* VIRTUAL API WORLD WORKSHOP STAGE D

Wednesday, November 2, 2022

- PDT
[#VIRTUAL] PRO TALK (API): GraphQL: Great Flexibility, New Attack Vectors
Paulo Silva
Checkmarx, Ethical Hacker / Senior Security Researcher

In recent years, GraphQL adoption has increased significantly. Developed by Facebook and introduced in 2012, GraphQL came with a proposal different from REST: native flexibility for those building and calling APIs.
As we know, with great flexibility come... new attack vectors!

In this session, we'll cover GraphQL-specific security risks and attack vectors. Beyond the commonly discussed topic of enabled introspection in production, we'll present and discuss how field suggestions can be abused, what common GraphQL Cross-Site Request Forgery (CSRF) issues look like, and how attackers are using batching attacks, alias and directive overloading, and query depth issues to their advantage.

We want to shed some light on GraphQL-specific issues that may hurt not only the system but also the business, leading to massive data leakages or Denial-of-Service (DoS).

- PDT
[#VIRTUAL] PRO TALK (API): API Monitoring for Better Management
Aravind Babu Ramadugu
Accenture, Mulesoft Mentor and Architect

API monitoring is a very critical part of the entire API ecosystem.
In this session, I will be covering how APIs can be monitored, how we can plan for predicting issues through monitoring, and how we can heal the APIs automatically.

- PDT
[#VIRTUAL] OPEN TALK (API): Of Graphql, API Gateways, and Surgical Monolithectomy
Francois Lascelles
Layer7, Distinguished Engineer

GraphQL’s popularity is rising. Its entry into the enterprise landscape occurs at a time when monoliths - creatures whose genesis dates back decades - are growing beyond their optimal mass. This presentation will discuss
- how the adoption of GraphQL as a protocol is affecting the capabilities required by API infrastructure;
- the security implications of choosing GraphQL vs REST;
- our journey, lessons learned in integrating GraphQL into our solution;
- the DX implications of choosing GraphQL vs REST;
- and how GraphQL helps us perform delicate surgical intervention on legacy systems. 

- PDT
[#VIRTUAL] PRO TALK (API): Solving the Never Ending Requirements of Authorization
Alex Olivier
Cerbos, Product Lead

Implementing access controls in your application can be a never-ending task as business requirements change. What begins as a simple check to see if the user’s email is from your own domain name turns into a complex web of if/else statements to determine who can do what. Coming up with a scalable, manageable and maintainable authorization process is key to meeting evolving requirements as your business scales.

This talk will cover the different areas of consideration when implementing permissions, common stages in the evolution of a company where authorization needs to fundamentally change, and an example of how to take a GitOps-based approach to scaling policy.

- PDT
[#VIRTUAL] PRO TALK (API): Anomaly Detection Is No Longer a Security Strategy
Don Leatham
Resurface Labs, EVP Alliances and Business Development

Much of security is focused on finding the outliers, the anomalies, to provide a reliable signal for security teams. Once identified, these anomalies are considered instructive and actionable. But, with the proliferation of APIs and the volume of attack traffic every second, relying on outliers leads to exceptionally noisy and unproductive searches. Your anomalies are actually the valid traffic, set against a majority of attacker traffic. We'll cover how to identify API risk and threats where threat traffic outweighs valid user traffic.

- PDT
[#VIRTUAL] PRO TALK (API): Zero Trust Strategies to Protect the APIs That Drive Your CI/CD Pipelines
Andrew Jones
Corsha, Director of Solutions Engineering

Many organizations are jumping to DevSecOps from DevOps by adding security scanning and validation in their CI/CD pipelines. This shift-left approach is fantastic because it builds security into applications early on. Now the question is: how do we protect API-driven communication in our CI/CD pipelines themselves? These automated pipelines are a rich treasure trove for hackers: proprietary code and configuration, release artifacts, deployment environments, and of course the critical keys and secrets to control it all. And all of the automation driving these pipelines runs via APIs and communication between different chained third-party services. In this talk, we’ll go over strategies for best practices around CI/CD security and show you how to pin access and control to only trusted stages of your pipeline.

- PDT
[#VIRTUAL] OPEN TALK (API): Creating Unique Virtual Card Payment Experiences with U.S. Bank Card as a Service APIs
Luke Utting
U.S. Bank, Assistant Vice President, Technical Sales Consultant

This session will share how U.S. Bank Card as a Service APIs can be used to create user experiences that reshape the payment experience - reducing friction, focusing actions on user objectives, and speeding users through the travel purchase process.

