API OPEN Talks
Wednesday, October 27, 2021
More and more companies today face the challenge of how to authenticate and authorize their APIs. The problem is so common that Broken Access Control now holds the number one spot on the OWASP Top 10.
In this session, we will go over the best practices for authenticating and authorizing your APIs, from the design phase through to implementation. We will cover the authentication, authorization, access control and multi-tenancy aspects of API management, including real-life examples from RESTful and GraphQL based APIs.
APIs are everywhere, leading the digital transformation age. With 90% of all web traffic being API calls, the attack surface and threat model have changed dramatically.
Agile development and rapid release cycles with iterative changes leave APIs vulnerable to attack, but security testing of APIs has not kept up with this pace.
Security testing automation is key, integrated as part of your pipelines to put developers into the security testing driving seat, to rely less on manual testing and produce secure APIs by design.
Traditional security scanners are a blocker to this automation. They are hard to use, impossible to integrate, not developer friendly and produce too many false positives. This results in crippling human bottlenecks that stifle CI/CD, whether it's the need for security to constantly tweak scanners or the drain of manually validating vulnerabilities.
Either way, technical and security debt is compounded, resulting in insecure products hitting production. Change is needed, and fast.
In this session Oliver will cover:
1. Key features that your dev-first security tools need in order to let developers take ownership of security
2. How you can detect, prioritise and remediate security issues early, automated in the pipeline, for your REST, SOAP and GraphQL APIs
3. Insights into reducing the noise of false alerts to remove your manual bottlenecks to shift left
4. Steps you can take to achieve security testing automation as part of your CI/CD, to test your applications and APIs
In 2020 the worldwide annual cost of API development reached 100bn USD. As the global pandemic further accelerated the push for digital transformation, the need for connecting businesses digitally reached an all-time maximum. Yet we are still manually wiring our systems together. We hard-code our applications in a process that is hardly scalable and only borderline reliable. The autonomous integration pattern enables applications to discover, contract, and connect automatically without worrying about maintenance. Private and public registries of business capabilities will form the backbone of the Autonomous Integration Mesh and replace word of mouth and web search. Self-navigating and self-healing API clients will reduce the need for tedious work and provide blazing-fast, resilient connections. Finally, API clients will contract and purchase digital capabilities, opening a new era of all-digital sales and AI trading. This talk will explore autonomous API integration and discuss its practical implementation and its cost and time reduction impact on current API practices.
It has been said that “an API is the front door to your business”. But, is an API only a front door? What other kinds of doors do you need? And, perhaps most importantly, what makes a good door?
API development is challenging. Effective API development involves understanding API usage patterns, managing user feedback, ensuring the system can handle heavy API usage, and making difficult tradeoffs to ensure that end-users, API users, and developers supporting the system are all happy. So, how should you do it?
In this talk, I'll cover some guidelines for API development that can help rein in these challenges: writing an effective API spec, understanding what to get out of an API review, and getting feedback from early adopters through a beta testing program.
I'll also make the case that incorporating telemetry and observability tooling into the process can help you achieve more confidence in what you're building as you're building it. By capturing wide events across your entire API surface area, you can do things like correlate usage of one API with another to see if people are doing what you would want them to do, and understand who is pushing your systems to their limits without getting paged in the middle of the night about a problem in the wild.
Throughout the talk, I'll reference real-world examples of building APIs at Honeycomb. We've seen tangible benefits to utilizing observability tooling in the development process. After this talk, you should have the information you need to reap similar benefits.
Organizational efforts to adopt microservices will more easily fail because of how our understanding of what a microservice is has shifted from its original meaning. In this presentation, we will look at the current communication paradigm of microservices and how this leads us down the road to massive amounts of unnecessary operational complexity compared to proper microservices or even a monolith. We will further discuss ways to avoid these common pitfalls to improve the likelihood of success.
APIs help drive efficiency and faster innovation so that organizations can support their business. Attackers also know this reality and zero in on APIs as a primary attack vector. The end result is a potential nightmare for organizations with API-driven business applications as they face the risks of data breach, privacy incident, and more.
