* VIRTUAL MICROSERVICES WORLD WORKSHOP STAGE C
Tuesday, November 1, 2022
It's very common to attempt to split a monolith into microservices and more and more companies are starting down this path. But how do you even approach this problem? It's a giant task and getting started can be very daunting. In this talk, I will draw on my experience at both Box and Split, as well as the research that I've done on the topic to discuss getting started with splitting up a monolith. I will cover the strangler fig and big bang patterns as well as how to think about selecting services and ways to test your new services, including load and parity testing. I will also mix in some of our actual experiences as we went down this path.
[#VIRTUAL] PRO Workshop (API): Killing a Giant - a Practical Guide Through Martin Fowler's Strangler Fig Pattern
Back in 2019, our company was preparing for a period of fast growth. One of the key blockers to that growth was a monolithic application called Accounts. Built initially around 2014 as a rapidly developed proof of concept, it quickly became a central piece for the customer interaction, a billing system, an auth server, a support ticketing system, the project lifecycle management system. The technical debt grew exponentially with every new feature added. The system needed to be replaced.
Martin Fowler described an interesting solution for a practically zero-downtime migration project from a monolithic application to -- something else. Instead of replacing an app with a single big bang, let’s build the new application around the existing one, and let them slowly take over its responsibilities until we’re ready to just delete it entirely. The concept was stolen from a natural phenomenon of Australian strangler figs growing around a host tree until they kill it.
What could possibly go wrong with such an approach, you may ask yourself. Well -- as we learned in the last couple of years -- quite a lot of things! To name a few: shared state between the legacy and the replacement application, designing the stopgap communication between the applications, balancing the development of the new features with the migration of the existing ones.
Join me for the session where we’ll discuss the theory and practice of the Strangler Vine Pattern around a Drupal 7 monolith, with a special focus on all the embarrassing errors we made along the way.
In this talk, we will describe the role of gRPC (grpc.io) in building and deploying cloud-native microservices, our experiences in integrating different cloud platform functions as part of the gRPC framework and the values such a solution provides to microservice developers.
Event-Driven systems, being decoupled by definition, present a very different API from classic, endpoint-based microservices. This characteristic requires an evolution of the traditional approach to writing automated tests.
In this session, we will look at various ways to write these automated tests for these kinds of systems. The session will include a live code walkthrough in Kotlin.
Wednesday, November 2, 2022
All of the attack vectors against APIs to date have exploited application logic failings. In this talk, we'll examine the most important app constructs to ensure API security, and discuss approaches to building more secure APIs.
We'll examine select breaches in each of the main categories - authentication, authorization, enumeration and injection, and draw some conclusions about which layer of security is most relevant in each.
We'll then discuss ways that organizations can both design and monitor APIs for best practices in security.
API Security: How Are You Securing the #1 Attack Vector?
No surprise in the era of digital transformation: Gartner predicts that in 2022, application programming interface attacks will become the most-frequent attack vector. And yet many security leaders, when pressed, do not even know how many APIs they have in their environments - never mind their level of security.
So, what are you doing proactively to protect your environment from API vulnerabilities, design flaws, and misconfigurations? Register for this session, "API Security: How Are You Securing the #1 Attack Vector?", to gain new insights and to address:
- How are adversaries exploiting API security gaps to launch successful attacks?
- What are the top API vulnerabilities, and how are proactive enterprises mitigating them?
- How can API visibility be enhanced for automated monitoring, detection, and response?
Recently, APIs have become the main attack vector for applications. APIs are so interesting to attackers because they expose valuable data and business logic to clients. Traditional security approaches fail to address these issues. In this workshop, we reveal the most common vulnerabilities found in APIs, talk about recent API breaches, uncover how to detect and subsequently remediate them, and how to put in place secure foundations that start at the design phase. By participating in this workshop, participants will:
- Know all about the OWASP API Top10 classification and the unique nature of API vulnerabilities
- Understand the coding or design mistakes which lead to those vulnerabilities
- Appreciate the value of automating API Testing and "thinking like a hacker"
- Learn practical approaches for API vulnerability remediation
Modern business problems require modern solutions. While AI as we know it today can take decisions based on trained ML models, it depends on historical data. Business optimizers can help you solve many of the problems that are relevant in modern business. For example, minimizing fuel consumption, minimizing driving time, minimizing the number of required vehicles and many similar problems are directly relevant to an online delivery platform. OptaPlanner is one such business optimizer tool that can help business people take these business-critical decisions while taking business constraints into account.
