
Cerbos, Product Lead

Implementing access controls in your application can be a never ending task as business requirements change. What begins as a simple check to see if the user’s email is from your own domain name turns into a complex web of if/else statements to determine who can do what. Coming up with a scalable, manageable and maintainable authorization process is key to meet evolving requirements as your business scales.

This talk will cover the different areas of consideration when implementing permissions, common stages in the evolution of a company where authorization needs to fundamentally change and an example of how to take a gitops based approach to scaling policy. 
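The shift the abstract describes, from a growing if/else chain to a maintainable authorization process, as an added example that is not Cerbos's engine or policy format: the rules live in a data structure that can be committed, reviewed and diffed like code, the evaluator is default-deny, and the only conditions available are a closed set of named predicates. The policy, roles, resource attributes and condition names are all constructed for the demo.

```python
"""Default-deny authorization driven by a versionable policy document.

Added example; the policy and the sample principals/resources are constructed."""

# Constructed policy, the artefact you would keep in git. Each rule grants the
# listed actions on a resource kind to the listed roles, optionally only when a
# named condition over (principal, resource) holds. "*" means any principal.
POLICY = {
    "document": {
        "rules": [
            {"actions": ["view", "edit", "delete"], "roles": ["admin"]},
            {"actions": ["view", "edit"], "roles": ["editor"], "condition": "owner"},
            {"actions": ["view"], "roles": ["viewer", "editor"], "condition": "same_department"},
            {"actions": ["view"], "roles": ["*"], "condition": "public"},
        ]
    }
}

# The closed set of predicates a policy may reference. Adding a business rule
# means adding a named predicate here and a rule above, not a new if/else branch.
CONDITIONS = {
    "owner": lambda p, r: r.get("owner_id") == p["id"],
    "same_department": lambda p, r: r.get("department") is not None
                                    and r.get("department") == p.get("department"),
    "public": lambda p, r: r.get("visibility") == "public",
}


def decide(principal: dict, action: str, resource: dict) -> dict:
    """Evaluate the policy for resource['kind'] and report the decision.

    Returns {"allowed": bool, "rule": index of the granting rule or None} so that
    audit logs can say *why* a request was allowed, not just that it was."""
    rules = POLICY.get(resource["kind"], {}).get("rules", [])
    principal_roles = set(principal.get("roles", []))
    for index, rule in enumerate(rules):
        if action not in rule["actions"]:
            continue
        if "*" not in rule["roles"] and not principal_roles & set(rule["roles"]):
            continue
        condition = rule.get("condition")
        if condition is None or CONDITIONS[condition](principal, resource):
            return {"allowed": True, "rule": index}
    return {"allowed": False, "rule": None}   # no rule matched: deny


def is_allowed(principal: dict, action: str, resource: dict) -> bool:
    return decide(principal, action, resource)["allowed"]


# Constructed principals and resources for the demo.
ALICE = {"id": "u1", "roles": ["editor"], "department": "eng"}
ADMIN = {"id": "u9", "roles": ["admin"]}
GUEST = {"id": "g1", "roles": []}
ALICES_DOC = {"kind": "document", "owner_id": "u1", "department": "eng", "visibility": "private"}
BOBS_DOC = {"kind": "document", "owner_id": "u2", "department": "eng", "visibility": "private"}
PUBLIC_DOC = {"kind": "document", "owner_id": "u3", "department": "sales", "visibility": "public"}

if __name__ == "__main__":
    for who, action, doc in [(ALICE, "edit", ALICES_DOC), (ALICE, "edit", BOBS_DOC),
                             (ALICE, "view", BOBS_DOC), (GUEST, "view", PUBLIC_DOC),
                             (GUEST, "view", ALICES_DOC), (ADMIN, "delete", BOBS_DOC)]:
        print(who["id"], action, doc["owner_id"], decide(who, action, doc))
```

Because the evaluator returns the index of the rule that granted access, a policy change in a pull request can be tested by asserting on decisions for a fixed set of principals and resources, which is the gitops loop the abstract refers to.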

- PDT
[#VIRTUAL] OPEN TALK (API): The Right Data at the Right Time: Hyper-Personalized Real-Time Data at Internet Scale
Peter Hughes
Push Technology, Head of Cloud

As companies everywhere move to and create new applications in the cloud, the ability to deliver personalized real-time experiences is no longer a “nice-to-have” – it’s a competitive necessity for every digital service. However, with new experiences come new challenges, especially when handling high volume data for real-time delivery.

This talk will cover the ways in which traditional methods of data distribution must transition to innovative event-driven architectures, and we will walk through examples of how data wrangling-at-the-edge augments traditional stream processing to assure efficient delivery of hyper-personalized data at Internet scale. 

- PDT
[#VIRTUAL] PRO TALK (API): API Experience – Good Design for Better and Successful APIs That Engage with Your Customers
Daniel Kocot
codecentric, API Expert / Senior Solutions Architect

Everyone is talking about APIs. They are seen as a panacea in the age of digitization. But very few of them are really directly understandable, because APIs are usually created on the basis of a data model or the CRUD paradigm. To provide a successful API, much more is needed. And it is exactly this "more" that I would like to address in my presentation. To this end, we need to find answers to various questions. 

- PDT
[#VIRTUAL] PRO TALK (API): APIs with Bounded Contexts: Modelling APIs with Domain-Driven Design
Jose Haro Peralta
microapis.io, Co-founder

APIs have become one of the cornerstones of digital transformations. As more and more businesses open up their APIs for public consumption, the concept of developer experience becomes crucial for the successful rollout of the APIs. Good developer experience with APIs depends on good principles of API governance, API management, and API design.
In this presentation, we explain how the principles of domain-driven design help us design APIs that are easier to understand and to consume. APIs are not just an HTTP interface to a database, and we’ll see how to use DDD to define the domain of an API and to model its resources. We’ll use strategic design to narrow down the scope of an API, and to avoid mixing properties from different domains. We’ll also discuss various heuristics that we can use to translate domain models and actions into the more restricted representational capabilities of REST APIs and CRUD operations.
The result of this exercise will be a well-structured API with consistent paths and resources that developers will love to use and to build integrations with. 

- PDT
[#VIRTUAL] PRO TALK (API): Anomaly Detection Is No Longer a Security Strategy
Matt Anderson
Resurface Labs, Chief Revenue Officer

Much of security is focused on finding the outliers, the anomalies, to provide a reliable signal for security teams. Once identified, these anomalies are considered instructive and actionable. But, with the proliferation of APIs and the volume of attack traffic every second, relying on outliers leads to exceptionally noisy and unproductive searches. Your anomalies are actually the valid traffic versus the majority of attacker traffic. We'll cover how to identify API risk and threats where threat traffic outweighs valid user traffic. 

- PDT
[#VIRTUAL] OPEN TALK (API): Bring your .NET APIs to AWS
Isaac Levin
Amazon Web Services, .NET Developer Advocate

APIs are the backbone of many services we all know and love, and when it comes to hosting those APIs, AWS is a great option. When building APIs with .NET on AWS, there are plenty of options, ranging from the tried-and-true Web API running on Elastic Beanstalk to running highly scalable event-driven functions with AWS Lambda. Let us spend some time during this session talking about building APIs on .NET and running them in AWS.

- PDT
[#VIRTUAL] WORKSHOP (API): Designing secure API and microservices-based applications
Farshad Abasi
Forward Security, Founder and CEO

Many applications are being modernized by leveraging APIs and being decomposed into smaller units typically living in containers. These involve many new tools and technologies that are not always well understood, leading to a poor application security posture. Many application architects and developers who take advantage of these architectures lack the knowledge to apply the required security controls. The ideas, principles and concepts such as API gateways, end-to-end trust, authentication and authorization discussed in this presentation have existed for some time. But this presentation brings it all together to provide a blueprint for modern API and microservices-based application security. 

- PDT
[#VIRTUAL] Empowering API Growth with Open API Specifications
Matthew Miller
Bloomberg, Web API Gateway Team

An API gateway is the storefront and doorway into your organization’s API offerings. In that sense, it needs to provide an effective way to showcase new APIs and help speed up time to market. But how do you ensure your API providers can continue to grow, while enabling clients to seamlessly adapt to your APIs?

Our talk focuses on Bloomberg’s journey of growing our API gateway to house hundreds of API projects that unlock financial data for clients across the global capital markets — both from an infrastructure and product perspective. OpenAPI specifications are at the heart of our strategies for onboarding teams with self-service tooling, our review process that ensures quality and consistency across all of our API products, and the interactive documentation we’ve built to increase client engagement.

- PDT
[#VIRTUAL] OPEN TALK (API): Using Inspiration to Drive a Great API Experience in AI/ML Products
Steven Baxter
Symbl.ai, Sr. Product Manager

What separates a good API experience from a great one? Providing simplified, quick, secure and reliable access to data and functionality is, at best, the minimum expectation for a modern API product. The key moment that defines when a good API experience transcends into a great experience is that sudden moment of clarity and inspiration when a developer doesn't just see how an API solves the problem in front of them, but instead sees how that API connects them to the realm of what's possible. These irreplicable values enable them to easily build apps and experiences they could not otherwise build. With advances in the areas of artificial intelligence and machine learning, developers now have the ability to use AI products to explore further into the areas of what's possible than ever before, and APIs are the gateway to take them there.
So how does the API experience inspire users, and why is this so important for AI Products? Join me in my session to take a deeper look into the various critical aspects of designing and building an API-first conversation AI platform that processes and comprehends unstructured natural human conversation data, and why accounting for inspiration across the API lifecycle is essential for enabling developers to unlock the true potential of these systems. 

- PDT
[#VIRTUAL] PRO TALK (API): Navigating the Murky Waters of API-First
Joyce Lin
Postman, Head of developer relations

Everyone is jumping on the API-first bandwagon. For most organizations, an API-first approach is the key to scaling software development. But the journey to API-first is not always smooth sailing.

In 2022, I interviewed five well-known organizations for a sneak peek at how they implemented an API-first workflow among their teams. We’ll uncover why they began their transition, their biggest hurdles, and what is next on their roadmap. Learn from these shared experiences and recommendations to pave the way in your own API-first journeys. This is a session about managing organizational change. 

- PDT
[#VIRTUAL] PRO TALK (API): Zero Trust Strategies to Protect the APIs That Drive Your CI/CD Pipelines
Andrew Jones
Corsha, Director of Solutions Engineering

Many organizations are jumping to DevSecOps from DevOps by adding security scanning and validation in their CI/CD pipelines. This shift-left approach is fantastic because it builds security into applications early on. Now the question is: how do we protect API-driven communication in our CI/CD pipelines themselves? These automated pipelines are a rich treasure trove for hackers: proprietary code and configuration, release artifacts, deployment environments, and of course the critical keys and secrets to control it all. And all of the automation driving these pipelines is via APIs and communication between different chained third-party services. In this talk, we’ll go over strategies and best practices for CI/CD security and show you how to pin access and control to only trusted stages of your pipeline. 

- PDT
[#VIRTUAL] OPEN TALK (API): Proxies, Gateways, and Meshes: Cloud Connectivity Pattern for the Curious
Viktor Gamov
Kong, Developer Advocate

API gateway technology has evolved a lot in the past decade, capturing more prominent and comprehensive use cases in what the industry calls “full lifecycle API management.”
API gateways began as a management layer over the network runtime that allows us to expose and consume APIs, secure them, and govern our API traffic. They provide a series of functionalities to support the development cycle, including creating, testing, documentation, monitoring, and overall exposure of our APIs.
Then around 2017, another pattern emerged from the industry: service mesh! Service mesh is an infrastructure layer for microservices communication. It abstracts the underlying network details and provides discovery, routing, and a variety of other functionality.
In this talk, Viktor Gamov will illustrate the differences between API gateways and service mesh — and when to use one or the other pragmatically.
This talk will also discuss the similarities and differences between the communication layer provided by gateways and service mesh. 

- PDT
[#VIRTUAL] OPEN TALK (API): Getting to Cloud-Native
Timo Stark
NGINX, Developer Advocate

With surprisingly few exceptions, cloud-native apps are not created, but migrated.
Taking our existing apps from monolith goes through stages including refactoring and re-architecting.
But how do you get there without total disruption?
Nginx Unit, an open source universal web app server, makes it approachable to move as needed.
By hosting the “old” API stack during lift and shift operations, Unit keeps the production apps running.
And since Unit supports broader needs of languages and control (even security), it provides an easier and controlled method of moving to a “new” API stack in our cloud-native adaptive applications.
Find out more about how Unit provides the universal web app server we need on our journey. 

- PDT
[#VIRTUAL] PRO TALK (API): API Security Doesn’t Stop at Inventory
Steve Wilson
Contrast Security, Chief Product Officer

The modern web “application” is really a conglomeration of interconnected APIs, microservices, web apps, frameworks, libraries, and serverless functions spread across multiple cloud and on-premise environments. Simply inventorying your APIs is not nearly enough to make them secure. In this talk, I'll review the five major components of an API security program. We’ll talk about detection, security testing, securing libraries, runtime protection, and access management. We will focus on automation and review the pros and cons of traditional scanning and perimeter tools as well as modern instrumentation-based security tools. You’ll leave with practical guidance on next steps for your API security program. 

- PDT
[#VIRTUAL] PRO TALK (API): API as Products: Best Practices for Using APIs to Achieve your Digital Business Goals
Alex Walling
RapidAPI, Field CTO

If your organization wants to create internal momentum and adoption around its APIs, offer APIs externally to third parties, or create new revenue streams through monetization, you need to think about your APIs as products. This talk examines the key guidelines needed to define your APIs as products, build the framework to operationalize your API program, and design and execute an implementation plan. Specifically, the presenters will cover:

- Best practices for assessing and resourcing the people and tooling to support API products.
- Strategies for establishing objectives for your internal and external API programs and the metrics to evaluate them.
- Guidance on building and implementing internal rollout and external GTM plans. 

- PDT
[#VIRTUAL] WORKSHOP (API): Protecting GraphQL with Effective Governance & Security
Shiu-Fun Poon
IBM, Principal Architect, API Security
Morris Matsa
IBM, Principal Architect, API Connect & Gateways

GraphQL is a new approach to exposing your services to application developers. It brings many advantages, which come with new challenges for security and governance. In this session you can learn how to protect your GraphQL server endpoints from these unique GraphQL threats and enforce governance with a low-code approach. You'll see demos of numerous approaches such as cost analysis, graph filtering, and much more. 

- PDT
[#VIRTUAL] PRO TALK (API): API Protection Best Practices
Varun Kohli
Cequence Security, Chief Marketing Officer (CMO)

It’s no secret that APIs are the developer's tool of choice and an attacker's #1 target. The question on every CISO's mind is this: if APIs are the number one target for attackers, and everyone claims to secure APIs, how do we choose the solution that best fits our API protection needs for an entire API lifecycle? To address that question, do you start with a focus on secure API development? Do you try to stay on top of constantly discovering unknown or shadow APIs? Or do you merely bolster existing defenses in an effort to stop future attacks? Using customer examples as the backdrop, this session will walk attendees through best practices for protecting your APIs regardless of where you are in your API protection lifecycle. 

- PDT
[#VIRTUAL] OPEN TALK (API): Creating Profitable Revenue Streams with API Monetization and Analytics
Ram Kanumuri
Kellton, Vice President - Digital Technology Practice

In this talk, we’ll break down two areas of API strategy: API analytics and API monetization.

API analytics are valuable for multiple stakeholders, including product owners, customer success, marketing, and sales. We’ll examine how to get the right data to make informed decisions, outgrow competitors and scale your product.

We’ll also show how teams can use API insights to manage service levels, establish controls, set up security policies, and analyze trends. These analytics not only solve real-world business problems that have a significant impact on organizations, but also help establish a profitable monetization strategy.

A successful API monetization strategy centers around providing true value to paying consumers. API monetization models vary — from pay-as-you-go to monthly/annual billing to “bucket” purchases of API transactions to be consumed over time. We’ll discuss how to create monetizations to deliver high-quality, consistent value to your API users.

**TWO lucky audience members will WIN a PATAGONIA Refugio Daypack ($100 value each) at the end of this presentation! (will be shipped to them after the event) 

- PDT
[#VIRTUAL] PRO TALK (API): From Reactive to Proactive, Changing the Culture on API Security
Bryant Schuck
Checkmarx, Senior Product Manager

If software is eating the world then APIs are the teeth. Good application security approaches and best practices start at the API code level. But the bigger question is, “do you know what those practices are?” Security and threat intelligence must play a role within each part of the API lifecycle to stay ahead of the curve.

In this talk, you’ll hear from Bryant Schuck, Senior Product Manager at Checkmarx, where he will dive deep into the following topics:

· How to shift API security as far left as possible to create secure APIs on every pull request
· How to focus your efforts and attention on where the vulnerable API lives
· New ways to prioritize vulnerability remediation based on an API's handling of sensitive data
· Live demo of an API Attack 

- PDT
[#VIRTUAL] PRO TALK (API): It’s High Time We Address the [API] Elephant in the Room
Bret Settle
ThreatX, Co-Founder and Chief Strategy Officer

APIs are ubiquitous. Every modern software application uses – or is – an API. They connect consumers to businesses and businesses to one another while also acting as an enabler that allows brands to deploy cross-service capabilities. APIs also enable development teams to integrate data from external sources and deliver new services and capabilities rapidly, requiring little to no downtime for consumers.

As API use increases, so do security risks. APIs are easy to deploy, but hard to control and despite their prominence, APIs are consistently overlooked in web application security programs. Application developers may—with best intentions—stand up new APIs without going through the expected security review. The rapid proliferation of APIs has far surpassed security’s ability to protect these assets and they have quickly become the attack vector of choice for threat actors who exploit insecure APIs for malicious purposes.

During this session, attendees will hear from ThreatX co-founder, and Chief Strategy Officer, Bret Settle. He will examine the varied types of attack methods used against APIs and outline how organizations can leverage an attacker-centric approach to gain full visibility into their API and web application traffic to identify and protect their vulnerabilities before damage can be done.

Attendees can expect to walk away with the knowledge needed to:
• Identify and correlate activity to block tangible threats
• Respond to attack patterns over time and adjust to adversary motions
• Understand behaviors that, when viewed together, might indicate suspicious activity, for example dashes or special characters used in form fills
• Maintain uptime on applications without impacting user experience 

- PDT
[#VIRTUAL] PRO TALK (API): Modern API Design
Rupal Haribhakti
Atlassian, Engineering Leader

Design principles for modeling an API contract. Best practices for API security. How to address scaling challenges like latency, fault tolerance and throughput. When to use REST, gRPC or GraphQL. 

Thursday, November 3, 2022

- PDT
[#VIRTUAL] OPEN TALK (API): Monitor Health of API
Wayne Zhao
Chime Bank, Lead Engineer

Chime is the leading fintech unicorn in the United States. We handle billions of transactions each day. Making sure our API is up and running is very critical to our customers. As a mobile-only bank, our customers expect to be able to access and spend their money at any time. In this session, we will talk about how Chime uses synthetic tests to monitor the health of our APIs. Chime has REST APIs, GraphQL APIs and a real-time communication API (based on WebSocket). We use synthetic tests to simulate many critical user workflows and run the tests periodically. Synthetic tests can monitor REST and GraphQL APIs out of the box. For the real-time API, we used AWS Lambda to monitor its health and exposed a REST endpoint using AWS API Gateway; we then use synthetic tests to monitor that REST endpoint. The synthetic monitor has proved very effective at detecting problems, and has turned out to be the first to detect many of our system outages.

- PDT
[#VIRTUAL] OPEN TALK (API): APIs: The Target of Multi-Mode Attacks
Bret Settle
ThreatX, Co-Founder and Chief Strategy Officer

APIs are a two-edged sword: They expose business functionality and allow easy and powerful integration between back-end systems, but they also provide attackers with more attack surface, and through that, grant visibility into the back-end functions of an application.

As API use increases, so do security risks. Securing APIs against sophisticated, multi-mode attacks requires organizations to detect attacker behavior automatically and block it in real time. During this session, ThreatX co-founder and Chief Strategy Officer Bret Settle will walk step by step through the attack behavior being seen in multi-mode attacks and how those strategies are targeting APIs more than ever.

- PDT
[#VIRTUAL] OPEN TALK (API): PDF Signatures vs Web-Based Signatures: Building Workflows to Enhance your Security and Efficiency
Mahender Bist
Foxit, SVP of Foxit eSign

The focus of this talk will be PDF document signatures and how they differ from web-based signatures. This talk will cover:
• What are the different types of eSignatures?
• Advantages of document-based vs. web-based eSignatures.
• Digital signature security.
• Validations including LTV.
• Building workflows with document-based signatures.
• Using a PDF SDK to enhance the eSignature process. 

- PDT
[#VIRTUAL] PRO TALK (API): Build Resilient Applications Using Orchestration
Cherish Santoshi
Orkes, Developer Relations Engineer

As we move towards an exciting future of more distributed systems, we are bound to encounter microservices written in different languages and running on different infrastructure.
The resiliency of different applications only makes sense if they come together beautifully to create one invincible application.

In this session, we will talk about how companies like Netflix, Tesla, etc. used orchestration to build robust and scalable applications that inspire innovation. 

- PDT
[#VIRTUAL] PRO TALK (API): Realizing Blockchain Scalability with an Open API Standard
E.G. Galano
Infura, Co-Founder

For developers interested in the decentralized Web, or Web3, infrastructure-as-a-service (IaaS) platforms can pave the way to a frictionless and scalable developer experience. Opting for an open API standard encourages integration due to ease of implementation while facilitating interoperability.
In this session, E.G. Galano will discuss best practices for developing the infrastructure behind blockchain APIs, how to battle-test API infrastructure at scale and how to build a reliable API that appeals to both developers and enterprises. This session will explore open API capabilities that will drive adoption. 

- PDT
[#VIRTUAL] OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Delivers End-To-End API Security
Isabelle Mauny
42Crunch, CTO

Development and security teams know securing APIs is a critical task, yet companies are still debating the pros and cons of adopting a developer-first approach to protecting their APIs versus a more traditional shield-right security model. In this presentation, Isabelle examines the pros and cons of each approach, and shows through demonstrations how development and security teams can combine the best of both to achieve continuous API security. Isabelle will show how developers can embed security as code in their APIs, and also how security teams can maintain visibility and control via API micro-firewalls and existing SIEM services. 

- PDT
[#VIRTUAL] OPEN TALK (API): Why Staging Environments Matter
Aditya Bansal
Cortex, Founding Engineer

As software engineering tools and languages continue to evolve, it has become easier than ever to create more software. With the advent of cloud providers like AWS, GCP, Azure and several more, continuous delivery to production is a very reachable milestone for companies of all sizes.

But what about staging environments?

- Should engineers release directly to production hoping that the tests catch their issues?
- Should they wait for the availability of STAGING-1 for 2 weeks to test everything end-to-end?
- Should they have their own “developer-feature-x” environment that is spun up?

The advent of the cloud has made it much easier to deploy services at scale. But the path your code takes to go from your local environment to a production environment is still a mystery.

In this talk, I’d go over lessons that I’ve learned from working on provisioning & maintaining developer environments at 3 different companies now. 

- PDT
[#VIRTUAL] PRO TALK (API): Mindset Change: Internal to External APIs
Thothathri Srinivasan
Pinterest, Tech Lead

We've all built internal APIs, and at some point we decide to expose them externally or build external APIs. This session is designed to talk about the best practices and pitfalls when product managers and engineers design external-facing APIs after having built mainly internal APIs.

What should we be more mindful of, why we need to rethink our data model, and how important is technical documentation for folks trying to integrate with your systems?

The success of a public-facing API isn't just how many QPS you can handle or the security concerns; it's all about the ease of use for developers (like yourself!). I'll talk about my learnings, and what can help you design robust systems that developers will love integrating with. The easier it is for developers to integrate with your external API, the more successful your API automatically becomes.

Most importantly, I'll talk about how I've had to change my mindset after having built (almost exclusively) internal product APIs previously, and how I've managed to move from APIs that handled a few hundred updates to ones that can do billions of updates each day. 

- PDT
[#VIRTUAL] OPEN TALK (API): Building an API Monetization Stack
Matt Tanner
Moesif, Head of Developer Relations

Have APIs that you want to use to build revenue? Currently experiencing headaches from existing monetized APIs? Regardless, chances are that you have API resources that others are willing to pay for. The toughest part? Figuring out how to build the right stack for seamless and easy API monetization. In this talk, we will discuss the components of a technology stack that are required when trying to monetize your APIs.

We will cover how to choose a billing provider, API management's role in monetization, and how to bring it all together in an end-to-end solution. By the end of this talk, listeners will have a better understanding of exactly what it takes to build a robust monetization solution for their APIs. 

- PDT
[#VIRTUAL] OPEN TALK (API): API Tools for the Stages, Not the Ages
Andrew Stiefel
NGINX, Product Marketing Manager

There is no one-size-fits-all approach to building API infrastructure, and what you need will change with the scale of your operations. So instead of buying a tool for the ages, learn how to select technologies based on where you are today in your API journey. Explore the stages of API modernization, implications for your API strategy, and considerations to ensure your technology will scale with you as you grow.

- PDT
[#VIRTUAL] OPEN TALK (API): Cautionary Tales - Real World Case Studies of API Blind Spots and Security Issues, and How to Avoid Them
Chuck Herrin
WIB, CTO

While experience is the best teacher, the tuition is high. In this session Wib's CTO Chuck Herrin builds on our Field Report session to take a deep dive into real-world examples of API security issues in live environments, and how your team can apply the lessons to benefit your organization. 

- PDT
[#VIRTUAL] PRO TALK (API): API Visibility: Securing Your Blind Spot without Losing Speed
Lebin Cheng
Netskope and CloudVector, Cofounder

The growing prevalence of APIs presents security teams with an all-too-familiar problem: deployment can outpace security processes and protections, creating a vulnerability they are left to address. With APIs emerging as the next big attack vector, this has become a critical shift-left priority. Understanding the tradeoffs between securing APIs and the cost of not taking action is the first step in gaining buy-in across the organization. From there, you can build a phased plan to introduce visibility into your APIs, determine which APIs expose sensitive data and, finally, build processes around how APIs are managed. This session will offer tips and tricks for securing APIs without slowing down the speed of development. 

- PDT
[#VIRTUAL] PRO TALK (API): Cloud Databases, ELT, and APIs – A Perfect Storm?
Robert Brauer
Interzoid, CEO & Founder

The data landscape is changing rapidly. The explosion of cloud database platforms onto the scene in the past few years has paved the way for a new class of data innovation. The ease with which data can be collected, stored, shared and manipulated is driving a new breed of analytics, AI/ML, data science and other data-driven applications that will have a major impact on the economy. These trends have enabled the emergence of ELT as an alternative to ETL, which in turn is enabling a whole new way of thinking about warehousing data and how to make use of it, creating new opportunities that will help organizations increase the value of the strategic data assets that drive their business. APIs are the ideal mechanism to accelerate and expand these trends even further, leading to the long-sought-after golden age of APIs. This talk will discuss the future of cloud databases and ELT, and how the combination will drive a substantial wave of API adoption. 

- PDT
[#VIRTUAL] OPEN TALK (API): Applying AI to API Testing across the Lifecycle
Swetha Sridharan
IBM API Connect, Product Manager

Time to market and the ability to change rapidly while retaining high quality are key business drivers today. Come learn how API developers can apply different testing approaches using AI at various points in the API lifecycle. Be more productive and improve quality faster than ever before! 

- PDT
[#VIRTUAL] PRO TALK (API): How Low-Code API Management Is the Cure to API Sprawl
Rakshith Rao
Apiwiz, Co-founder and CEO

Nothing strikes fear into the hearts of developers like the terms no-code and low-code (except maybe AI). DevOps has us wanting to move fast and automate everything, but we don’t want low-code platforms to replace developers' jobs! A survey of 600 engineers had them reflect on what they wish they could spend less time on: 37% spent on manual testing of changes/writing scripts; 35% spent on refactoring old code; and only 33% spent on writing code for new features. In this talk we will discuss how low-code API management can increase developer productivity and raise developer potential by allowing them to focus on creative problem-solving. All through a single, organization-wide view. 

- PDT
[#VIRTUAL] PRO TALK (API): Building Dynamic, Static Sites with Open Feature APIs
Kevin Poorman
Harness.io, Director, Developer Advocacy

Recent trends in web development have enabled us to build websites that are entirely static, where all dynamic interaction is done in the browser. How do you deploy these static sites without hard-coding backend server details? Feature flags to the rescue! Join us in this session as we explore how even static sites can become fully dynamic with the addition of OpenFeature APIs. In this session we'll extend a statically hosted JAMstack application with OpenFeature APIs, solving the crucial question of how we can deploy static sites that aren't hard-coded to a given back end. 

- PDT
[#VIRTUAL] PRO TALK (API): tl;dr: Shifting API Standards Left
Ed Olson-Morgan
Marsh McLennan, Core API & Innovation Lead

When Marsh McLennan established a core APIs team in April of 2021, one of the first priorities was to create a set of API standards for the organization. But after blending together industry exemplars, RFCs, internal best practices and the occasional meme or two, the forty-six page document that resulted didn’t lead to the API revolution we’d expected. Focusing on closely integrating the standards with OpenAPI specification led to increased adoption across the internal developer community. Come and learn how the team used the OpenAPI Specification to drive standards compliance, improve collaboration and allow for easy maintenance and iteration of the standards over time. 

- PDT
[#VIRTUAL] PRO TALK (API): Why Your API Doesn’t Solve My Problem: A Use Case-Driven API Design
Jan Vlnas
Superface, Developer Advocate

You wrote an API specification, documented your endpoints, and published SDKs. Here’s a question, though: Does your API actually solve your users’ problems?

API providers often fail to address the common use cases that would solve users' needs, or their assumptions don't match reality. This can end in frustration and the loss of users.

In this talk, we will take a peek into developers’ mindset. I will show how to better understand the developers’ needs by researching the usage patterns, existing libraries and 3rd party experience layers, provide examples of good and bad practices, and suggest actionable steps to improve developer experience for your API. 

- PDT
[#VIRTUAL] PRO TALK (API): GraphQL - Security Implications and Best Practices
Amir Shaked
PerimeterX, SVP R&D

GraphQL is one of the fastest-growing approaches to API specification. But it comes with security risks that can and should be addressed as you design your AAA: authentication, authorization and auditing. 
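An added example of what "designing your AAA" looks like in front of a GraphQL endpoint; this is illustration code written for this page, not PerimeterX's. It assumes authentication has already happened (the caller's identity and roles come from a verified token), then applies the checks in the cheap-to-expensive order a gateway would: reject over-deep selection sets (the nested-query resource exhaustion GraphQL is known for), refuse introspection, enforce a field-level authorization policy that survives aliasing, and produce an audit record for every decision. The hand-written parser covers a subset of GraphQL (fields, aliases, arguments, directives, nested selections; fragments are rejected rather than mis-read), and the policy table is constructed.

```python
"""GraphQL AAA guard: reject over-deep queries, enforce field-level authorization and
emit an audit record per decision. Added illustration, not PerimeterX's code. The
parser covers a subset of GraphQL (fields, aliases, arguments, directives, nested
selections; fragments are rejected) and the policy table is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[{}():@]|[A-Za-z_][A-Za-z0-9_]*|\S')

# Constructed policy: the role a field requires; fields absent here need only authentication.
FIELD_POLICY = {"ssn": "admin", "auditLog": "admin", "email": "support"}


def parse_selection(query: str) -> Dict[str, dict]:
    """Return the selection tree {field: {subfield: {...}}} of one operation. Aliases are
    resolved to the underlying field so `x: ssn` cannot dodge the policy."""
    tokens = _TOKEN.findall(query)
    pos = 0
    while pos < len(tokens) and tokens[pos] != "{":  # skip the "query Name($v: T)" preamble
        pos += 1
    if pos == len(tokens):
        raise ValueError("no selection set")
    tree, _ = _parse_set(tokens, pos)
    return tree


def _parse_set(tokens: List[str], pos: int):
    pos += 1  # consume "{"
    tree: Dict[str, dict] = {}
    last = None
    while tokens[pos] != "}":
        tok = tokens[pos]
        if tok == "(":  # arguments: skip to the matching ")"
            nesting = 0
            while True:
                nesting += {"(": 1, ")": -1}.get(tokens[pos], 0)
                pos += 1
                if nesting == 0:
                    break
        elif tok == "@":  # directive: skip "@name"; its arguments hit the branch above
            pos += 2
        elif tok == "{":  # nested selection set belongs to the preceding field
            if last is None:
                raise ValueError("selection set without a field")
            tree[last], pos = _parse_set(tokens, pos)
        elif tok == ".":
            raise ValueError("fragments are not supported by this illustration")
        elif re.match(r"[A-Za-z_]", tok):
            if tokens[pos + 1] == ":":  # alias: the real field name follows the colon
                pos += 2
                tok = tokens[pos]
            last = tok
            tree.setdefault(tok, {})
            pos += 1
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return tree, pos + 1


def depth(tree: Dict[str, dict]) -> int:
    return 0 if not tree else 1 + max(depth(sub) for sub in tree.values())


def unauthorized_fields(tree: Dict[str, dict], roles: Set[str], path: str = "") -> List[str]:
    """Authorization at field granularity: the policy applies wherever the field appears."""
    denied = []
    for field, sub in tree.items():
        required = FIELD_POLICY.get(field)
        if required is not None and required not in roles:
            denied.append(path + field)
        denied += unauthorized_fields(sub, roles, path + field + ".")
    return denied


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict  # what an audit log line would carry


def guard(query: str, actor: str, roles: Set[str], max_depth: int = 5) -> Decision:
    """`actor` and `roles` come from an already-verified token (authentication is not
    re-done here). Cheap structural checks run before the policy walk."""
    audit = {"actor": actor, "roles": sorted(roles), "fields": [], "depth": 0}

    def deny(reason: str) -> Decision:
        audit["decision"] = "deny"
        audit["reason"] = reason
        return Decision(False, reason, audit)

    try:
        tree = parse_selection(query)
    except (ValueError, IndexError) as exc:
        return deny(f"parse error: {exc}")
    audit["fields"] = sorted(tree)
    audit["depth"] = depth(tree)
    if audit["depth"] > max_depth:
        return deny(f"depth {audit['depth']} exceeds {max_depth}")
    if "__schema" in tree or "__type" in tree:
        return deny("introspection is disabled for this actor")
    denied = unauthorized_fields(tree, roles)
    if denied:
        return deny("unauthorized fields: " + ", ".join(denied))
    audit["decision"] = "allow"
    return Decision(True, "ok", audit)
```

Two points a practitioner should take from this: authorization has to be evaluated on the resolved field, not on the name the client wrote, because aliases let a query call `ssn` anything it likes; and the audit record should capture the full field list and depth even for allowed requests, since abuse of a GraphQL API usually shows up as a change in query shape rather than as an outright denial.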

- PDT
[#VIRTUAL] PRO TALK (API): The 12 facets of the OpenAPI Specification
Neelesh Pateriya
Cisco Systems, Principal Engineer

We'll introduce how Cisco Engineering leverages OAS to drive API quality and a state-of-the-art developer experience. We'll then describe OpenAPI best practices, tools and processes built internally and open-sourced, as well as the benefits for Cisco partners and customers. Join this session to hear the best practices and lessons learnt when standardizing on OAS for organizations with a massive internal- and external-facing API portfolio. 

- PDT
[#VIRTUAL] PRO TALK (API): Enabling Developers to Get More Done
Brian Childress
Calendly, Application Architect

Are you blocked by manual processes, inefficiencies, and knowledge silos? Are developers happy or frustrated? Join me and we’ll explore some of the ways you can enable developers to do their best work and improve the developer experience through a focus on tools, processes, and collaboration.

With the increased cloud adoption, smaller autonomous development teams, and microservices we need a way to ensure consistency and productivity. In this talk we’ll explore topics like: boilerplate templates, development environments, CI/CD, code reviews, and effective documentation.

If you’re a developer trying to improve your work day-to-day or an engineering leader trying to empower your teams, this talk has something for you. 

- PDT
[#VIRTUAL] OPEN TALK (API): A Journey into Building a Powerful Developer Platform
Tim Slagle
Zoom, Head of Developer Relations

This session will touch on the evolution of Zoom, including how and why Zoom’s founder and CEO, Eric S. Yuan, decided to build Zoom. The session will include insights on how today, Zoom is more than meetings and how what started as a meetings app has quickly evolved into a comprehensive platform, including our Developer Tools. Touching on the Zoom Developer Platform, it will highlight how the platform enables developers, platform integrators, service providers, and customers to easily build apps and integrations that use Zoom’s video communication solutions or integrate Zoom’s core technology into their products and services. Then, we will discuss how Zoom is building flexible developer solutions, such as Zoom’s Meeting SDKs/APIs and Video SDKs/APIs that extend the value Zoom provides across more and more tasks, and in turn, increase the platform’s differentiation as the future of communications. To close the session, we will discuss the Zoom ISV Partner Program and the GTM approach that was launched to promote ISVs and leverage a full partner ecosystem for developers using the Zoom APIs/SDKs. 

- PDT
[#VIRTUAL] PRO TALK (API): Automating API Governance
Muhammad Nauman Ali
Stoplight, API Enthusiast

Style guides are one of the most effective tools to build consistent APIs that follow best practices. Automated style guides increase the effectiveness of style guides by making it easy for developers/designers to do the right thing. In this session, we'll go through best practices for creating API style guides and making them part of the CI/CD process.
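Three of the sessions above (42Crunch on embedding security as code, Marsh McLennan on tying API standards to the OpenAPI Specification, and this one on automated style guides in CI/CD) converge on the same mechanism: rules evaluated against the OpenAPI document at build time, failing the pipeline when they do not hold. The following is an added example of that mechanism written for this page; it is not the tooling of 42Crunch, Marsh McLennan or Stoplight, and the rule set, helper names and both sample documents are constructed. It checks the things a runtime API firewall can only enforce if the contract states them: every operation carries a security requirement, credentials are not passed in query strings, servers are HTTPS, string inputs are bounded, and (as a pure style rule) every operation has an `operationId`. The weak document fires every rule; the hardened copy of the same API passes clean.

```python
"""OpenAPI security lint for CI: an added illustration of "security as code" style
rules. Not the tooling of 42Crunch, Marsh McLennan or Stoplight; the rule set,
the helper names and both sample documents below are constructed."""
import copy
from typing import Iterator, List

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def iter_operations(spec: dict) -> Iterator[tuple]:
    """Yield (path, METHOD, operation, path_item) for every operation in the document."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield path, method.upper(), op, item


def rule_operation_has_security(spec: dict) -> Iterator[str]:
    """Every operation needs a non-empty security requirement; `security: []` or
    `[{}]` on an operation explicitly opts it out of authentication."""
    default = spec.get("security")
    for path, method, op, _ in iter_operations(spec):
        requirements = op.get("security", default)
        if not requirements or any(req == {} for req in requirements):
            yield f"{method} {path}: no security requirement (anonymous access)"


def rule_security_scheme_sane(spec: dict) -> Iterator[str]:
    for name, scheme in spec.get("components", {}).get("securitySchemes", {}).items():
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            yield f"securityScheme {name}: API key in the query string ends up in logs and referrers"
        if scheme.get("type") == "http" and scheme.get("scheme", "").lower() == "basic":
            yield f"securityScheme {name}: HTTP basic auth; prefer bearer tokens or OAuth2"


def rule_servers_https(spec: dict) -> Iterator[str]:
    for server in spec.get("servers", []):
        if server.get("url", "").lower().startswith("http://"):
            yield f"server {server['url']}: plaintext HTTP"


def _bounded(schema: dict) -> bool:
    """A string is bounded when the contract constrains its size or shape."""
    if schema.get("type") != "string":
        return True
    return any(k in schema for k in ("maxLength", "enum", "pattern", "format"))


def rule_strings_bounded(spec: dict) -> Iterator[str]:
    for path, method, op, item in iter_operations(spec):
        for param in list(item.get("parameters", [])) + list(op.get("parameters", [])):
            if not _bounded(param.get("schema", {})):
                yield f"{method} {path}: parameter '{param.get('name')}' is an unbounded string"
        for media in op.get("requestBody", {}).get("content", {}).values():
            for prop, schema in media.get("schema", {}).get("properties", {}).items():
                if not _bounded(schema):
                    yield f"{method} {path}: body property '{prop}' is an unbounded string"


def rule_operation_id(spec: dict) -> Iterator[str]:
    """A style-guide rule rather than a security one: stable operationIds for tooling."""
    for path, method, op, _ in iter_operations(spec):
        if not op.get("operationId"):
            yield f"{method} {path}: missing operationId"


RULES = [rule_operation_has_security, rule_security_scheme_sane, rule_servers_https,
         rule_strings_bounded, rule_operation_id]


def lint(spec: dict) -> List[str]:
    return sorted(finding for rule in RULES for finding in rule(spec))


def ci_exit_code(spec: dict) -> int:
    """Non-zero fails the pipeline stage; that is what turns a style guide into a gate."""
    return 1 if lint(spec) else 0


# Constructed weak document: every rule above fires at least once.
WEAK_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test"}],
    "components": {"securitySchemes": {"key": {"type": "apiKey", "in": "query", "name": "api_key"}}},
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
            "get": {"security": [], "responses": {"200": {"description": "ok"}}},
        },
        "/users": {
            "post": {
                "operationId": "createUser",
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object", "properties": {"name": {"type": "string"}}}}}},
                "responses": {"201": {"description": "created"}},
            }
        },
    },
}

# The same API with the findings fixed: HTTPS, header-carried bearer token, bounded inputs.
HARDENED_SPEC = copy.deepcopy(WEAK_SPEC)
HARDENED_SPEC["servers"] = [{"url": "https://api.example.test"}]
HARDENED_SPEC["components"]["securitySchemes"] = {"bearer": {"type": "http", "scheme": "bearer"}}
HARDENED_SPEC["security"] = [{"bearer": []}]
_user = HARDENED_SPEC["paths"]["/users/{id}"]
_user["parameters"][0]["schema"] = {"type": "string", "pattern": "^[0-9a-f]{32}$"}
_user["get"] = {"operationId": "getUser", "responses": {"200": {"description": "ok"}}}
_body = HARDENED_SPEC["paths"]["/users"]["post"]["requestBody"]["content"]["application/json"]
_body["schema"]["properties"]["name"] = {"type": "string", "maxLength": 64}

if __name__ == "__main__":
    for finding in lint(WEAK_SPEC):
        print(finding)
    raise SystemExit(ci_exit_code(WEAK_SPEC))
```

In a pipeline the document would be loaded from the repository (YAML or JSON) instead of the inline dict, and `ci_exit_code` would decide whether the merge proceeds. The useful property of this shift-left gate is that the same constraints it enforces at design time (bounded parameters, a declared security scheme, HTTPS servers) are exactly what a shield-right component such as an API micro-firewall needs from the contract to reject non-conforming traffic at runtime.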