In this session, we review first-hand API threat research gleaned from a large financial institution. Its SaaS platform provides API services to thousands of partner banks and financial advisors, and security researchers found many alarming API vulnerabilities. Researchers were able to demonstrate exploits of these vulnerabilities, showing that anyone could:
- Read any financial records of any customer, despite lacking the proper authorization
- Delete any customer’s user accounts across the financial platform
- Tamper with authentication parameters and take over any account
- Launch an application-level denial of service attack that would render entire applications unavailable
Unfortunately, this financial institution isn’t unique. Attend this session to gain insights into API security best practices to prevent this nightmare from being yours.
A few years ago DataStax launched a new offering of Cassandra-as-a-service in the cloud named ASTRA (astra.datastax.com). You might think that starting databases from web pages has nothing to do with APIs; well, you are wrong.
During this session we will go over the different APIs that have been designed, and how and why. Most of the choices made will be detailed, covering broad categories such as technology, languages, interface, versioning, maintenance and billing. The tooling needed to make your product a success (SDK, CLI, Terraform...) will also be presented. No surprises: the platform leverages cloud providers' services and APIs. Come and learn why a DBaaS is just an API calling other APIs.
API specifications are extremely useful for security teams to monitor API security and compliance conformance and to make suggestions that keep your APIs secure. Many organizations, however, are generating specs that security teams are unaware of and that are often found by would-be attackers. In this session I will show some of the frameworks and tools used by attackers to find your API endpoints and to enumerate endpoints that are missing standard security measures and are open to attack.
As anyone who's worked in BI will tell you, visualization may be the flashy part of analytics, but a lot of hard work is needed to ensure the data is primed and ready. While the effort is being made to clean, blend, and normalize data, APIs can be a powerful way to analyze the data as part of the preparation process, augmenting the data set to uncover deeper insights and make the data easier to understand. In this presentation, you will see how natural language processing can be part of your iPaaS or data preparation flow, adding structure to your unstructured data and adding metadata to enhance your ability to visualize and communicate insights. There's data in your data, and it could be the key to maximizing your analytics.
Many eSignature technologies have seen rapid, steady growth for the same reason: digitizing approval workflows creates so much value for the parties involved. But what if there was a way to build even more trust and value with customers into this process? By leveraging the blockchain, it’s possible to facilitate digital agreements with significantly deeper levels of security and transparency. In this session, we’ll explore the topic of writing digital agreements to the blockchain and demo a working proof of concept that writes to the Polygon PoS (Proof of Stake) chain using open source tooling. We’ll have some time for questions at the end.
Applications and APIs today are expected to evolve rapidly and continuously, or to face disruption. This has driven the need for the agility enabled by Microservices. Meanwhile, mobile has driven both a dramatic increase in data volumes and levels of interaction, while also driving expectations for always-on applications and faster response times.
This talk will cover key architectural elements of cloud-native Microservices that can process at Giga-scale, where event streams or user interactions can require processing as many as one billion events per second. Distributed computing architectures for delivering this scale while also achieving 99.999% uptime will be explored, including in-memory processing and data locality, elasticity and resilience. The talk will also cover new challenges for building transactional apps in these architectures, such as service discovery, retrying, load balancing, tracing the causes of failures, and transactional semantics.
Microservices continue to grow as an architecture for building complex systems. To test microservices, you can use many of the same technologies and techniques used for testing other applications, including API testing. Microservices use well-known technologies, such as REST or queues, for which there are well-established testing tools and best practices. Your infrastructure probably already includes some of these capabilities, whether you’re working onsite or in the cloud.
The unique challenge with microservices is the sheer number of services and their web-like interdependencies that make up an application. With different architectures and protocols employed in microservice development (like Kafka, RabbitMQ, REST, and gRPC), microservices introduce new testing challenges, such as understanding how to effectively monitor event flows.
Join this session to learn key steps to automate testing for orchestrated and reactive (event-driven) architectures, including how to:
- Establish a process for testing synchronous and asynchronous event flows.
- Monitor event flows to identify and trace messages for validation.
- Use simulation to overcome manual steps in an automated test scenario.
KEYNOTE (API): Digibee -- Modern Integration Architecture: A New Approach to Unlock Organizational Agility at Scale
Today the number one challenge companies face is how to become more adaptable to change. New market demands, disruptive technologies, fierce competition and obsessive differentiation only make this reality harsher.
Organizational agility starts with small, independent teams, which organize themselves around a single but impactful problem, delivering value to users and getting quick feedback.
