* VIRTUAL API WORLD WORKSHOP STAGE B
Tuesday, November 1, 2022
[#VIRTUAL] PRO Workshop (API): Building an API Layer for Blockchain Data using Scaffold-ETH and The Graph
In this talk we will showcase how to leverage the power of The Graph to index blockchain event data into an easy-to-use and flexible API built on GraphQL.
Attendees can easily follow along with the workshop by building out their own development environment with only Git, Yarn and Node.js. Come learn to build the future on Web3.
API-as-a-Product is an emerging concept in the software development sphere. Speed in API development and delivery is becoming increasingly important. OpenAPI 3 enables faster and more collaborative API development, and its custom extensions can be leveraged to augment API contracts with additional functionality. Here at Intuit we built a system that uses the OpenAPI spec, Istio Service Mesh and other extensions to dynamically generate the runtime and enable zero-overhead routing for orchestration APIs. Istio VirtualService is used to create the routing layer with zero overhead to enable faster API delivery. This zero-overhead routing supports API patterns like aggregation, transformation and proxy, and can be used uniformly across both north-south (via API Gateway on Service Mesh) and east-west traffic. Such an API orchestration runtime and routing will allow you to create and present new and elegant APIs on top of existing APIs while adhering to industry best practices. Come and learn how Intuit’s API Management Platform team built low code / no code zero-overhead routing for orchestration APIs using OpenAPI 3 and Istio.
[#VIRTUAL] PRO Workshop (API): Autogenerate your database schema and OData endpoints using English with Pine.js
In this talk, we would like to introduce API developers to a sophisticated rules-driven API engine that lets you define rules in a structured subset of English.
The talk gives an introduction to the open source project Pine.js which is the core backend API in balena. The balena cloud stack serves millions of OData requests to more than half a million globally distributed IoT devices and thousands of IoT device fleet managers every day.
Pine.js lets developers define and model their business relations in a structured, human-readable text format. Using Semantics of Business Vocabulary and Business Rules (SBVR) you can easily define entities, entity quantities, rules and relationships, and Pine.js will automatically generate the underlying data definition language (DDL) and data query language (DQL) queries and execute them on a SQL database. Finally, Pine.js automatically provides all the OData API endpoints.
Pine.js uses an intermediate abstract SQL format and implements concepts to:
- automatically resolve m:n relationships into two 1:n relationships with helper tables
- parse OData requests and translate them into the abstract SQL intermediate format
- translate defined business rules and validations into the abstract SQL format
- resolve permissions into abstract SQL
All abstract SQL statements are combined into one query to the database and executed in one transaction.
The goal of this 50 technical workshop is to explain what fuzz testing is, then apply fuzz testing to a simple API server, understand and explain the benefits of API testing, and review the fuzzing results to evaluate the API fuzzing targets for security and performance.
Today, most SaaS providers offer web APIs that allow their users to customize their experience. The user often needs to set up and maintain a webhook server to receive API events, tolerate long latencies, and handle authentication and authorization. That is a lot of development and operations effort on top of the core business functions the user wants to perform. In other words, those web APIs are not serverless.
There is an emerging approach for users to interact with, extend and customize SaaS products through serverless functions. A SaaS could enable users to submit code functions to be embedded in their SaaS account, much like AWS Lambda allows users to embed serverless functions in the AWS infrastructure. In that way, the SaaS provides native integration points in the form of programming language APIs instead of web APIs. It is much faster and safer than web APIs and allows developers to focus on business logic.
WebAssembly plays a crucial role in those SaaS serverless functions by providing a secure, safe, lightweight, and high-performance sandbox runtime for those user-submitted functions.
[#VIRTUAL] PRO Workshop (API): Automated APIs for Scaling Enterprises: How to Set Standards and Create Smooth API Implementations
API standards and schemas have helped to automate much of API design, implementation and maintenance -- and not a moment too soon. As many tech companies experienced growth spurts in the past year, they ended up with multiple teams working on new products and new APIs. Consequently, they learned that their ways to create well-designed APIs wouldn't work so easily when multiple teams have to create them.
Thanks to new solutions (centralized around a good API gateway), growing companies can establish a scalable system for designing, implementing and launching consistent APIs across many teams. We’ll share best practices and solutions from experiences with enterprises in this phase to understand how to be effective working across Product, Infrastructure and Engineering teams to do so.
In highly distributed cloud native environments, application requests traverse many third-party APIs and managed services. Applying distributed tracing to your own code through instrumentation is relatively simple, but requires a lot of work. The real challenge, however, lies with APIs and managed services, and how to trace a full request across services like queues, streams, and databases.
In this session we will discuss:
- The technical challenges gaining observability with managed services.
- Methods to build the full trail of transactions across managed services.
- Ideas on how to obtain observability in a highly async distributed world.
- A technical drill-down into some managed-service examples.
Wednesday, November 2, 2022
[#VIRTUAL] OPEN TALK (API): Effective API Security: API Discovery, Runtime Protection, Security Analytics, Active Testing
APIs are the glue that connects all of our software systems. But our knowledge and ability to track and secure APIs has not kept up with our rapid adoption of them. This API sprawl introduces significant operational and security risks, yet securing your APIs is different from everything we've been doing to secure our applications to date. WAFs don't help. API gateways aren't enough. DAST testing isn't enough. So what do we need to do differently?
In this session we will discuss why and how the approach to securing APIs needs to be different. We'll look at what you should consider through the software development lifecycle. And we'll share some real-world examples of organizations that have built and maintained robust API security strategies, with impressive outcomes related to reduced risk, lowered costs, and more secure API development practices.
Security is never a simple task, and the same applies to APIs. Properly securing APIs gets even more challenging when the API ecosystem grows substantially. It’s naturally easier for a company to protect a few endpoints than hundreds. As the API ecosystem grows, merely starting to use OAuth may not be enough. Proper handling of OAuth tokens and use of the different features that OAuth offers is required.
Measuring and controlling costs in cloud environments is often complex. But it does not need to be. In this session, we will discuss how an AI-driven approach renders your cloud native applications on Kubernetes fully autonomous and rightsizes the cluster's cloud compute resources at sub-minute intervals. We will go over an experiment with the deployment of an application, and apply autonomous techniques that fiercely control and optimize the cluster.
APIs are the backbone of many services we all know and love, and when it comes to hosting those APIs, AWS is a great option. When building APIs with .NET on AWS, there are plenty of options, ranging from the tried-and-true Web API running on Elastic Beanstalk to running highly scalable event-driven functions with AWS Lambda. Let us spend some time during this session talking about building APIs on .NET and running them in AWS.
Thursday, November 3, 2022
APIs are a two-edged sword: They expose business functionality and allow easy and powerful integration between back-end systems, but they also provide attackers with more attack surface, and through that, grant visibility into the back-end functions of an application.
As API use increases, so do security risks. Securing APIs against sophisticated, multi-mode attacks requires organizations to automatically detect attacker behavior and block it in real time. During this session ThreatX’s co-founder and Chief Strategy Officer, Bret Settle, will walk step by step through the attack behavior being seen in multi-mode attacks and how those strategies are targeting APIs more than ever.
Have APIs that you want to use to build revenue? Currently experiencing headaches from existing monetized APIs? Regardless, chances are that you have API resources that others are willing to pay for. The toughest part? Figuring out how to build the right stack for seamless and easy API monetization. In this talk, we will discuss the components of a technology stack that are required when trying to monetize your APIs.
We will cover how to choose a billing provider, API management's role in monetization, and how to bring it all together in an end-to-end solution. By the end of this talk, listeners will have a better understanding of exactly what it takes to build a robust monetization solution for their APIs.