For flex(ibility)'s sake, modernize your legacy APIs!
APISecure
March 15, 2023
© Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.
Topher Marie
• CTO and Cofounder of Strata Identity
• Lead Identity Architect at Oracle
• Product Owner at Auth0
• CTO and Cofounder of JumpCloud
• Engineer at Ping Identity and Symplified
What do we mean by "Legacy?"
• Contrast new development and "Legacy" software
• Legacy software is currently and actively used by its intended audience
• Can be from many different sources
• COTS
• Enterprise platforms
• Bespoke
"Legacy" software is important too!
• We discuss new development a lot!
• A lot of effort is actually on existing software
• Maintenance and enhancements
• The business use case continues to be important, but the underlying software may be beginning to age out.
• Vulnerabilities accrue
• Paradigms have changed
What do we mean by "Modernization?"
• No need/desire to update business functionality
• At least, this isn't the focus
• Security and Access Control fixes
• Enhanced usability is often a side effect
• Latest API frameworks/behaviors
Typical trigger scenarios
• Legacy system reaches EOL
• Price increases for a legacy platform
• Centralizing responsibility for security/access management into a single team
• Adding security to an existing app via second-factor auth
• Improving overall security posture, moving to zero-trust
• Difficult to maintain because of talent availability
Some goals of modernization
● Fix vulnerabilities, enhance security
● Take advantage of popular/modern frameworks
○ Don't undervalue the power of community
● Follow current best practices
Tactics for Modernization
Not every modernization journey is the same
Default Tactic: Do a rewrite
• This is what most engineers think about first
• Lots of professional services companies and consultants like to do this too
Some downsides to rewrites
• Budget
• Time
• Complexity
• Lack of expertise
• Risk of breakage
• Security
• Business use cases
• Can you stop developing in the existing codebase? Or is it a moving target?
• Rewrite of Netscape killed the company
The rewrite treadmill
• Constant evolution of security
• OAuth best practices, but now SSE / CAEP
• Basic API paradigms: REST -> RPC -> GraphQL
Tactic: facade
• Wrap the existing software with enhanced functionality
• Facade acts as a proxy to the existing API
• Similar to the Mediator pattern in some ways
• API or application itself is not changed
• Current best practices are applied at the facade
• Security
• Access Control
• API Paradigm
Tactic: facade (diagram)
Benefits of the facade
• API doesn't know anything has changed
• Old functionality is always still available
• Less risk to business logic
• Can be incrementally deployed / developed
• Security, access control, even API paradigm can be decoupled from the business logic
Why decouple?
• If we don't decouple here, we're basically rewriting the app
• Software and security are constantly evolving.
• Without decoupling, we have a new legacy product on our hands immediately.
• Maintains flexibility for similar changes in the future
Creating your facade
Get a bite at the traffic by routing it through a proxy point
Iron out the networking
By doing nothing more than proxying traffic at first, you can confirm that traffic is routed appropriately before any behavior changes.
Prepare traffic filtering (diagram)
Allows an incremental approach
• We don't want a big bang cutover
• We're able to make incremental changes via the facade / abstraction layer and show immediate value.
Aside: the Big-Bang Antipattern
• Significant project risk and investment.
Modernize the protocol
• If needed, this is also a good time to modernize the API protocols themselves
• Could also just be adding additional options
• From legacy to REST
• Add JSON, JWTs, etc.
Decouple the identity
• Target App/API receives identity from the proxy/abstraction layer in the expected format
• Proxy receives the identity from the existing identity provider
• Each application / identity provider can be migrated separately.
Harden the identity
• With this abstraction layer, we can now layer in additional factors
• Add in step-up authentication for incoming identity
• Add mutual TLS for outbound identity
• Continuous Access Evaluation Protocol
• Risk Incident Sharing and Coordination
Externalize Authorization
• For resources that aren't focused on authorization, the facade layer becomes a point where authorization can be implemented
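As an added example (not from the slides and not Strata's product code), the Python sketch below runs the facade steps above end to end: it verifies a modern bearer JWT issued by the identity provider, enforces a route-level authorization policy at the facade, strips any caller-supplied identity headers, and forwards the request to the untouched legacy API with the identity in the header format that app expects. The HS256 key, issuer, audience, `X-Legacy-*` header names, the policy table and the `legacy_backend` stand-in are all constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for this demo (assumptions, not from the slides).
FACADE_SIGNING_KEY = b"constructed-demo-hs256-key"   # shared with the assumed identity provider
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "legacy-facade"

# Authorization externalized to the facade: (method, path prefix) -> roles allowed.
POLICY = {
    ("GET", "/api/orders"): {"reader", "admin"},
    ("POST", "/api/orders"): {"admin"},
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT the way the assumed IdP would; used only to build sample input."""
    h64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Verify an HS256 JWT at the facade; raise ValueError on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")            # pin the algorithm; never accept alg=none
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing subject")
    return claims


def legacy_backend(method: str, path: str, headers: dict, body):
    """Stand-in for the untouched legacy API: it simply trusts the X-Legacy-* headers."""
    return 200, {"user": headers["X-Legacy-User"],
                 "groups": headers["X-Legacy-Groups"], "path": path}


def facade(method: str, path: str, headers: dict, body=None, now=None):
    """Facade entry point: modern token in, legacy identity headers out, policy in between."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "bearer token required"}
    try:
        claims = verify_jwt(auth[len("Bearer "):], FACADE_SIGNING_KEY, now)
    except ValueError as exc:
        return 401, {"error": str(exc)}

    roles = set(claims.get("roles", []))
    route = next((r for r in POLICY if r[0] == method and path.startswith(r[1])), None)
    if route is None or not (roles & POLICY[route]):
        return 403, {"error": "forbidden"}            # deny by default

    # Drop any caller-supplied header that mimics the legacy identity headers,
    # then inject the verified identity in the format the legacy app expects.
    forwarded = {k: v for k, v in headers.items() if not k.lower().startswith("x-legacy-")}
    forwarded.pop("Authorization", None)              # the legacy app never sees the JWT
    forwarded["X-Legacy-User"] = claims["sub"]
    forwarded["X-Legacy-Groups"] = ",".join(sorted(roles))
    return legacy_backend(method, path, forwarded, body)
```

The injected `X-Legacy-*` headers are only trustworthy if the legacy API accepts traffic solely from the facade (the "iron out the networking" step); otherwise a caller could set them directly and bypass the facade's checks.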
Improve practices
• Continuous Integration
• Regression testing
• Documentation
Companies that work in this space
• Apigee, Amazon
• Tyk, Mulesoft, Kong
• Strata Identity
Thank You!
APIsecure 2023 - For flex(ibility) sake, modernize your legacy APIs!, Topher Marie (Strata Identity)

7. Some goals of modernization
● Fix vulnerabilities, enhance security
● Take advantage of popular/modern frameworks
○ Don't undervalue the power of community
● Follow current best practices

8. Tactics for Modernization
Not every modernization journey is the same

9. Default Tactic: Do a rewrite
• This is what most engineers think about first
• Lots of professional services companies and consultants like to do this too

10. Some downsides to rewrites
• Budget
• Time
• Complexity
• Lack of expertise
• Risk of breakage
• Security
• Business use cases
• Can you stop developing in the existing codebase? Or is it a moving target?
• Rewrite of Netscape killed the company

11. The rewrite treadmill
• Constant evolution of security
• OAuth best practices, but now SSE / CAEP
• Basic API paradigms: REST -> RPC -> GraphQL

12. Tactic: facade
• Wrap the existing software with enhanced functionality
• Facade acts as a proxy to the existing API
• Similar to the Mediator pattern in some ways
• API or application itself is not changed
• Current best practices are applied at the facade
• Security
• Access Control
• API Paradigm

13. Tactic: facade

14. Benefits of the facade
• API doesn't know anything has changed
• Old functionality is always still available
• Less risk to business logic
• Can be incrementally deployed / developed
• Security, access control, even API paradigm can be decoupled from the business logic

15. Why decouple?
• If we don't decouple here, we're basically rewriting the app
• Software and security are constantly evolving.
• Without decoupling, we have a new legacy product on our hands immediately.
• Maintains flexibility for similar changes in the future

16. Creating your facade
Get a bite at the traffic by routing through a proxy point

17. Iron out the networking
By not doing much other than proxying traffic, you can make sure you can route traffic appropriately

18. Prepare traffic filtering

19. Allows an incremental approach
• We don't want a big bang cutover
• We're able to make incremental changes via the facade / abstraction layer and show immediate value.

20. Aside: the Big-Bang Antipattern
• Significant project risk and investment.

21. Modernize the protocol
• If needed, this is also a good time to modernize the API protocols themselves
• Could also just be adding additional options
• From legacy to REST
• Add JSON, JWTs, etc.

22. Decouple the identity
• Target App/API receives identity from the proxy/abstraction layer in the expected format
• Proxy receives the identity from the existing identity provider
• Each application / identity provider can be migrated separately.

23. Harden the identity
• With this abstraction layer, we can now layer in additional factors
• Add in step-up authentication for incoming identity
• Add mutual TLS for outbound identity
• Continuous Access Evaluation Protocol
• Risk Incident Sharing and Coordination

24. Externalize Authorization
• For resources that aren't focused on authorization, the facade layer becomes a point where authorization can be implemented

25. Improve practices
• Continuous Integration
• Regression testing
• Documentation

26. Companies that work in this space
• Apigee, Amazon
• Tyk, Mulesoft, Kong
• Strata Identity
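The facade of slides 12 and 21 to 24 in miniature, as an added example that is not from the talk, from Strata Identity or from any product named above: the proxy verifies the modern identity provider's JWT, applies an externalized authorization policy that includes a step-up requirement, and hands the untouched legacy API its identity in the header format it already expects. The HS256 shared key, the POLICY table, the X-Legacy-User header and the roles/amr claims are all constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json
# Constructed demo key shared by the facade and the modern IdP; a real facade verifies
# RS256/ES256 tokens against the IdP's published JWKS instead of a shared secret.
FACADE_KEY = b"constructed-demo-key-not-for-production"
# Externalized policy (constructed), most specific prefix first:
# (path prefix, roles allowed, step-up MFA required?). No match means no access.
POLICY = [("/accounts/transfer", {"teller"}, True), ("/accounts", {"teller", "auditor"}, False)]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict) -> str:
    """Stand-in for the modern identity provider: issue an HS256 JWT (demo only)."""
    head, body = _b64url(b'{"alg":"HS256"}'), _b64url(json.dumps(claims).encode())
    sig = hmac.new(FACADE_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, now: float) -> dict:
    """Return the claims of a valid, unexpired HS256 JWT; raise ValueError otherwise."""
    head, body, sig = token.split(".")  # ValueError unless exactly three segments
    if json.loads(_unb64url(head)).get("alg") != "HS256":  # refuse alg=none and friends
        raise ValueError("unsupported alg")
    good = hmac.new(FACADE_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def facade_handle(path: str, headers: dict, now: float) -> dict:
    """Authenticate and authorize here; return what to forward to the legacy API (X-Legacy-User assumed)."""
    auth = headers.get("Authorization", "")
    try:
        if not auth.startswith("Bearer "):
            raise ValueError("no bearer token")
        claims = verify_jwt(auth[len("Bearer "):], now)
    except ValueError:
        return {"status": 401, "www_authenticate": 'Bearer error="invalid_token"'}
    roles, needs_mfa = next(((r, m) for p, r, m in POLICY if path.startswith(p)), (set(), False))
    if not roles & set(claims.get("roles", [])):  # deny by default: empty role set never matches
        return {"status": 403}
    if needs_mfa and "mfa" not in claims.get("amr", []):  # step-up challenge per RFC 9470
        return {"status": 401, "www_authenticate": 'Bearer error="insufficient_user_authentication"'}
    fwd = {k: v for k, v in headers.items() if k != "Authorization"}  # the JWT stops at the facade
    fwd["X-Legacy-User"] = claims["sub"]
    return {"status": 200, "forward_path": path, "forward_headers": fwd}
```

Because the legacy application only ever sees X-Legacy-User, the IdP, the token format and the policy can each be swapped later without touching the application, which is the decoupling slide 15 argues for.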