As these teams deliver value and spread throughout the organization, dependencies between them start to appear, hindering agility all over again. This counterintuitive behavior means organizations need to find a way to keep teams independent while keeping them connected.
In this session we will discuss how a modern integration architecture makes independent teams accelerate and, at the same time, collaborate better at scale.
Polling-based APIs, such as RESTful APIs, were the main building blocks of traditional integration stories. But with the need to respond to events in real time, integration architecture has shifted from polling-based to event-driven. With the emergence of reactive event-driven architecture, asynchronous APIs have secured their own distinct position in modern-day integrations.
Even though event-driven APIs provide their own advantages, such as high resiliency, high responsiveness, and more, management of asynchronous APIs continues to be a challenge for organizations.
The AsyncAPI specification plays a major role in the event-driven world by providing a standard way to describe and document asynchronous APIs. This session will explore the entire flow from creating an asynchronous API to exposing it as a managed API by adhering to the AsyncAPI specification.
Do you want to take your next generation application to the next level? Have you ever wondered how you can use analytics, Artificial Intelligence and automation to build a better customer experience? Come join us at this session to see how.
The acceleration of digital transformation in the past year brought on by the pandemic means more services and transactions are taking place online than ever before. While digitizing processes adds convenience and efficiency, it's not enough to remain relevant with your users. As more transactions shift online, so should the social interactions around those transactions. It's not just about adding social features. It's about embedding a social layer where social is wired into the DNA of your product. This may sound like it requires a time-consuming overhaul of your app or existing product, but it doesn't have to. Today's API ecosystem makes it surprisingly fast and easy to implement a rich social experience within your application. In this session, Shailesh Nalawadi will present how companies across several industries have improved KPIs by developing a social engagement layer with chat, voice and video APIs.
In today's world of APIs, microservices, and cloud-native applications there's a common denominator: open-source software. Enterprises all over the world are not only moving to containerized or cloud-native applications, they are adopting the latest open-source innovations, from DevOps tools and container orchestration to the deployment of AI applications in production environments.
In this session, Perforce Chief Evangelist Javier Perez will examine the state of APIs, cloud-native applications, and open-source software in the context of today's application development and how enterprises can define strategies putting all the new trends together.
In this talk, attendees will learn:
• What open source technologies are driving application development and API strategies
• What it means to develop a cloud-native application
• What API integration strategies are being used with cloud-native and AI applications
• AI, ML, and DL in the context of API strategies
• Trends and future of software development
Enterprise API environments have changed. Driven by the explosion of APIs, federation of API programs, and the push to the cloud, companies are rethinking their entire developer tooling and infrastructure stack. APIs are the fundamental building blocks of modern software, and with the advent of digital initiatives they are growing in prevalence throughout the enterprise. This presentation examines the evolution of the API development platform and current best practices engineered to support the explosion of APIs in a modern organization. The speaker will examine the key technologies required to build a modern API stack that is integrated across the entire software development lifecycle, enabling organizations to bring products and services to market more rapidly.
With APIs serving as the connective tissue across all applications, API Management capability is critical to achieving successful outcomes. The rise of the DevOps movement has fostered a culture of self-service supported by distributed infrastructure. What are the characteristics of distributed API Management? How do you drive innovation by accelerating API release velocity? Attend this session to find out the answers to these questions.
We deal with HTTP based APIs for many of our common interactions between services and system components. Not all services we want to communicate with use HTTP, and when confronted with a service that doesn’t use it, getting started can be intimidating. In this talk, we’ll use RabbitMQ Streams as our example service and cover all of the design and implementation considerations needed to work with a non-HTTP API.
In this new world, enterprises are acting more like startups. As enterprises seek to meet their customers' needs, get an edge on their competitors, and help their employees achieve outstanding results, they need to re-imagine how they implement their technology. Modern App Development provides a framework to help developers build highly available, resilient, fully secure, and compliant apps. APIs are a key element of this framework, crossing the boundary from traditional integration to modern app development. In this session, we will outline the Modern App Development Framework with its core requirements, design principles and architecture patterns. We will share some of our experience from our journey modernizing enterprise applications with APIs. We discuss where we are in the journey and offer some insights on the evolution of APIs.