- PDT
[#VIRTUAL] PRO TALK (API): API Protection Best Practices
Varun Kohli
Cequence Security, Chief Marketing Officer (CMO)

It’s no secret that APIs are the developers' tool of choice and an attacker's #1 target. The question on every CISO's mind is this: if APIs are the number one target for attackers, and everyone claims to secure APIs, how do we choose the solution that best fits our API protection needs for an entire API lifecycle? To address that question, do you start with a focus on secure API development? Do you try to stay on top of constantly discovering unknown or shadow APIs? Or do you merely bolster existing defenses in an effort to stop future attacks? Using customer examples as the backdrop, this session will walk attendees through best practices for protecting your APIs regardless of where you are in your API protection lifecycle.

- PDT
[#VIRTUAL] PRO TALK (API): From Reactive to Proactive, Changing the Culture on API Security
Bryant Schuck
Checkmarx, Senior Product Manager

If software is eating the world then APIs are the teeth. Good application security approaches and best practices start at the API code level. But the bigger question is, “do you know what those practices are?” Security and threat intelligence must play a role within each part of the API lifecycle to stay ahead of the curve.

In this talk, you’ll hear from Bryant Schuck, Senior Product Manager at Checkmarx, where he will dive deep into the following topics:

- How to shift API security as far left as possible to create secure APIs on every pull request
- How to focus your efforts and attention on where the vulnerable API lives
- New ways to prioritize vulnerability remediation based on an API's handling of sensitive data
- Live demo of an API attack

- PDT
[#VIRTUAL] PRO TALK (API): It’s High Time We Address the [API] Elephant in the Room
Bret Settle
ThreatX, Co-Founder and Chief Strategy Officer

APIs are ubiquitous. Every modern software application uses – or is – an API. They connect consumers to businesses and businesses to one another while also acting as an enabler that allows brands to deploy cross-service capabilities. APIs also enable development teams to integrate data from external sources and deliver new services and capabilities rapidly, requiring little to no downtime for consumers.

As API use increases, so do security risks. APIs are easy to deploy, but hard to control and despite their prominence, APIs are consistently overlooked in web application security programs. Application developers may—with best intentions—stand up new APIs without going through the expected security review. The rapid proliferation of APIs has far surpassed security’s ability to protect these assets and they have quickly become the attack vector of choice for threat actors who exploit insecure APIs for malicious purposes.

During this session, attendees will hear from ThreatX co-founder and Chief Strategy Officer Bret Settle. He will examine the varied types of attack methods used against APIs and outline how organizations can leverage an attacker-centric approach to gain full visibility into their API and web application traffic, to identify and protect their vulnerabilities before damage can be done.

Attendees can expect to walk away with the knowledge needed to:
- Identify and correlate activity to block tangible threats
- Respond to attack patterns over time and adjust to adversary motions
- Understand behaviors that, when viewed together, might indicate suspicious activity, for example, dashes or special characters used in form fills
- Maintain uptime on applications without impacting user experience

Thursday, November 3, 2022

- PDT
[#VIRTUAL] PRO TALK (API): APIs in the wild
Luca Ferrari
Red Hat, EMEA Senior Edge Solution Architect

With the expansion of the cloud towards the end user, some common issues emerge: unreliable internet connections, fewer hardware resources, unreliable power, metered connections …
In most of those use cases, though, the devices out there still need some way to communicate with the cloud, at the very least to let it know they are still alive. But what is the quickest and most efficient way to do that?
In this session we will explore and compare different API protocols in terms of resource usage, and we will examine different mechanisms that are usually available at the API gateway level and at the device level to optimize communication and respond to failures at the different levels of the stack.
We will conclude with some industry best practices for building services at the edge.

- PDT
[#VIRTUAL] PRO TALK (API): Build Resilient Applications Using Orchestration
Cherish Santoshi
Orkes, Developer Relations Engineer

As we move towards an exciting future of more distributed systems, we are bound to encounter microservices written in different languages and running on different infrastructures.
The resiliency of the individual applications only makes sense if they come together beautifully to create one invincible application.

In this session, we will talk about how companies like Netflix, Tesla, etc. used orchestration to build robust and scalable applications that inspire innovation. 

- PDT
[#VIRTUAL] PRO TALK (API): Virtual Spaces Are More than Just the Metaverse
Todd Greene
PubNub, Founder and CEO

We’ve all heard about the hype around the “metaverse”, but what about Virtual Spaces? A step closer than the metaverse, the concept of Virtual Spaces is where real-time interactions and experiences happen online.

Over the past few years, we’ve witnessed the rise of online communities enabled by real-time technologies – and the concept of Virtual Spaces – an online space where people or devices can collaborate together – has never been more appealing than in today’s pandemic-induced reality.