The session will enlighten the audience about the use cases and relevance of business optimizers in modern industry. We will start with what business optimizers are and how they are integrated into your product. We will also cover various other use cases where such tools, combined with other open source tools like a rule language, help all stakeholders in a business take business-critical decisions.
Many applications are being modernized by leveraging APIs and being decomposed into smaller units typically living in containers. These involve many new tools and technologies that are not always well understood, leading to a poor application security posture. Many application architects and developers who take advantage of these architectures lack the knowledge to apply the required security controls. The ideas, principles and concepts such as API gateways, end-to-end trust, authentication and authorization discussed in this presentation have existed for some time. But this presentation brings it all together to provide a blueprint for modern API and microservices-based application security.
One of the biggest advantages of developing microservices is the ability to develop, deploy, and upgrade services individually, without disrupting the entire ecosystem. At the same time, microservice architectures are introducing new testing challenges, such as understanding how to isolate each component for testing.
In this webinar, learn about the different architectures and protocols employed in microservice development (including Kafka, Rabbit MQ, REST, and Protocol Buffers).
Actionable takeaways include:
- Understanding the practical differences between some of the common microservice architectures.
- How to effectively test in a synchronous ecosystem using REST, taking advantage of existing contracts to validate that changes you make will not break the system.
- How to approach testing in an event-driven ecosystem, using Kafka event streams.
- When and how service virtualization can help provide a stable test environment given the challenge of isolating components in microservice testing.
GraphQL is a new approach to exposing your services to application developers. It has many advantages, which come with new challenges to security and governance. In this session you can learn how to protect your GraphQL server endpoints from these unique GraphQL threats and enforce governance for them with a low-code approach. You'll see demos of numerous approaches such as cost analysis, graph filtering, and much more.
Thursday, November 3, 2022
The enterprise software community is accelerating its migration from monoliths to microservices. Service Mesh platforms like Istio are a key technology enabling this transition. Connecting, Securing, and Observing the elements of your Kubernetes service networks is no longer optional; it is an absolute imperative.
Come with us on a whirlwind tour of Gloo Mesh, an Istio-based platform that is optimized for multi-team and multi-cluster Service Meshes. In a fast-paced, no-slides session, we will build a fully functional example that illustrates:
• Establishing three multi-tenant workspaces to manage a half-dozen services;
• Enforcing Zero-Trust Networking policies;
• Configuring multi-cluster routing;
• Testing distributed failover; and
• Exploring the mesh's API Gateway features, including OIDC authentication, rate limiting, and Web Application Firewall security.
Buckle your seat belts! This Wild Ride will swiftly show you how to accelerate your Service Mesh adoption.
As software engineering tools and languages continue to evolve, it has become easier than ever to create more software. With the advent of cloud providers like AWS, GCP, Azure, and several more, the continuous delivery to production is a very reachable milestone, for companies of all sizes.
But what about staging environments?
- Should engineers release directly to production hoping that the tests catch their issues?
- Should they wait for the availability of STAGING-1 for 2 weeks to test everything end-to-end?
- Should they have their own “developer-feature-x” environment that is spun up?
The advent of the cloud has made it much easier to deploy services at scale. But the path your code takes to go from your local environment to a production environment is still a mystery.
In this talk, I’d go over lessons that I’ve learned from working on provisioning & maintaining developer environments at 3 different companies now.
Time to market and ability to change rapidly while retaining high quality is a key business driver today. Come learn how API Developers can apply different testing approaches using AI at various points in the API lifecycle. Be more productive & improve quality faster than ever before!
GraphQL is one of the fastest-growing approaches in API specifications. But it comes with security risks that can and should be addressed as you design your AAA - authentication, authorization and auditing.
Supply chain management speaks to improving security in the software systems we create. At the core of these discussions is the generation of SBOMs and CVE reports. In a monolithic architecture, the creation of application SBOMs and CVE reports is done at the CI build step. But how do we manage SBOMs in a microservice environment without a monolithic build?
This presentation will review the supply chain complexities in a microservice architecture with hundreds of run-time dependencies, each having its own SBOM and CVE reports. It will introduce Ortelius, an open-source unified supply chain catalog, incubating at the Continuous Delivery Foundation, that aggregates SBOM and CVE microservice level data up to the consuming ‘logical’ applications. Attendees will learn how they can easily produce application-level supply chain reports that meet new federal security requirements, even in complex cloud-native environments.