Jonas Iggbom, Director of Sales Engineering at Curity will provide an overview of what a Hypermedia API is and how it can be used for browser-less authentication on iOS and Android. This coupled with the WebAuthn standard for passwordless authentication provides a great user experience especially on mobile devices where the browser context does not have to be invoked and for example FaceID can be used to authenticate the user. Jonas will demo an approach where both technologies work in synergy to provide the most seamless user authentication possible on mobile devices today.
OPEN TALK (API): How a Combined Shift-Left and Shield-Right Approach Enables Continuous API Security
Are you struggling to keep up with the increasing volume and scale of API development? Are you finding that traditional security solutions simply cannot address all API security challenges? You're not alone! APIs have given us unprecedented integration capabilities, but they are also greatly increasing our attack surface. Trying to cope with issues by deploying tools after APIs are done and delivered is simply not going to work. Instead we need to take a proactive approach to API security.
Isabelle explores how a continuous approach to API security can be achieved, combining design-time security measures driven by development with continuous API threat analysis, API-specific vulnerability detection and runtime policy enforcement. She proposes an approach known as security as code to establish a common language across Dev, Sec and Ops teams and demonstrates an automated workflow, from design through deployment that ensures API issues are caught and addressed as early as possible in the API lifecycle.
Large public GraphQL endpoints have all advertised a notion of GraphQL cost for years, and various GraphQL servers and open source projects have implemented GraphQL cost calculations. In 2021, an effort began to standardize how systems communicate GraphQL cost to each other, which promises to dramatically ease securing these systems and thus open up many more big public GraphQL endpoints. Join us to learn about this effort, and how it can benefit you and your GraphQL strategy.
Edge computing enables you to run your application code as close to the customer as possible, reducing latency and improving the user experience. As your compute moves closer to the edge, what data options deliver the same performance, regardless of where your users are located?
In this session, you learn how to integrate Fauna with edge computing providers to provide a responsive, strongly consistent API. You learn how to build, test, and deploy a basic REST API that includes both authenticated and anonymous routes. Finally, you learn how Fauna delivers low-latency performance to the edge while still integrating seamlessly with your existing, centralized computing resources.
In this talk we will describe Adobe Content and Commerce AI, a suite of API-first services developed for Content Intelligence. Content here refers to textual documents as well as images. Our services are created to extract metadata from content and leverage it to power different use cases. For instance, we extract key phrases, entities and concepts, among other things, from text documents. Similarly, we extract color profiles, objects, text and personalities from images. We enable enterprises to categorize content based on a custom taxonomy. Such metadata can power use cases for content management, recommendation and personalization. Concretely, one such use case is AEM, Adobe's content management offering. AEM Assets is a cloud-native, platform-as-a-service solution for experience management that helps businesses efficiently perform Digital Asset Management. It leverages Adobe Sensei APIs for content intelligence to drive automation of tasks and operations that are typically done manually. For example, AEM leverages Sensei's auto-tagging APIs to produce a list of tags, or keywords, associated with an asset. These APIs are run automatically on asset ingestion, after an asset is uploaded to AEM. Having this list of tags makes the asset searchable across the DAM through keywords, heavily reducing the time for DAM users to deliver rich experiences to their customers.
Application security is shifting into the development pipeline; that's no longer up for debate.
But as we shift where we test for vulnerabilities in the SDLC, we also need to rethink how we test. Protecting our most sensitive data requires evolving from testing that focuses on client-side web apps to automated security testing of our backing APIs.
Join StackHawk Chief Security Officer Scott Gerlach as he dives into why API security is a critical component of modernizing any AppSec program, and provides practical suggestions for attendees to start implementing API-first security testing.
OPEN TALK (API): Conversation Intelligence: Enabling Conversation Driven AI Is as Easy as Hitting a Few Endpoints
Conversation Intelligence (CI) enables developers to take their applications beyond basic speech recognition and build more intelligent speech- and conversation-driven functionality and product experiences. Applications enabled by CI are not only able to understand the spoken words, but are capable of comprehending the context of entire conversations.
CI is a rapidly growing sector of AI, and has given rise to a new generation of AI-driven products such as Gong, Outreach, RingDNA, and more. Applications driven by CI are able to monitor, extract, and analyze contextual insights and conversation intelligence in real time to automate workflows, increase revenue, elevate productivity, and provide more pleasant and innovative customer experiences.