Tracking the delivery status of your latest ecommerce purchase? That happens in a Virtual Space. Want to look up where you rank in the mobile game you play every day? That live leaderboard is a Virtual Space. Hit a wall and need some real-time tech chat support? You guessed it, that’s a Virtual Space too. 

- PDT
[#VIRTUAL] PRO TALK (API): API Visibility: Securing Your Blind Spot without Losing Speed
Lebin Cheng
Imperva, VP, API Security

The growing prevalence of APIs presents security teams with an all-too-familiar problem - deployment can outpace security processes and protections, creating a vulnerability they are left to address. With APIs emerging as the next big attack vector, this has become a critical shift-left priority. Understanding the tradeoffs between securing APIs and the cost of not taking action is the first step in gaining buy-in across the organization. From there, you can build a phased plan to introduce visibility into your APIs, determine which APIs expose sensitive data, and finally build processes around how APIs are managed. This session will offer tips and tricks for securing APIs without slowing down the speed of development.

- PDT
[#VIRTUAL] PRO TALK (API): Make Content Queryable: How to Build a Real-Time Document Store That Scales Globally
Simen Svale Skogsrud
Sanity, Co-founder and CTO

Customer-facing applications are increasingly integrated across the business, driven by a host of workflows spanning departments and even organizations. From marketing to e-commerce and all the way into the heart of product, content is powering all of our customer interactions, yet it is so often treated as an afterthought, handled by an amalgam of disconnected databases, isolated systems and, god forbid, a patchwork of spreadsheets.

There is a better way. In this talk, I'll outline how to build a modern, scalable content infrastructure, then walk you through the important steps you need to take to build that resilient, collaborative, global content store. I'll introduce the concept of a “Content Lake”, similar to a data lake, and discuss the specifics of the Sanity Content Lake, a turn-key system for content orchestration that provides a single source of truth. We also invented GROQ, a flexible query language for schemaless JSON documents, that's used to power GraphQL and other APIs. This lets you integrate content across internal tools and systems so applications run smoothly with the right content at the right time.

- PDT
[#VIRTUAL] PRO TALK (API): A Bridge Too Far? Creating APIs for Some of the World’s Most Challenging Platforms
Dr. Alex Heublein
Adaptigent, President

We all know that creating APIs for modern platforms can be a vexing experience without the right set of tools, processes, and people. But how do you create APIs for mission-critical legacy platforms that were never designed to be integrated with in the first place? How do you unlock the decades of investment your organization has made in these workhorse systems? Integrating with “green screen” applications? Seriously, is that even a thing anymore??? (Yeah, it totally is…)

Best case, this usually entails dealing with uncommon security protocols, complex systems programming, ungainly architectural workarounds, and a lot of time and resources – the latter two of which are almost always scarce commodities. So many organizations just avoid the topic and try to work around it, or they hire armies of consultants who just end up adding to their already burgeoning legacy technical debt.

Can these APIs actually be built quickly and cost-effectively without disrupting the business - or is this simply “a bridge too far” for most organizations? In this session we’ll show you how to create sophisticated, scalable, and secure legacy APIs in a matter of minutes, rather than the weeks or months it normally takes, without writing a single line of code. 

- PDT
[#VIRTUAL] PRO TALK (API): How to Autogenerate Awesome GraphQL Documentation with SpectaQL
Christopher Newhouse
Anvil, Senior Software Engineer

Having accurate and complete documentation for your APIs is necessary, but it can also be quite challenging and time consuming. With GraphQL, however, thanks to its schema definition and the variety of tools that can access and explore that schema, it does not have to be. See how our open-source project SpectaQL can help you keep your documentation complete, current and beautiful with the least amount of pain possible.

- PDT
[#VIRTUAL] PRO TALK (API): Bitloops Language (BL): Giving API developers DDD/BDD superpowers
Vasilis Danias
Bitloops, Co-founder & CEO

BL is an open-source, high-productivity, fourth-generation (4GL), DDD/BDD-focused programming language that transpiles into mainstream programming languages such as TypeScript and Java and helps developers build and maintain complex APIs faster and better than ever before.

Domain Driven Design (DDD) and Behavior Driven Development (BDD) are proven ways to increase developer productivity and a sure way to improve the probability of a product or project succeeding. Nonetheless, DDD and BDD require significant experience and have a very steep learning curve. As a result, most organizations and individuals fail to make DDD and BDD part of their everyday routine and end up missing out on their significant advantages.

BL has been created to dramatically reduce the DDD/BDD learning curve for developers, allowing them to produce working DDD systems in no time.

During the talk we will see how we can quickly write a working system using Domain-Driven Design and deploy it as a TypeScript project while easily switching between a modular monolith and an Event-Driven distributed microservices architecture.