Microservices World -- Workshop Stage C

Tuesday, October 25, 2022

PRO Workshop (API): So You Want to Split Your Monolith: First Steps
Joy Ebertz
Split, Principal Engineer

It's very common to attempt to split a monolith into microservices, and more and more companies are starting down this path. But how do you even approach this problem? It's a giant task, and getting started can be very daunting. In this talk, I will draw on my experience at both Box and Split, as well as the research I've done on the topic, to discuss getting started with splitting up a monolith. I will cover the strangler fig and big bang patterns, how to think about selecting services, and ways to test your new services, including load and parity testing. I will also mix in some of our actual experiences as we went down this path.

PRO Workshop (API): Killing a Giant - a Practical Guide Through Martin Fowler's Strangler Fig Pattern
Branislav Bujišić
Platform.sh, Director of Engineering

Back in 2019, our company was preparing for a period of fast growth. One of the key blockers to that growth was a monolithic application called Accounts. Built initially around 2014 as a rapidly developed proof of concept, it quickly became the central piece of customer interaction: a billing system, an auth server, a support ticketing system, and the project lifecycle management system. The technical debt grew exponentially with every new feature added. The system needed to be replaced.

Martin Fowler described an interesting solution for a practically zero-downtime migration from a monolithic application to -- something else. Instead of replacing the app with a single big bang, let's build the new application around the existing one and let it slowly take over the old one's responsibilities until we're ready to just delete it entirely. The concept was borrowed from a natural phenomenon: Australian strangler figs grow around a host tree until they kill it.

What could possibly go wrong with such an approach, you may ask yourself. Well -- as we learned in the last couple of years -- quite a lot of things! To name a few: shared state between the legacy and the replacement application, designing the stopgap communication between the applications, balancing the development of the new features with the migration of the existing ones.

Join me for the session where we’ll discuss the theory and practice of the Strangler Vine Pattern around a Drupal 7 monolith, with a special focus on all the embarrassing errors we made along the way. 

PRO Workshop (API): gRPC and Microservices
Wenbo Zhu
Google Cloud, Senior Staff Software Engineer

In this talk, we will describe the role of gRPC (grpc.io) in building and deploying cloud-native microservices, our experiences integrating different cloud platform functions into the gRPC framework, and the value such a solution provides to microservice developers.

PRO Workshop (API): API Fuzz Testing Fundamentals
Alex Brewer
ForAllSecure, Technical Solutions Engineer

The goal of this 50 technical workshop is to explain what fuzz testing is, then use fuzz testing on a simple API server, understand and explain the benefits of API fuzz testing, and review the fuzzing results to evaluate the API fuzzing targets for security and performance.

PRO Workshop (API): Testing Pyramid for Event-Driven Microservices
Dan Siwiec
Kambr, Principal Architect

Event-driven systems, being decoupled by definition, present a very different API from classic, endpoint-based microservices. This characteristic requires an evolution of the traditional approach to writing automated tests.
In this session, we will look at various ways to write automated tests for these kinds of systems. The session will include a live code walkthrough in Kotlin.

Wednesday, October 26, 2022

OPEN TALK (API): API Security Is an Application Problem. Here’s Why.
Jeremy Snyder
FireTail, Founder

All of the attack vectors against APIs to date have exploited application logic failings. In this talk, we'll examine the most important app constructs to ensure API security, and discuss approaches to building more secure APIs.

We'll examine select breaches in each of the main categories (authentication, authorization, enumeration and injection) and draw some conclusions about which layer of security is most relevant in each.

We'll then discuss ways that organizations can both design and monitor APIs for best practices in security. 

OPEN TALK (API): API Security: How Are You Securing the #1 Attack Vector?
Karl Mattson
Noname Security, CISO

No surprise in the era of digital transformation: Gartner predicts that in 2022, application programming interface attacks will become the most-frequent attack vector. And yet many security leaders, when pressed, do not even know how many APIs they have in their environments - never mind their level of security.

So, what are you doing proactively to protect your environment from API vulnerabilities, design flaws, and misconfigurations? Register for this session, "API Security: How Are You Securing the #1 Attack Vector?", to gain new insights and to address the following questions:

- How are adversaries exploiting API security gaps to launch successful attacks?

- What are the top API vulnerabilities, and how are proactive enterprises mitigating them?

- How can API visibility be enhanced for automated monitoring, detection, and response?