Building and extending applications with CI-enabled functionality and experiences no longer requires developers to have any working knowledge of building or training their own machine learning models. Hitting a few endpoints is all it takes to enable CI-driven experiences. Some real-life examples of how CI is being leveraged in everyday applications are products for sales and revenue intelligence, agent coaching, webinar platforms, accessibility, compliance, recruitment and more.
In this session, we will cover the key characteristics of the conversation intelligence API that enable developers to easily build and go live with intelligence. We will talk about various AI aspects of conversation intelligence such as speech-to-text, extracting various contextual insights, summarizing conversations, generating domain-specific insights and intelligence, topic modeling for conversations and accessing advanced conversation analytics. We will discuss the difference between domain-specific and domain-agnostic CI. We will also take a look at an example that combines a few of these with actual code.
If you’re working with OpenAPI, the first question you have to solve is how to get that document written. An implementor can generate a server based on a spec, generate a spec based on a server, or write a spec independent of a server. Ed’s done all three, and will share some of his findings from putting each into production.
Thursday, October 28, 2021
Transforming a company into an API First organization is not purely a technology exercise. It consists of multiple areas: Empowerment, Platform, Culture.
OPEN TALK (API): The Real World, API Security Edition: When Best Practices Stop Being Polite and Start Being Real
API security has emerged as a top priority for protecting vital data and services. Unfortunately, many organizations are just one vulnerable API away from a privacy incident or data breach, and it’s an area where many companies lack expertise.
This “real world” episode shares six essential techniques, drawn straight from the trenches of customer deployments, to help guide your API security best practices.
Join us for a discussion of these key areas:
- API documentation, discovery, and cataloging to improve awareness of your API attack surface
- Runtime protection to prevent sensitive data exposure and protect your APIs from abuse
- API-centric security operations so you're prepared in the event of an API incident or breach
This session will also share ways to make it easier and more automatic to address the many elements of API security.
Come find out what happens…when APIs stop being vulnerable. And start getting secure.
Design First approaches are growing in popularity when it comes to API design. This allows all teams working with APIs to work together, using a common, human-understandable language to define the specifications of the APIs to be implemented. With all stakeholder views being represented, the Design First approach allows teams to create product-driven APIs with short feedback loops, and helps drive parallel development of applications.
In this talk, using an example of building a simple API definition, we will:
- Go through the principles of “Design First Approach”
- Examine the benefits this approach brings
- Look at an example workflow from beginning to end using Design First to build a simple application
Microservices and APIs built for digital transformation products require agile, reliable, and scalable cloud native infrastructure to truly meet customer expectations for a great "always there" user experience. Whether on prem or hosted in a public cloud, understanding and leveraging the right approach is key to success. This session takes up where the development process leaves off, tracking the standardization of containers and container orchestration for automated deployment, including current and future platform trends WSO2 and others are following.
The beauty of IoT solutions is that they can be managed from a central location and deployed all around the world. The challenge, though, is that if a device is disconnected from the network, the only option is to send someone to the location to diagnose and fix the problem, which can be tedious, expensive and slow.
This is not an ideal solution, as the whole point of this type of deployment is that it can be deployed to remote places. Moreover, you don't always have people everywhere the devices are deployed.
In these conditions, working with your cellular network provider(s) to diagnose connectivity issues can be a struggle, as their network infrastructure is often a black box. There needs to be a way to remotely diagnose a network issue or take preemptive action to avoid failures.
In this talk, I will take you through ways of using meta-data from the cloud-native core network of EMnify to troubleshoot network issues using the EMnify API.
Attendees will walk away with the following knowledge:
- How to get more out of the SIM card and connection used in your IoT device
- What the possible reasons are for your IoT device to go offline
- What kind of metadata you can get from the core of a cellular network infrastructure
- How to troubleshoot your offline devices
- How to use this network metadata to build comprehensive dashboards to keep an eye on all your devices
- How else network metadata can help you with daily operations in managing your IoT solution
The target attendee would be developers, product managers, operations people, CTO etc. who work in the IoT industry and use cellular communication for their IoT devices.
A modern technology strategy begins with the creation of a base architecture that enables any project and ensures FLEXIBILITY for the organization. A modern integration architecture is precisely this ENABLING INFRASTRUCTURE.
