The Importance of Quality in your API Architecture
Christof Sunthorn, Solutions Engineer
SmartBear at a glance: founded 2009; 15M+ users; 24,000+ customers; 650+ employees; 12 global offices; 3 open source initiatives.
Proprietary & Confidential
Agenda
| APIs in our digitally connected world
| Challenges in API development
| Importance of quality in your API architecture
| Strategies to improve quality
| Standardisation and Governance
| Collaboration
| Security
APIs are the foundation of our digitally connected world
Any Application, Any Device, Anywhere, Anytime
[Diagram: applications (instant messaging, AR/VR telepresence, document/database sharing, webcasting, telephone, email, enterprise social network, enterprise applications) reached from devices (smart watch, head-mounted displays, laptop/desktop, tablet, smartphone) at home, at work and on the go]
Quality is essential to ensure applications work
APIs are essential to ensure connections
API development has challenges…
“The more APIs we create, the more they become inconsistent and difficult to understand and support.”
“Creating API documentation from scratch is time-consuming and error-prone.”
“As an API designer, it’s difficult to get feedback on changes during the API development lifecycle.”
“Our development teams lack a single source of truth on the API definition to be implemented.”
“APIs may fail to meet their business goals, even though there was agreement on a design.”
“Quality issues are hurting API adoption.”
State of API 2020 - Standardization Tops API Challenges
| The more APIs created, the more challenges emerge to maintain consistency.
| State of API 2020 Survey - Standardization continued to rank as the top challenge for all organizations as they attempt to scale API development.
| Doubling in importance since 2016!
Chart: Which API technology challenges do you most hope to see solved in the near future? (Select all that apply) - 2020 all responses vs 2016 all responses:
Standardization: 59% (2020), 25% (2016)
Versioning: 45% (2020), 10% (2016)
Security: 39% (2020), 40% (2016)
Easier Integration Between Tools: 37% (2020), 38% (2016)
Composability/Multi-Purpose Re-use: 37% (2020), 23% (2016)
Authentication: 38% (2020), 18% (2016)
Scalability: 36% (2020), 22% (2016)
Discoverability: 26% (2020), 12% (2016)
Other (please specify): 1% (2020), 1% (2016)
The State of API 2020 Report, © 2020 SmartBear Software. All rights reserved.
Importance of Quality in your API architecture
Quality impacts API Consumer Loyalty
| API Consumers are less loyal now than in previous years.
| When consumers run into quality or performance issues with 3rd party APIs, they first report the problem and then look at their options.
| Willingness to leave went from 30% in 2016, to 37% in 2020.
Chart: As an API Consumer, how do you react upon encountering quality or performance issues with 3rd party APIs? (Please select all that apply) - responses for 2016, 2018 and 2020 across: wait for the problem to resolve itself; report the problem publicly (i.e. online forum/community, social media); report the problem to other external people that could be affected (peers, customers, partners etc); review service level agreements; switch to an alternate API provider temporarily; consider switching API providers permanently; report the problem internally to others within your organization; report the problem to the API provider.
The State of API 2020 Report, © 2020 SmartBear Software. All rights reserved.
Today’s APIs Connect Sensitive Data
[Diagram: company assets and services (data, cloud-based services) exposed through APIs to mobile apps, web apps and partner apps]
Real-World Examples
Organization / Description / No. of users affected
Panera Bread: 2018, Panera revealed that 37 million customers had had their data exposed. Some reports attributed the breach to an unauthenticated API endpoint. Affected: 37 million customers
T-Mobile: 2018, attackers exploited a “leaky” API and exposed 2.3 million customers’ personal data. Affected: 2.3 million customers
Capital One: 2019, Capital One announced a breach that had given an attacker access to personal information of those who had applied for various credit products. Through a server-side request forgery, an attacker compromised an application and gained access to Capital One’s AWS-based infrastructure configuration API. Affected: 106 million customers
Aarogya Setu (India’s COVID-19 contact tracing app): India’s COVID-19 contact tracing application had authorization weaknesses and validated parameters at client side rather than server side. In May 2020, a researcher reported that they could make direct API calls and manipulate parameters to get the COVID status of any neighborhood or location in India. Affected: all residents of India (~1.3B)
Strategies to improve quality
Value of the API Definition
| API description formats like OpenAPI (formerly Swagger)
enable you to design an API
o create a definition that end users can utilize to understand
how to best work with your API
| API definitions are language-agnostic
| Readable by both humans and machines
| Enables parallel work streams – virtualization, testing,
integration compatibility - all before coding
API Design Matters
| Consistency in API design is not a given
o Code-first, design-first
o Style guide, no style guide
| Development teams today are distributed across
departments, geographies, time zones
| Collaboration is the rule, both internally and
externally with partners
| Without a focus on API design standards, it is
difficult to create a consistent API consumer
experience
API adoption is tied to consistent design
| If an API is to be used, consumers need a guide to help them understand
o What data is the API providing
o What is its functionality
o API protocols, formats, versions
Gartner: December 16, 2020, How to Successfully Implement API Management
“API design guidelines provide API developers with the information they need to create APIs in a consistent fashion. This increases the usability and, therefore, the adoption of APIs.”
[Screenshot: SwaggerHub embedded style guide flagging a standardization error]
API Standardization and Governance
| Gather input from all stakeholders to ensure API design aligns to business purpose
| Design-first is preferred over code-first
| Leverage a single source of truth for API definitions
| Utilize an API style guide as initial step toward governance
| Leverage custom rules to validate OpenAPI definitions for compliance with API design guidelines
| Understand your API workflow
[Diagram: an asset library of API definitions (API_1, API_2, API_3) checked against the design guidelines, with passing definitions marked ✔ and a non-compliant one flagged !]
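As an added example of the "custom rules to validate OpenAPI definitions" strategy (this is not SmartBear's or SwaggerHub's code): a small Python linter that checks a constructed OpenAPI 3 definition against a few hypothetical design-guideline rules, including ones that catch the kinds of gaps the breach examples above illustrate (an endpoint with no security requirement, a path parameter with no server-side schema). The rule set, rule names and the sample definition are assumptions made for this example.

```python
"""Minimal OpenAPI design-guideline linter (added example, not SmartBear tooling)."""
import json
import re

# Constructed sample OpenAPI 3 definition (not a real API) that deliberately
# violates several of the guideline rules defined below.
SAMPLE_OPENAPI = json.loads(r'''{
  "openapi": "3.0.3",
  "info": {"title": "Orders API", "version": "1.0.0"},
  "servers": [{"url": "http://orders.example.test/v1"}],
  "paths": {
    "/orders/{orderId}": {
      "get": {
        "operationId": "getOrder",
        "parameters": [{"name": "orderId", "in": "path", "required": true,
                        "schema": {"type": "string", "pattern": "^[0-9]{1,12}$"}}],
        "responses": {"200": {"description": "OK"}},
        "security": [{"apiKey": []}]
      },
      "delete": {
        "parameters": [{"name": "orderId", "in": "path", "required": true}],
        "responses": {"204": {"description": "Deleted"}}
      }
    },
    "/getAllOrders": {
      "get": {
        "operationId": "listOrders",
        "responses": {"200": {"description": "OK"}},
        "security": [{"apiKey": []}]
      }
    }
  },
  "components": {"securitySchemes": {
    "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}}
}''')

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options", "trace")
SEGMENT_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")  # kebab-case noun segments


def rule_https_servers(doc):
    """Hypothetical rule S1: every server URL must use https://."""
    return [f"servers[{i}]: {s.get('url')!r} is not https://"
            for i, s in enumerate(doc.get("servers", []))
            if not str(s.get("url", "")).startswith("https://")]


def rule_path_naming(doc):
    """Hypothetical rule N1: static path segments are lowercase kebab-case
    (no camelCase verbs such as /getAllOrders)."""
    findings = []
    for path in doc.get("paths", {}):
        for seg in path.strip("/").split("/"):
            if seg and not seg.startswith("{") and not SEGMENT_RE.match(seg):
                findings.append(f"{path}: segment {seg!r} is not kebab-case")
    return findings


def rule_operations(doc):
    """Hypothetical rules O1-O3, checked per operation: operationId present,
    a security requirement declared (locally or globally), and every path
    parameter carrying a schema so the server validates it instead of
    trusting the client."""
    findings = []
    has_global_security = bool(doc.get("security"))
    for path, item in doc.get("paths", {}).items():
        shared_params = item.get("parameters", [])
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            where = f"{method.upper()} {path}"
            if "operationId" not in op:
                findings.append(f"{where}: missing operationId")
            if not has_global_security and not op.get("security"):
                findings.append(f"{where}: no security requirement (unauthenticated endpoint)")
            for p in shared_params + op.get("parameters", []):
                if p.get("in") == "path" and "schema" not in p and "content" not in p:
                    findings.append(f"{where}: path parameter {p.get('name')!r} has no schema")
    return findings


RULES = (rule_https_servers, rule_path_naming, rule_operations)


def lint(doc):
    """Run every rule; an empty list means the definition passes the style guide."""
    findings = []
    for rule in RULES:
        findings.extend(rule(doc))
    return findings


if __name__ == "__main__":
    # Expect five findings: plain-http server, camelCase path, and three
    # problems on DELETE /orders/{orderId}.
    for finding in lint(SAMPLE_OPENAPI):
        print("FAIL", finding)
```

In a design-first workflow the same checks run in CI on every change to the definition, so a non-compliant API is flagged before any code is written.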
What Is API Security?
“by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
Gartner Research
Simply put, API security is protecting the APIs you build and consume from nefarious use. Because businesses transfer data and connect services via APIs, they are especially prone to attacks. API security means that:
| Only legitimate users can access the system
| The system doesn’t allow users to do more than they should
| Confidential data can only be seen by intended users
| Transaction information is protected
Achieving API Security Goals
| Identify and catalog APIs and endpoints
| Assure and manage API user identities
| Meet regulatory and compliance requirements
| API design governance sets security context for each API type
| API security testing – before, during, and after deployment – is the safety net
Summary
| APIs are the foundation of our digitally connected world
| Quality is important to your API architecture
o Adoption
o Business operations downtime and revenue lost
o Security breaches
| Improve quality through:
o Standardisation and governance
o Collaboration
o Security
Thank You
Any Questions?
How SmartBear Can Help
[Diagram: early testing, OpenAPI Specification]
apidays LIVE Singapore 2021 - The Importance of Quality in your API Architecture by Christof Sunthorn, SmartBear

  • 1. The Importance of Quality in your API Architecture Christof Sunthorn Solutions Engineer
  • 3. Proprietary & Confidential 3 Agenda | APIs in our digitally connected world | Challenges in API development | Importance of quality in your API architecture | Strategies to improve quality | Standardisation and Governance | Collaboration | Security
  • 4. Proprietary & Confidential 4 4 APIs are the foundation of our digitally connected world Any Application Any Device Anywhere Anytime Instant messaging AR/VR telepresence Document / database sharing Webcasting Telephone Email Enterprise social network Enterprise applications Smart watch Head- mounted displays Laptop/desktop Tablet Smartphone Home Work On the go Qualityisessentialtoensureapplicationswork APIs are essential to ensure connections
  • 5. Proprietary & Confidential 5 “The more APIs we create, the more they become inconsistent and difficult to understand and support.” “Creating API documentation from scratch is time- consuming and error-prone.” “As an API designer, it’s difficult to get feedback on changes during the API development lifecycle.”​ “Our development teams lack a single source of truth on the API definition to be implemented.” API development has challenges… “APIs may fail to meet their business goals, even though there was agreement on a design.” “Quality issues are hurting API adoption.”
  • 6. State of API 2020 - Standardization Tops API Challenges | The more APIs created, the more challenges emerge to maintain consistency. | State of API 2020 Survey - Standardization continued to rank as the top challenge for all organizations as they attempt to scale API development. | Doubling in importance since 2016! The State of API 2020 Report, © 2020 SmartBear Software. All rights reserved. [Chart: “Which API technology challenges do you most hope to see solved in the near future? (Select all that apply)”, 2020 All Responses vs 2016 All Responses; categories: Standardization, Versioning, Security, Easier Integration Between Tools, Composability/Multi-Purpose Re-use, Authentication, Scalability, Discoverability, Other (please specify)]
  • 7. Importance of Quality in your API architecture
  • 8. Quality impacts API Consumer Loyalty | API Consumers are less loyal now than in previous years. | When consumers run into quality or performance issues with 3rd party APIs, they first report the problem and then look at their options. | Willingness to leave went from 30% in 2016 to 37% in 2020. [Chart: “As an API Consumer, how do you react upon encountering quality or performance issues with 3rd party APIs? (Please select all that apply)”, 2020 vs 2018 vs 2016; options: Wait for the problem to resolve itself; Report the problem publicly (i.e. online forum/community, social media); Report the problem to other external people that could be affected (peers, customers, partners etc.); Review service level agreements; Switch to an alternate API provider temporarily; Consider switching API providers permanently; Report the problem internally to others within your organization; Report the problem to the API provider] The State of API 2020 Report, © 2020 SmartBear Software. All rights reserved.
  • 9. Proprietary & Confidential 9 APIs are the foundation of our digitally connected world Any Application Any Device Anywhere Anytime Instant messaging AR/VR telepresence Document / database sharing Webcasting Telephone Email Enterprise social network Enterprise applications Smart watch Head-mounted displays Laptop/desktop Tablet Smartphone Home Work On the go Quality is essential to ensure applications work APIs are essential to ensure connections
  • 10. Proprietary & Confidential 10 Company Assets & Services Mobile Apps Web Apps Partner Apps Cloud-Based Services Data Today’s APIs Connect Sensitive Data
  • 11. Proprietary & Confidential 11 Real-World Examples (Organization | Description | No. of users affected)
    Panera Bread | 2018, Panera revealed that 37 million customers had had their data exposed. Some reports attributed the breach to an unauthenticated API endpoint. | 37 million customers
    T-Mobile | 2018, attackers exploited a “leaky” API and exposed 2.3 million customers’ personal data. | 2.3 million customers
    Capital One | 2019, Capital One announced a breach that had given an attacker access to personal information of those who had applied for various credit products. Through a server-side request forgery, an attacker compromised an application and gained access to Capital One’s AWS-based infrastructure configuration API. | 106 million customers
    Aarogya Setu (India’s COVID-19 contact tracing app) | India’s COVID-19 contact tracing application had authorization weaknesses and validated parameters at client side rather than server side. In May 2020, a researcher reported that they could make direct API calls and manipulate parameters to get the COVID status of any neighborhood or location in India. | All residents of India (~1.3B)
  • 13. Value of the API Definition | API description formats like OpenAPI (formerly Swagger) enable you to design an API o create a definition that end users can utilize to understand how to best work with your API | API definitions are language-agnostic | Readable by both humans and machines | Enables parallel work streams – virtualization, testing, integration compatibility - all before coding
  • 14. 14 API Design Matters | Consistency in API design is not a given o Code-first, design-first o Style guide, no style guide | Development teams today are distributed across departments, geographies, time zones | Collaboration is the rule, both internally and externally with partners | Without a focus on API design standards, it is difficult to create a consistent API consumer experience
  • 15. API adoption is tied to consistent design | If an API is to be used, consumers need a guide to help them understand o What data is the API providing o What is its functionality o API protocols, formats, versions Gartner: December 16, 2020, How to Successfully Implement API Management “API design guidelines provide API developers with the information they need to create APIs in a consistent fashion. This increases the usability and, therefore, the adoption of APIs.” SwaggerHub Embedded Style Guide Flagging Standardization Error
  • 16. 16 API Standardization and Governance | Gather input from all stakeholders to ensure API design aligns to business purpose | Design-first is preferred over code-first | Leverage a single source of truth for API definitions | Utilize an API style guide as initial step toward governance | Leverage custom rules to validate OpenAPI definitions for compliance with API design guidelines | Understand your API workflow [Diagram: Asset Library holding API_1, API_2 and API_3, each checked against the Design Guidelines (! ✔ ✔)]
  • 17. What Is API Security? Proprietary & Confidential 17 “by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” Gartner Research Simply put, API security is protecting the APIs you build and consume from nefarious use. Because businesses transfer data and connect services via APIs – they are especially prone to attacks:
  • 18. Proprietary & Confidential 18 Achieving API Security Goals | Only legitimate users can access the system | The system doesn’t allow users to do more than they should | Confidential data can only be seen by intended users | Transaction information is protected | Identify and catalog APIs and endpoints | Assure and manage API user identities | Meet regulatory and compliance requirements | API design governance sets security context for each API type | API security testing – before, during, and after deployment – is the safety net
  • 19. Proprietary & Confidential 19 Proprietary & Confidential Summary | APIs are the foundation of our digitally connected world | Quality is important to your API architecture | Adoption | Business operations down time and revenue lost | Security breaches | Improve quality through: | Standardisation and governance | Collaboration | Security
  • 21. How SmartBear Can Help Proprietary & Confidential 21 Early Testing OpenAPI Specification
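The "custom rules to validate OpenAPI definitions for compliance with API design guidelines" from slide 16, worked through as an added example; this is not code from the talk or from SwaggerHub, and the rule set (semver version, camelCase property names, a security requirement on every operation, $ref-based response schemas for reuse) and the sample Orders API document are constructed for illustration.

```python
"""Minimal OpenAPI style-guide linter (added example, not SwaggerHub's own code).
Custom checks over an OpenAPI 3 document held as a dict: semver info.version,
camelCase property names, a security requirement on every operation, and
$ref-based (reusable) response schemas instead of inline ones."""
import re

SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")
CAMEL_RE = re.compile(r"^[a-z][a-zA-Z0-9]*$")
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def _check_property_names(schema, where, findings):
    """Recursively flag non-camelCase property names in a schema object."""
    if not isinstance(schema, dict):
        return
    for name, sub in schema.get("properties", {}).items():
        if not CAMEL_RE.match(name):
            findings.append(f"{where}: property '{name}' is not camelCase")
        _check_property_names(sub, f"{where}.{name}", findings)
    if "items" in schema:
        _check_property_names(schema["items"], f"{where}[]", findings)


def lint_openapi(doc):
    """Return a list of style-guide violations; an empty list means compliant."""
    findings = []

    # Rule 1: the API version itself must be semver so breaking changes are visible.
    version = str(doc.get("info", {}).get("version", ""))
    if not SEMVER_RE.match(version):
        findings.append(f"info.version '{version}' is not MAJOR.MINOR.PATCH")

    # Rule 2: one naming convention across all reusable schemas.
    for sname, schema in doc.get("components", {}).get("schemas", {}).items():
        _check_property_names(schema, f"components.schemas.{sname}", findings)

    has_global_security = bool(doc.get("security"))
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Rule 3: every operation declares its security context (own or global).
            if not has_global_security and not op.get("security"):
                findings.append(f"{where}: no security requirement declared")
            # Rule 4: responses reference shared models instead of inline schemas.
            for code, resp in op.get("responses", {}).items():
                for ctype, media in resp.get("content", {}).items():
                    schema = media.get("schema", {})
                    if isinstance(schema, dict) and "$ref" not in schema:
                        findings.append(f"{where} {code} {ctype}: inline schema, use a $ref to components")
    return findings


# Constructed sample document with two deliberate violations (non-semver version
# and a snake_case property) next to a compliant, $ref-based, secured operation.
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.2"},
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Order": {
                "type": "object",
                "properties": {"orderId": {"type": "string"}, "customer_id": {"type": "string"}},
            }
        },
    },
    "paths": {
        "/orders/{orderId}": {
            "get": {
                "responses": {"200": {
                    "description": "One order",
                    "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Order"}}},
                }}
            }
        }
    },
}
```

Running `lint_openapi(SAMPLE_DOC)` reports the version and the `customer_id` property; a definition with no document-level `security` and an inline response schema would additionally be flagged per operation.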

Editor's Notes

  1. Hi everyone. Good morning, good afternoon, and good evening to everyone wherever you’re joining from. Hope you are all keeping well. I’d firstly like to introduce myself. I’m Christof Sunthorn, Solutions Engineer at SmartBear and I work with customers to improve their testing workflows. Previously I’ve worked as a Professional Services Consultant at CA Technologies and a Presales Engineer at Micro Focus working on Identity & Access Management and various Security solutions. Thank you for joining me today where I’ll be talking about the importance of quality in your API Architecture.
  2. Before I begin, I’d like to give a short introduction to SmartBear for those who may not have heard of us before. So we were founded in 2009 in Boston and we have grown to 12 global offices. We have over 15M users of our tools designed to ensure quality across the entire SDLC and over 24,000 customers from SMB through to enterprise names like Google, Microsoft and Adidas. Globally we have over 650 employees. And as you may know, SmartBear currently supports 3 open source initiatives which are Swagger and the OpenAPI specification for API design and collaboration, SoapUI for API and web service testing and Cucumber for Behaviour-Driven Development. Original: SmartBear tools are synonymous with quality across the entire SDLC, from planning and design to testing and monitoring. We were founded in 2009 in Boston, Mass and have grown to over 11 global offices, encompassing North America, Europe, Asia, and Australia. Over 6 million developers, testers, and operations professionals from 20,000 plus companies, like Google, RBC, and Vineyard Vines, use our tools every day to deliver bug free software. Our company of over 500 employees also provides 5 free tools for the community, including 2 wildly popular open source tools Swagger and SoapUI.
  3. I want to start by acknowledging that APIs are the foundation of our digitally connected world. I would imagine that most of you would at least somewhat agree with that statement given you are here at apidays today. So as we know, APIs allow applications and devices to talk to one another and work together. This enables us to develop new processes and innovations which can help improve our lives and keep us connected. We’ve seen in the past year, the acceleration of digital transformations and Bloomberg has said that every company now is an eCommerce company. You can see some examples on this slide of how interconnected our world is. From our Zoom meetings while we are working from home, to our smartphones, online banking services, digital supply chains, to even Google Maps in our cars. All these technologies that we use in our day to day lives are all made possible with APIs. **Click** APIs are essential to ensure connections of our applications. **Click** This means API quality is essential to ensure our applications work.
  4. This brings us to API development challenges. Why do these challenges matter? Because they can impact the quality of your API. So, while we’ve been working with customers, we’ve heard a few common challenges come up. Some of these are that the developed APIs fail to meet the original business goals even though there was an agreement on the design. This might be due to lack of collaboration along the process. Another is that as a designer it’s difficult to get feedback during the API development lifecycle or that there isn’t a source of truth on the API definition. This might be because there are multiple API definitions and multiple versions circulating throughout the organization. We’re also hearing that quality issues are hurting adoption – and this makes sense because if your API is not giving an acceptable response time or even giving the correct responses then it’s less likely to be chosen and relied upon. And lastly creating API documentation from scratch is time-consuming and error-prone, which is likely connected to the fact that with more APIs being created, the more they are becoming inconsistent and difficult to understand and support. This is especially relevant in our time now after the pandemic, with most organisations being forced into digital transformation initiatives. Without proper documentation, it’s difficult to adopt your APIs both internally and externally. Consumers won’t know how to integrate your APIs into their applications and this certainly won’t help when there is much more choice in today’s API ecosystem.
  5. To understand these challenges better as part of our State of API report last year, we surveyed over 1,500 API practitioners and customers from a wide range of industries and we learned that the top challenges are standardisation, versioning, security and easier integration between tools. The report shows that Standardisation continues to be the top challenge that organisations want to solve and it has more than doubled in importance since 2016. The same can be said for Versioning. The growth in importance of these two challenges shows us that with the industry taking on digital transformations and the move towards Microservices architecture, that more APIs are being created and this raises the difficulty in maintaining consistency. Optional: The 3rd most concerning challenge in our report is Security and that’s because it’s said to be the next frontier in cybercrime. APIs do provide a new contact point or attack vector which can have vulnerabilities which need to be addressed. All of these challenges will impact the quality of our APIs.
  6. So let’s talk about the importance of quality.
  7. Why is quality important? Well, one reason is that it impacts API Consumer Loyalty. When consumers run into quality or performance issues with 3rd party APIs, they first report the problem and then look at their options. This is what we saw in our survey report. Compared to previous years, there’s a trend that API consumers are less loyal to the APIs they work with when faced with performance issues. In 2016, only 30% of respondents said that an issue would lead them to look for a permanent alternative API provider. Their instinct instead was to review service level agreements. In the years since, service level agreements have decreased and the willingness of consumers to look elsewhere has increased, to 34% in 2019, and now 37% in 2020. So why are API consumers less loyal in 2020? It’s likely a result of more competition in API marketplaces, plus a higher demand on API reliability as tools and systems become more connected and dependent. Downtime of a 3rd party API can also translate directly to lost revenue because of poor experience for consumers and the services they offer. Aside from consumer loyalty, poor quality or poorly functioning APIs within an organization can result in interrupted business operations, data corruption or even downtime. When siloed business units can’t work together in a larger business process, this also stifles innovation and efficiency internally. So we can see that quality is essential with APIs now, and this is where Standardisation can help which I’ll be discussing later.
  8. So I introduced this slide early on to illustrate that APIs are the foundation of our digitally connected world. But let’s think about this in a different context, now as a security officer. From a security perspective, you now have all these new external connections that can be attack vectors for cyber criminals or unknowing users. So let’s think about why cyber criminals and hackers would be interested in exploiting API connections and why you should care?
  9. Cyber criminals care about APIs because they connect our sensitive data. It’s been suggested that the value of data is now higher than oil and there is a “data economy”. In the “data economy”, data is potentially more valuable due to the insight, knowledge and access that can be extracted from it. From a company perspective, they could be holding confidential and sensitive secrets which could be accessed via mobile apps, web apps, partner apps or cloud-based services. If these secrets were accessed by a competitor, partner or made public, it could be seriously damaging. This is why we are seeing more ransomware attacks in recent times. You may remember that the sports watch brand Garmin last year was rumoured to pay a $10 million ransom to regain access to their internal systems. It’s also worth noting that with the security and regulatory laws worldwide slowly adapting to technology risks, data breaches of customer data must now be reported and can incur fines and penalties. There is also the loss of trust by customers and loss of company reputation to deal with. Now moving to a personal data perspective, our phones and smart watches collect a lot of personal and sensitive data. This data can include our personally identifiable information, such as our government IDs, our bank accounts, our credit cards, our locations and even our movement patterns. All these small nuggets of data when combined from multiple sources can become highly valuable. So with APIs in our applications connecting all this sensitive data and providing highly valuable endpoints, it’s no wonder that APIs are appealing for cyber criminals and hackers. Therefore, ensuring your APIs are secure during the design, development, testing and deployment is crucial to securing that sensitive data.
  10. To emphasise the importance of quality from a security perspective in APIs we can review some real-world examples of security breaches. In 2018 Panera Bread revealed 37 million customers had their data exposed due to an unauthenticated API endpoint. T-Mobile exposed 2.3 million customers’ personal data when attackers exploited a leaky API. Capital One announced they had given an attacker access to personal information of those who applied for various credit products through server-side request forgery, where the attacker gained access to Capital One’s AWS-based infrastructure configuration API. And more recently in India, their COVID-19 contact tracing application had authorization weaknesses where parameters were validated on the client side rather than the server side and this led to people being able to manipulate parameters to retrieve the COVID statuses of any neighborhood or location in India. As you can see from these examples, these breaches are related to poorly secured and designed APIs, and unprotected API endpoints. These flaws allow attackers to gain access to user account information, transaction details, and personal health status. What’s even more worrying is the ability of attackers to control or modify configuration of business, government or utilities infrastructure or take control of your personal IoT devices. Unused: So, with this rise in API breaches and attacks, we’re seeing an increased desire to push API security testing further to the left where it becomes part of the development cycle – this is especially important for small/medium sized businesses that are not able to have dedicated security teams.
  11. So now that we understand the importance and impact of quality in your API architecture, let’s discuss some strategies you can employ in your API development framework to improve quality.
  12. I mentioned previously that standardization can help improve the quality of your API development. This is where the API Definition comes in. The definition helps define and describe the features and behaviours of the API to be designed. You can think of the API definition as a blueprint for your house. It would be pretty unconventional to start building walls and windows to your house without knowing if there was going to be a toilet in the way in the future. It makes more sense to plan the design and agree on the design before we start construction. The same can be applied to API development. Now in the real world it’s unlikely that we finalise an API design and no further changes are made during the development, but having a definition can certainly go a long way in keeping a consistent and always understandable design philosophy. The industry standard for defining RESTful APIs is the OpenAPI specification (formerly known as Swagger) which is supported by SmartBear. It allows end users to understand how best to work with your APIs. It’s language agnostic and readable by both humans and machines. One benefit of API definitions that is sometimes forgotten is the ability to have parallel work streams. That is, from your API definition you can start testing and even create a virtual web service all before coding starts. This ensures that testing for quality starts earlier in your API development lifecycle. Unused: Blueprint for the API (Spec) Industry standard for defining RESTful APIs Design first approach
  13. So I talked a little bit about design before but let’s dive a bit deeper on why it matters. Consistency in API design is not a given. We need to think if your organization is currently a code-first or design-first shop and do your current processes enforce a style guide or not. If we go back to my example before of the code-first approach, it’s more costly to make changes after the API’s already been coded and built. However, if we move towards a design first approach which is more collaborative, where we involve all the stakeholders from business analysts, testers and consumers, we can get a clearer picture of our requirements before we start building. So the advantage here is if we identify any changes to the design early in the process, this is a lot more time and cost effective to implement at the design stage rather than having to go back and make changes once the code has been implemented. At the end of the day, for the API to be successful it needs to meet most of the stakeholders’ goals and without a focus on API design standards, it’s difficult to create a consistent API consumer experience. Unused: Why does API Design matter? Consistent approach to designing and developing APIs? Code-first or Design-first or both? Benefit of API-first? Making the changes at the design phase Collaboration between multiple parties More cost-effective Bringing in BAs/Testers/Analysts etc. The API has to deliver for all the stakeholders to be successful
  14. You can have a great API but if people don’t understand how to use it? People will not use it They will look for something better There are so many choices out there now Easy to use and easy to understand Developer trying to integrate with an API Documentation is not up to date, it’s a different version. You are guaranteed to lose someone
  15. So let’s summarise the strategies to improve quality through standardization and governance. We need to focus on… <points> Different teams and different designers Consistency Camelcase or underscore Semantic versioning The use of domains A library of common components that can be used for reusability Define once in a domain and re-use across multiple APIs
  16. Finally, when discussing quality we need to talk about API security. So what is API security? Simply put, API security is protecting the APIs you build and consume from nefarious use. Because businesses transfer data and connect services via APIs – they are especially prone to attacks, as we discussed in the earlier slides. Gartner Research estimates that “by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” So, it’s crucial to protect API connections and verify that those connections are not prone to attack or acting maliciously.
  17. So how can we achieve our API Security Goals? As an example, your core goals are likely to include: Ensuring only legitimate users can access the system. The system doesn’t allow users to do more than they should. Confidential data can only be seen by intended users. And transaction information is protected. Now for the sake of time, I won’t go through all the points, but a good starting point to achieving these goals is being able to identify and catalog your APIs and endpoints. This is because you can’t protect what you don’t know. You may have public APIs sharing data that your operations and security teams are completely unaware of. This is where SwaggerHub can help by providing that source of truth and API catalog to give your organization visibility. The second point is assuring and managing API user identities. Offering public APIs means that API calls come from a wide range of customers, partners, and applications. Yet many API security models authenticate and authorize only the initial API user’s identity and then let the user run under a trusted shared identity with broad data entitlements, which opens the API to breaches. So not only should we verify who the user is, we also need to manage what level of access to data various users are entitled to based on their roles. This area is usually handled by Identity Governance and Single Sign On solutions but SwaggerHub with OpenAPI is able to specify and work with industry authentication and authorization schemes. Another critical component of API security is API design. The context, usage, and purpose vary across APIs, creating different security demands and requirements. One of the big mistakes we find when reviewing API strategies, products, and services is inadequate attention to API classification and organisation. Good classification of API types is critical for understanding the risks and value-add for your APIs.
By categorizing and tagging APIs early in the identification and design process, this helps to ensure the right teams and appropriate policies are assigned. These areas of API design are where SwaggerHub and OpenAPI can help. Lastly, but just as crucial, is API security testing. We can start to identify weaknesses in the API definition during development using security-oriented functional tests and then continue to run this through to production where we can help identify data flow and trust level issues. Examples of what we should test for can include ensuring that a request from user A for user B’s data will fail and that failure messages look the same no matter which element of backend infrastructure catches the invalid request. Additionally, by using the OpenAPI definition you’ll be able to test that the API’s behaviour matches its purpose and there is no unintended data leakage.
  18. High level overview of the SwaggerHub API Ecosystem SwaggerHub can integrate with: API Gateways SCM Repos CI/CD ReadyAPI for functional testing and virtualization
  19. That makes it a good time to talk about DevSecOps. So what is DevSecOps? At its simplest, DevSecOps is about removing the barriers between four traditionally siloed teams: development, QA, security and operations, all for the sake of accelerating the deployment of higher quality software. To us, DevSecOps is not just about removing barriers but answering the question of how to embed security tests into your CI/CD pipeline with minimal effort. And this is where we think ReadyAPI can really help businesses on that journey. Being able to reuse functional tests for security tests the same way you can reuse them for performance tests is one of the main benefits of ReadyAPI and Martin may show this in the demo later. But before we focus on the testing component, there are other steps that an organization can take to help them secure their APIs. [next slide]
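The security-oriented functional test described in the slide 17 notes (a request from user A for user B's data must fail, the failure response must look the same whichever layer rejects it, and there must be no unintended data leakage), together with the server-side parameter validation point from the contact-tracing example on slide 11, worked through as an added example in Python; this is not code from the talk or from ReadyAPI. The handler, users, tokens and records are constructed, and the single generic 404 denial shared by every layer is a design choice assumed here.

```python
"""Security-oriented functional test of object-level authorization (added
example, not SmartBear/ReadyAPI code). A tiny GET /records/{id} handler has two
enforcement points, a gateway-style token check and a service-layer ownership
check; the test verifies that user A cannot read user B's record, that every
rejection returns the same response regardless of which layer produced it, and
that a success response carries only the fields the published schema exposes.
All tokens, users and records below are constructed for illustration."""
from dataclasses import dataclass

# Constructed store: the record's owner is authoritative server-side state.
RECORDS = {
    "r-100": {"owner": "alice", "covidStatus": "negative", "internalNotes": "do not expose"},
    "r-200": {"owner": "bob", "covidStatus": "positive", "internalNotes": "do not expose"},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # bearer token -> authenticated subject
EXPOSED_FIELDS = ("covidStatus",)                  # fields the (hypothetical) schema publishes

# One generic denial shared by every layer: same status, same body, no hint
# whether the record is missing, belongs to someone else, or auth failed.
GENERIC_DENIAL = (404, {"error": "not_found", "message": "resource not available"})


@dataclass
class Response:
    status: int
    body: dict


def authenticate(headers):
    """Gateway layer: map a bearer token to a subject, or None if invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_record(headers, record_id, query):
    """Service layer. Identity comes only from the verified token; a
    client-supplied `user` query parameter (the client-side-validation flaw
    in the contact-tracing example above) is ignored, never trusted."""
    subject = authenticate(headers)
    if subject is None:
        return Response(*GENERIC_DENIAL)           # rejected by the auth layer
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != subject:
        return Response(*GENERIC_DENIAL)           # rejected by the ownership check
    return Response(200, {k: record[k] for k in EXPOSED_FIELDS})  # schema-filtered


def run_security_checks():
    """Run the checks a security-oriented functional test would; return name -> pass."""
    alice = {"Authorization": "Bearer tok-alice"}
    results = {}
    own = get_record(alice, "r-100", {})
    results["owner_can_read"] = own.status == 200 and own.body == {"covidStatus": "negative"}
    results["no_internal_field_leak"] = "internalNotes" not in own.body
    # User A requests user B's record and also spoofs a `user` parameter.
    cross = get_record(alice, "r-200", {"user": "bob"})
    results["cross_user_denied"] = cross.status != 200 and "covidStatus" not in cross.body
    # Auth-layer rejection, ownership rejection and missing record look identical.
    unauth = get_record({}, "r-200", {})
    missing = get_record(alice, "r-999", {})
    results["uniform_failure"] = (
        (unauth.status, unauth.body) == (cross.status, cross.body) == (missing.status, missing.body)
    )
    return results
```

If the ownership check were dropped from `get_record`, `cross_user_denied` would fail; if it returned a distinct 403, `uniform_failure` would fail, which is the kind of regression such a test catches when run against a real deployment.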