OPEN TALK (API): API Security 101: Top API Vulnerabilities and How to Address Them
Isabelle Mauny
42Crunch, CTO

Recently, APIs have become the main attack vector for applications. APIs are so interesting to attackers because they expose valuable data and business logic to clients. Traditional security approaches fail to address these issues. In this workshop, we reveal the most common vulnerabilities found in APIs, talk about recent API breaches, uncover how to detect and subsequently remediate them, and show how to put in place secure foundations that start at the design phase. By participating in this workshop, participants will:

  • Know all about the OWASP API Top 10 classification and the unique nature of API vulnerabilities
  • Understand the coding or design mistakes which lead to those vulnerabilities
  • Appreciate the value of automating API testing and "thinking like a hacker"
  • Learn practical approaches for API vulnerability remediation

WORKSHOP (API): Designing Secure API and Microservices-Based Applications
Farshad Abasi
Forward Security, Founder and CEO

Many applications are being modernized by leveraging APIs and being decomposed into smaller units, typically living in containers. These involve many new tools and technologies that are not always well understood, leading to a poor application security posture. Many application architects and developers who take advantage of these architectures lack the knowledge to apply the required security controls. The ideas, principles and concepts discussed in this presentation, such as API gateways, end-to-end trust, authentication and authorization, have existed for some time. But this presentation brings them all together to provide a blueprint for modern API and microservices-based application security.

OPEN TALK (API): Demystifying Microservice Testing
Wilhelm Haaker
Parasoft, Sr. Solutions Architect

One of the biggest advantages of developing microservices is the ability to develop, deploy, and upgrade services individually, without disrupting the entire ecosystem. At the same time, microservice architectures introduce new testing challenges, such as understanding how to isolate each component for testing.

In this webinar, learn about the different architectures and protocols employed in microservice development (including Kafka, RabbitMQ, REST, and Protocol Buffers).

Actionable takeaways include:
• Understanding the practical differences between some of the common microservice architectures.
• How to effectively test in a synchronous ecosystem using REST, taking advantage of existing contracts to validate that the changes you make will not break the system.
• How to approach testing in an event-driven ecosystem, using Kafka event streams.
• When and how service virtualization can help provide a stable test environment, given the challenge of isolating components in microservice testing.

WORKSHOP (API): Protecting GraphQL with Effective Governance & Security
Shiu-Fun Poon
IBM, Principal Architect, API Security
Morris Matsa
IBM, Principal Architect, API Connect & Gateways

GraphQL is a new approach to exposing your services to application developers. It brings many advantages, along with new challenges to security and governance. In this session you will learn how to protect your GraphQL server endpoints from these unique GraphQL threats and enforce governance over them with a low-code approach. You'll see demos of numerous approaches such as cost analysis, graph filtering, and much more.

Thursday, October 27, 2022

OPEN TALK (API): Mr. Toad's Wild (Service Mesh) Ride
Jim Barton
Solo.io, Field Engineer

The enterprise software community is accelerating its migration from monoliths to microservices. Service mesh platforms like Istio are a key technology enabling this transition. Connecting, securing, and observing the elements of your Kubernetes service networks is no longer optional; it is an absolute imperative.

Come with us on a whirlwind tour of Gloo Mesh, an Istio-based platform that is optimized for multi-team and multi-cluster Service Meshes. In a fast-paced, no-slides session, we will build a fully functional example that illustrates:
• Establishing three multi-tenant workspaces to manage a half-dozen services;
• Enforcing Zero-Trust Networking policies;
• Configuring multi-cluster routing;
• Testing distributed failover; and
• Exploring the mesh's API Gateway features, including OIDC authentication, rate limiting, and Web Application Firewall security.

Buckle your seat belts! This Wild Ride will swiftly show you how to accelerate your Service Mesh adoption. 

OPEN TALK (API): Applying AI to API Testing across the Lifecycle
Swetha Sridharan
IBM API Connect, Product Manager

Time to market and the ability to change rapidly while retaining high quality are key business drivers today. Come learn how API developers can apply different AI-assisted testing approaches at various points in the API lifecycle. Be more productive and improve quality faster than ever before!

PRO Workshop (API): Horror Stories From Other People’s APIs
Vincenzo Chianese
Microsoft, API Architect

In this talk, I'll share my experiences from the past year working primarily on integrations with other people's APIs. I'll explore some "pearls" that I found and the alternatives that would have made my journey a little bit easier.

PRO TALK (API): GraphQL - Security Implications and Best Practices
Amir Shaked
PerimeterX, SVP R&D

GraphQL is one of the fastest-growing approaches to API specification. But it comes with security risks that can and should be addressed as you design your AAA: authentication, authorization and auditing.

OPEN TALK (API): Maintaining Application SBOMs in a Microservices Architecture
Tracy Ragan
DeployHub, CEO

Supply chain management speaks to improving security in the software systems we create. At the core of these discussions is the generation of SBOMs and CVE reports. In a monolithic architecture, application SBOMs and CVE reports are created at the CI build step. But how do we manage SBOMs in a microservice environment without a monolithic build?

This presentation will review the supply chain complexities of a microservice architecture with hundreds of run-time dependencies, each having its own SBOM and CVE reports. It will introduce Ortelius, an open-source unified supply chain catalog incubating at the Continuous Delivery Foundation, which aggregates microservice-level SBOM and CVE data up to the consuming 'logical' applications. Attendees will learn how they can easily produce application-level supply chain reports that meet new federal security requirements, even in complex cloud-native environments.