Using the appropriate stack for this challenge is essential for technology teams to be able to meet the growing demands from the business. Professionals who work with systems integration will no longer have obstacles that hinder projects, finding in this new model a true lever for the creation of new products and services.
In this session, we will explain in practice how to implement a modern integration architecture that enables the unlocking of projects, the connection between ecosystems and the acceleration of teams. We will show how the use of sophisticated technology can be abstracted away by a low code platform, bringing quality and control to data flows, as well as standardizing access to multiple endpoints spread across hybrid environments. It's an opportunity to learn how to create this enabling base layer for the agile delivery of new products and services.
Functional and performance tests of API infrastructures offer little value if they cannot produce detailed error reporting and highly usable feedback loops, especially in agile and CI/CD pipelines. Too many developers rely on tests that give them (and security teams) a "false sense of security," resulting in low developer confidence when releases are rushed to market.
Many developers fear that more robust testing becomes a bottleneck that delays releases. Additionally, multiple teams throughout an organization may be using different toolchains with different development languages, testing tools, and QA processes. There’s no way for managers to gain centralized visibility into all of the local and pipeline testing happening (or not happening) across the entire organization. Siloed processes also raise the risk of human error as a build, for instance, passes a test designed for the goals of one team, but may not support the goals of other teams.
In this API World 2021 session, Sangit Patel, Solutions Engineer at Sauce Labs, will explain how to drive developer confidence at any speed with improved API design and more productive and usable API testing and monitoring.
Top five points covered will include:
1. Make it fast and easy to write or generate API contract tests and E2E functional tests from spec files or recorded API traffic.
2. Make it fast and easy to reuse the functional tests as end-to-end tests, which may then be reused as E2E functional load/performance tests.
3. Reuse the holistic E2E functional performance tests as API monitors that can run continuously with or without a CI/CD in any environment, providing accurate and highly usable feedback throughout rapid iteration and changes to code and databases.
4. Simplify refactoring to automate test maintenance and maintain the reliability of API monitors that provide far more coverage and more usable diagnostics (via detailed reporting and dashboards) than synthetic infrastructure monitors or traditional API monitors.
5. Execute and manage API testing from a cloud platform that offers the scalability, flexibility, and interoperability to support centralized API testing and monitoring across all of the toolchains that distributed teams (or individuals) may prefer using - and plan and execute tests that satisfy all goals across all teams.
Time to market and ability to change rapidly while retaining high quality is a key business driver today. Let's talk about how API developers can automate creation of tests for their APIs, with no code required, and how they can leverage AI to improve code coverage and quality faster than ever before.
Apache Cassandra™ is an incredibly powerful, scalable and distributed open source database. Companies with extremely high traffic use it to provide their users with consistent uptime, blazing speed, and a solid framework. However, many developers find Cassandra to be challenging because the configuration can be complex and learning a new query language (CQL) is something they just don't have time to do.
Stargate is an open source project which sits on top of Cassandra and provides HTTP interfaces to your data - it provides a REST API, a GraphQL API, and a Document API (schemaless, similar to MongoDB). You can install it on top of your own Cassandra instance and participate in the community.
Don't just take my word for it: you can get a free Cassandra instance in the cloud from DataStax. The Astra databases do all the configuration for you up front - they're serverless so they scale with your database needs, and you only pay for the traffic you actually use.
With Astra DB, you can set up proofs of concept and create applications to explore whether Cassandra/Stargate is a system that will work for you. In this session Kirsten will demonstrate a TikTok clone which uses React and Netlify to provide a completely serverless application in the cloud.
In a world with countless software systems that need to be connected, managing integrations becomes both a necessity and a great challenge for companies. It is therefore worth measuring how good integration management can improve and optimize productivity, accelerate your digital transformation and enable the creation of new digital solutions for the company.
In this lecture, you will see some examples of integration problems, effective ways to solve these integration issues, and some frequently asked business questions. Finally, we will discuss a practical framework demonstrating the value of such a solution to the bottom line of the business, sharing some use cases with an integration platform.
The “API First” mantra is great for business innovation, but the end result can often be a wild jungle of APIs that leaves your security team scrambling to ensure adequate API controls are in place to safeguard the business. In this session, we’ll cover a practical strategy to help implement API security across the organization from development through run-time and threat remediation. You’ll see a demonstration of the tools and techniques that, when used with the right methodology, can help your team tame the API jungle.
API gateway technology has evolved a lot in the past decade, capturing use cases in what the industry calls "full lifecycle API management." Originally, API gateways allowed developers to expose and consume APIs, secure them, and govern API traffic. Today, however, they provide a series of functionalities to support the complete development cycle, including creating, testing, documentation, monitoring, event monetization, and overall exposure of our APIs. Another pattern emerged from the industry around 2017: Service Mesh! Service Mesh is an infrastructure layer for microservices communication. It abstracts the underlying network details and provides discovery, routing, and a variety of other functionality. Many have attempted to describe the differences between gateways and service meshes. This talk will also discuss the similarities and differences between the communication layer provided by gateways and service mesh. I want to illustrate the differences between API gateways and service mesh, and most importantly when to use one or the other, pragmatically and objectively.
OPEN TALK (API): 10 Keys for Turning APIs into a Job Promotion: Translating API Knowledge into Business Value
APIs are everywhere. Some of us build them, a lot of us manage them, and all of us consume them. But not everyone knows how to communicate the value of APIs between the technical and business worlds. How do I integrate my APIs? Do I need API Management? How do I use Microservices? It is critical for organizations to understand the API economy as they move to become more profitable and competitive in this age of digital transformation. But very few technical people can effectively translate their API knowledge and vision into business value. The goal of this talk is to provide you with the 10 essential concepts that will equip you to become the API Champion that your organization needs to gain that competitive edge using a solid strategy and proven best practices.
According to Gartner, APIs account for the majority of the public web and mobile application attack surface. The most exploited vulnerabilities no longer come from web server misconfiguration, SQL injection or browser hacks; instead, the majority of widely exploited vulnerabilities now come from application logic, access controls, and other non-conventional flaws. This session will go over the top vulnerabilities in APIs and build an automated and continuous API security testing strategy. The Shift-Left strategy will deliver secure and faster releases while significantly reducing manual and penetration testing security costs.
It’s not enough to just have an open API platform that enables other technology companies to integrate. How do you make it attractive enough for them to stay engaged and keep doing cool stuff, to build the things that haven't even been thought of yet? We want to go even deeper on this idea of making it easy - how we can build the hard things so developers don’t have to.
Foursquare presents the Product Manager's Extra Credit guide to building an A++ Enterprise API. Building an exceptional enterprise API is no easy feat. Earlier this year, Foursquare launched the new Places Enterprise API, built from the foundation of our renowned Developer API. In this session, we'll take you through every step of the process to create a delivery method that can meet enterprise standards and upgrade the developer experience - from understanding your customer's UX criteria and auditing the performance and security of your API infrastructure, to best SLA practices and everything in between.
We, as developers and engineers, love to build new things - it is in our DNA. But as CTOs, engineering leads and product managers, we need to take one step back and look over our strategy. The challenge we often face is that the business side expects us to deliver the best product with the least time without compromising the quality. How can this be done with limited resources and short timeframes?
Whenever planning a new application or improving an existing one, we should constantly evaluate whether the next feature should be developed in-house or whether to pick an off-the-shelf solution. I believe that one should only build the things that are the core function of their business and add direct value to IP and customers.
Let's dig into the benefits and challenges of using third party APIs to speed up the product development process.
In today’s data-driven era, enterprise businesses use more data than ever before, and yet most companies are stuck behind the eight ball using monolithic on-premise databases. Enterprise companies often still store customer data on-premises, requiring them to build out data teams to handle the complex extract, transform, and load processes behind people data, putting their most sensitive data at risk of breach and limiting their ability to tap into third-party data sources. Forward-looking enterprise-scale companies are moving toward pushing their data to other tools and services through the use of APIs, enjoying the advantages of offloading the complexities of loading, de-duplicating, and enriching data, without the risk of security failures or the headache of data storage. In this session, we will outline the shifting world of MarTech, highlight the way in which APIs increase consumer privacy, and discuss specific case studies that highlight the value of moving to off-prem in terms of cost, efficiency, and security.
Takeaways:
• How APIs help offload and simplify sensitive customer data storage
• How APIs increase consumer privacy through anonymization
• Discover tools and best practices for moving beyond on-premises databases
• Discuss how modern data companies are helping build a “source of truth” for customer data