THE 2018 PLATFORM SUMMIT
BEST PRACTICES FOR API DESIGN TO KEEP YOUR APP SECURE, SCALABLE & EFFICIENT
Amjad Afanah, FX Labs, Inc.
Intesar Mohammed, FX Labs, Inc.
founders@fxlabs.io
https://fxlabs.io
AGENDA
API Design Best Practices
Microservices Architecture for Agility & Scalability
Best Practices for Securing APIs
Benefits of Continuous Testing & Compliance
API DESIGN BEST PRACTICES
HTTP METHODS / URIS FOR COLLECTION
API DESIGN BEST PRACTICES
USE NOUNS BUT NO VERBS
Prefer Nouns to Verbs
Nouns refer to resources
Resources are handled with HTTP verbs
Verbs can be used for Actions or Calculations
/login, /logout
/convertTemperature
/repositories/123/star
API DESIGN BEST PRACTICES
USE SUB-RESOURCES FOR RELATIONS
If a resource is related to another resource, use sub-resources.
GET /cars/711/drivers/ Returns a list of drivers for car 711
GET /cars/711/drivers/4 Returns driver #4 for car 711
API DESIGN BEST PRACTICES
HANDLE ERRORS WITH HTTP STATUS CODES
API DESIGN BEST PRACTICES
PROVIDE HELPFUL ERROR PAYLOAD
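The four design slides above (noun URIs, sub-resources, HTTP status codes, a helpful error payload) can be shown working together in one small router. The following is an added example, not code from the deck or from FX Labs; the car/driver data, the route table and the error-body layout (`error.status`, `error.code`, `error.message`, `error.details`) are constructed for illustration.

```python
import re

# Constructed sample data: cars keyed by id, drivers as a sub-resource of a car.
CARS = {711: {"id": 711, "model": "Volvo XC90"}}
DRIVERS = {711: {4: {"id": 4, "name": "Ada"}, 5: {"id": 5, "name": "Linus"}}}

# Route table: (method, compiled path pattern, handler) in registration order.
ROUTES = []


def route(method, pattern):
    """Register a handler for an HTTP method and a noun-based path pattern."""
    def register(fn):
        ROUTES.append((method, re.compile("^" + pattern + "$"), fn))
        return fn
    return register


def error_payload(status, code, message, **details):
    """Error body a client can act on: stable machine-readable code,
    human-readable message, and the details needed to fix the request."""
    body = {"error": {"status": status, "code": code, "message": message}}
    if details:
        body["error"]["details"] = details
    return status, body


@route("GET", r"/cars/(?P<car_id>\d+)/drivers/?")
def list_drivers(car_id):
    """GET /cars/711/drivers/ -> the drivers of car 711."""
    car = int(car_id)
    if car not in CARS:
        return error_payload(404, "car_not_found", "no car with this id", car_id=car)
    return 200, list(DRIVERS.get(car, {}).values())


@route("GET", r"/cars/(?P<car_id>\d+)/drivers/(?P<driver_id>\d+)")
def get_driver(car_id, driver_id):
    """GET /cars/711/drivers/4 -> driver 4 of car 711."""
    car, driver = int(car_id), int(driver_id)
    if car not in CARS:
        return error_payload(404, "car_not_found", "no car with this id", car_id=car)
    if driver not in DRIVERS.get(car, {}):
        return error_payload(404, "driver_not_found", "car has no such driver",
                             car_id=car, driver_id=driver)
    return 200, DRIVERS[car][driver]


@route("POST", r"/cars/(?P<car_id>\d+)/drivers/?")
def add_driver(car_id, name="new driver"):
    """POST to the collection creates a driver; 201 signals creation."""
    car = int(car_id)
    if car not in CARS:
        return error_payload(404, "car_not_found", "no car with this id", car_id=car)
    drivers = DRIVERS.setdefault(car, {})
    new_id = max(drivers, default=0) + 1
    drivers[new_id] = {"id": new_id, "name": name}
    return 201, drivers[new_id]


def dispatch(method, path):
    """Resolve method + path to a handler. Unknown paths are 404; a known path
    with an unsupported method is 405 and lists what is allowed."""
    allowed = []
    for m, pattern, handler in ROUTES:
        match = pattern.match(path)
        if match is None:
            continue
        if m == method:
            return handler(**match.groupdict())
        allowed.append(m)
    if allowed:
        return error_payload(405, "method_not_allowed", f"{method} not supported here",
                             allowed=sorted(set(allowed)))
    return error_payload(404, "not_found", "no such resource", path=path)


if __name__ == "__main__":
    print(dispatch("GET", "/cars/711/drivers/"))
    print(dispatch("GET", "/cars/711/drivers/4"))
    print(dispatch("DELETE", "/cars/711/drivers/4"))
    print(dispatch("GET", "/convertTemperature"))
```

The 405 response deliberately carries the allowed methods and the 404 names which resource was missing: a client that gets `driver_not_found` with the ids echoed back can correct itself, whereas a bare status code leaves it guessing.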
MICROSERVICES
MONOLITH VS. MICROSERVICES
Business requirements change rapidly and continuously. The need to ship updated versions of your app becomes increasingly critical.
MICROSERVICES
MICROSERVICES PRINCIPLES
Developed Independently
Does One Thing Well
Deployment Independence
API Focused
Decentralized Data Management
Easy to Scale
Polyglot
MICROSERVICES
MONOLITH PROS & CONS
MICROSERVICES PROS & CONS
BEST PRACTICES FOR SECURING APIS
HTTPS
Secure REST services must only provide HTTPS endpoints. This protects authentication credentials in
transit, for example passwords, API keys or JSON Web Tokens. It also allows clients to authenticate the
service and guarantees integrity of the transmitted data.
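One way to enforce the HTTPS-only rule on both sides of the connection, as an added example (not code from the deck or from FX Labs): the server refuses plain-HTTP requests instead of redirecting them and sets an HSTS header on successful responses, and the client builds a TLS context that verifies the certificate chain and hostname with a TLS 1.2 floor. The request dictionary, the `X-Forwarded-Proto` handling and the one-year HSTS value are assumptions chosen for the example.

```python
import ssl
from urllib.parse import urlsplit

# One year, subdomains included: HSTS-aware clients refuse plain http for this
# host afterwards. Assumed policy value.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def request_scheme(request):
    """Scheme the client actually used. Assumption: the service sits behind a
    trusted reverse proxy that terminates TLS and sets X-Forwarded-Proto; if it
    does not, only the socket scheme may be trusted."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return headers.get("x-forwarded-proto", request["scheme"]).lower()


def handle(request):
    """Refuse anything that did not arrive over HTTPS. An API refuses instead of
    redirecting: a 301 would teach clients that plain http 'works', and any
    credential in such a request has already crossed the wire in clear text."""
    if request_scheme(request) != "https":
        return 403, {}, {"error": {"code": "https_required",
                                   "message": "this API is served over https only"}}
    body = {"ok": True, "path": request["path"]}
    return 200, dict([HSTS_HEADER]), body


def client_tls_context():
    """Client side: ssl.create_default_context() already requires a valid chain
    and matching hostname; the example adds a minimum-version floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """Check a context before handing it to an HTTP client."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def https_endpoint(url):
    """Fail fast on a misconfigured base URL rather than sending a token over http."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url}")
    return url


if __name__ == "__main__":
    print(handle({"scheme": "http", "path": "/items"}))
    print(handle({"scheme": "https", "path": "/items"}))
    print(context_is_strict(client_tls_context()))
```

Trusting `X-Forwarded-Proto` is only safe when the header is set by your own proxy and stripped from incoming traffic; otherwise a client can claim HTTPS on a plaintext connection.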
BEST PRACTICES FOR SECURING APIS
PAGINATION LIMITS TO PREVENT DDOS ATTACKS
Offset Pagination
Most endpoints that return a list of entities will need some sort of pagination. Without pagination, a simple search could return millions or even billions of hits, causing excessive network traffic.
This is the simplest form of paging. Limit/Offset became popular with apps using SQL databases, which already have LIMIT and OFFSET as part of the SQL SELECT syntax. Very little business logic is required to implement Limit/Offset paging.
Client makes a request for the most recent items: GET /items?limit=20
On scroll/next page, the client makes a second request: GET /items?limit=20&offset=20
Other types of pagination include Keyset Pagination and Seek Pagination
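The slide names the limit/offset scheme but not the part that actually protects the service: the server, not the client, decides the maximum page size. The following added example (not code from the deck or from FX Labs) parses `limit` and `offset`, clamps the limit to a server-side cap, rejects garbage and over-deep offsets, and binds both values as SQL parameters so the statement text never changes. The `items` table, the cap values and the `next` link format are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

DEFAULT_LIMIT = 20
MAX_LIMIT = 100       # upper bound a client can never exceed (assumed policy value)
MAX_OFFSET = 10_000   # deep OFFSET scans cost O(offset) rows; bound them (assumed value)
UINT_RE = re.compile(r"[0-9]{1,9}")   # ASCII digits only, bounded length


class BadRequest(ValueError):
    """Maps to HTTP 400 in a real handler."""


def parse_page(query):
    """Turn ?limit=..&offset=.. into safe integers. Missing -> defaults,
    over-large limit -> clamped, garbage or over-deep offset -> BadRequest."""
    params = parse_qs(query, keep_blank_values=True)

    def read(name, default):
        raw = params.get(name, [str(default)])[-1]
        if not UINT_RE.fullmatch(raw):          # rejects '', '-1', '1e9', 'abc'
            raise BadRequest(f"{name} must be a non-negative integer")
        return int(raw)

    limit = min(read("limit", DEFAULT_LIMIT), MAX_LIMIT)
    if limit == 0:
        raise BadRequest("limit must be at least 1")
    offset = read("offset", 0)
    if offset > MAX_OFFSET:
        raise BadRequest(f"offset may not exceed {MAX_OFFSET}")
    return limit, offset


def fetch_items(conn, query):
    """Serve one page. limit and offset are bound as parameters, never formatted
    into the statement, so the query text is fixed regardless of input."""
    limit, offset = parse_page(query)
    rows = conn.execute(
        "SELECT id, name FROM items ORDER BY id DESC LIMIT ? OFFSET ?",
        (limit + 1, offset),   # one extra row tells us whether a next page exists
    ).fetchall()
    has_more = len(rows) > limit
    items = [{"id": r[0], "name": r[1]} for r in rows[:limit]]
    next_link = f"/items?limit={limit}&offset={offset + limit}" if has_more else None
    return {"items": items, "next": next_link}


def demo_db(n=55):
    """Constructed in-memory table with n items."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (id, name) VALUES (?, ?)",
                     [(i, f"item-{i}") for i in range(1, n + 1)])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(fetch_items(conn, "limit=20"))
    print(fetch_items(conn, "limit=20&offset=40"))
    print(fetch_items(conn, "limit=1000000")["next"])
```

Clamping rather than rejecting an oversized `limit` keeps well-meaning clients working, while the offset cap closes the other resource sink: an offset of several million still makes the database walk every skipped row. Keyset or seek pagination, mentioned on the slide, removes that cost entirely by paging on the last seen id instead of a row count.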
BEST PRACTICES FOR SECURING APIS
ROLE BASED ACCESS CONTROL
What is RBAC?
Permissions are granted to each role based on requirements
Users are assigned to a specific role
Users can be assigned to multiple roles
BEST PRACTICES FOR SECURING APIS
ROLE BASED ACCESS CONTROL
Limitations of RBAC?
Determining the permissions to assign to each role is very time consuming
RBAC needs attention all the time. The Joiner-Mover-Leaver process is extremely critical. Users can often accumulate unnecessary roles, leading to excess permissions.
Providing fine-grained access to resources can often lead to an explosion of RBAC roles or ABAC rules that can be easily exploited if not properly tested.
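The two RBAC slides describe the model (permissions per role, several roles per user) and its failure mode (roles that accumulate through the Joiner-Mover-Leaver lifecycle). The following added example, not code from the deck or from FX Labs, implements both: a role store whose `move` replaces rather than extends a user's roles, and two audits that surface the excess permissions and redundant roles the slide warns about. The role catalogue and the `resource:action` permission naming are constructed for the example.

```python
from typing import Dict, Iterable, Set

# Constructed role catalogue. Permissions are "resource:action" strings.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer":     {"cars:read", "drivers:read"},
    "dispatcher": {"cars:read", "drivers:read", "drivers:write"},
    "admin":      {"cars:read", "cars:write", "drivers:read", "drivers:write", "users:write"},
}


class Rbac:
    def __init__(self, role_permissions: Dict[str, Set[str]]):
        self.role_permissions = role_permissions
        self.user_roles: Dict[str, Set[str]] = {}

    def _known(self, roles: Iterable[str]) -> Set[str]:
        roles = set(roles)
        unknown = roles - self.role_permissions.keys()
        if unknown:
            raise KeyError(f"unknown roles: {sorted(unknown)}")
        return roles

    # Joiner: a new user gets exactly the roles the job requires.
    def join(self, user: str, roles: Iterable[str]) -> None:
        self.user_roles[user] = self._known(roles)

    # A user may legitimately hold several roles.
    def add_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).update(self._known([role]))

    # Mover: the old role set is replaced, not extended, so nothing accumulates.
    def move(self, user: str, roles: Iterable[str]) -> None:
        self.user_roles[user] = self._known(roles)

    # Leaver: all access is revoked.
    def leave(self, user: str) -> None:
        self.user_roles.pop(user, None)

    def permissions(self, user: str) -> Set[str]:
        """Effective permissions: the union over all of the user's roles."""
        return set().union(*(self.role_permissions[r]
                             for r in self.user_roles.get(user, ())))

    def check(self, user: str, permission: str) -> bool:
        """The authorization decision an endpoint makes before touching data."""
        return permission in self.permissions(user)

    def excess_permissions(self, user: str, required: Set[str]) -> Set[str]:
        """Permissions granted beyond what the user's job actually needs."""
        return self.permissions(user) - required

    def redundant_roles(self, user: str) -> Set[str]:
        """Roles that add nothing because the user's other roles already cover them."""
        roles = self.user_roles.get(user, set())
        return {r for r in roles
                if self.role_permissions[r] <= set().union(
                    *(self.role_permissions[o] for o in roles if o != r))}


if __name__ == "__main__":
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.join("ada", ["viewer"])
    rbac.add_role("ada", "dispatcher")
    print(rbac.permissions("ada"), rbac.redundant_roles("ada"))
    rbac.move("ada", ["admin"])
    print(rbac.excess_permissions("ada", {"cars:read", "drivers:read"}))
```

Running `excess_permissions` against each user's documented job requirements on a schedule is the cheapest way to make the "attention all the time" demand concrete: the output is the list of grants to take away.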
5 BEST PRACTICES IN API TESTING
STANDARDIZING TESTS
Leverage a markup language for self-documentation
and to enforce standardization across the team
DATA-DRIVEN TESTING
Move towards data-driven testing to promote reusability
of tests and to eliminate the pain of preparing data-sets
DISTRIBUTED TEST EXECUTION
Build for scale from the beginning with the objective of
having distributed, parallelized testing to shorten test
cycles
AUTOMATED BUG MANAGEMENT
Automate bug management or incur huge delays as a
result
API SECURITY TESTING
Include security testing with the deepest coverage to prevent vulnerabilities in the future
TRADITIONAL SOFTWARE TESTING
COST OF A BUG CAN BE $1,500 IF FOUND IN PROD
[Chart: average cost to fix a defect ($100, $250, $1,500) across the design, develop, test and monitor phases; test types shown are unit tests, integration tests, end-to-end tests, load tests and synthetic monitoring; current bug discovery is marked late in the cycle.]
SHIFT LEFT
IS YOUR EFFORT DIRECTED AT YOUR RISK?
[Chart: the same cost-to-fix curve ($100, $250, $1,500 across design, develop, test and monitor, with unit, integration, end-to-end, load tests and synthetic monitoring) with bug discovery shifted left toward the design and develop phases.]
DEVSECOPS
PREVENTION VS. DETECTION
The most effective DevSecOps programs start at the earliest points
in the development process and follow the workload throughout its
life cycle
COMMON API VULNERABILITIES
RBAC & ABAC VULNERABILITIES
DISTRIBUTED DENIAL OF SERVICE
SQL INJECTIONS & DATA ATTACKS
Providing fine-grained access to resources can often lead to an explosion of RBAC roles or ABAC rules that can be easily exploited if not properly tested.
API DDoS attacks are executed to overload an API service. Since each participating host sends a normal traffic volume, these attacks are difficult to detect.
With the right credentials, insiders and hackers can access any system or data. Examples include Data Extraction or Theft, Data Deletion or Manipulation, Data Injection, Malicious Code Injection, and Extreme Application Activity.
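The DDoS point above is the detection problem: a per-client rate limit never fires when every source stays below it. The following added example, not code from the deck or from FX Labs, runs two sliding windows over access-log lines, one per client and one aggregate, and shows that the distributed case trips only the aggregate threshold. The log format, the three constructed logs and the threshold values are assumptions; thresholds should come from a baseline of the service's normal traffic.

```python
import re
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed access-log format: "<unix_ts> <client_ip> <method> <path> <status> <ms>".
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"], rec["status"], rec["ms"] = int(rec["ts"]), int(rec["status"]), int(rec["ms"])
    return rec


class FloodDetector:
    """Sliding window over the last `window` seconds with two thresholds:
    per client (catches one noisy source) and aggregate (catches many quiet ones).
    Default values are assumptions for the example."""

    def __init__(self, window: int = 60, per_client_max: int = 30, aggregate_max: int = 200):
        self.window = window
        self.per_client_max = per_client_max
        self.aggregate_max = aggregate_max
        self.events: deque = deque()                  # (ts, ip), oldest first
        self.per_client: Dict[str, int] = defaultdict(int)

    def observe(self, rec: dict) -> List[Tuple[str, str]]:
        ts, ip = rec["ts"], rec["ip"]
        self.events.append((ts, ip))
        self.per_client[ip] += 1
        while self.events and ts - self.events[0][0] >= self.window:   # expire old events
            _, old_ip = self.events.popleft()
            self.per_client[old_ip] -= 1
            if self.per_client[old_ip] == 0:
                del self.per_client[old_ip]
        alerts = []
        if self.per_client[ip] > self.per_client_max:
            alerts.append(("per_client", ip))
        if len(self.events) > self.aggregate_max:
            alerts.append(("aggregate", f"{len(self.per_client)} clients in window"))
        return alerts


def scan(lines: Iterable[str], **thresholds) -> Dict[str, int]:
    """Run the detector over log lines; returns alert kind -> timestamp of first trigger."""
    det = FloodDetector(**thresholds)
    first: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, _ in det.observe(rec):
            first.setdefault(kind, rec["ts"])
    return first


# Constructed sample logs.
def distributed_flood_log() -> List[str]:
    """80 clients, 3 requests each, 6 requests/s overall: no single client is loud."""
    return [f"{1000 + i // 6} 10.0.0.{i % 80 + 1} GET /items?limit=20 200 35"
            for i in range(240)]


def single_noisy_client_log() -> List[str]:
    """One client sending 40 requests in 40 seconds."""
    return [f"{2000 + i} 10.0.9.9 GET /items?limit=20 200 35" for i in range(40)]


def quiet_log() -> List[str]:
    """50 clients, one request each, one per second."""
    return [f"{3000 + i} 10.0.1.{i + 1} GET /cars/711/drivers/ 200 12" for i in range(50)]


if __name__ == "__main__":
    print("distributed:", scan(distributed_flood_log()))
    print("single:", scan(single_noisy_client_log()))
    print("quiet:", scan(quiet_log()))
```

In the distributed log every client stays at 3 requests, far under the per-client limit, and only the aggregate window fires; in production the aggregate threshold is best expressed per expensive endpoint (search, export, login) rather than across the whole service, since those are the routes an overload targets.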
AVERAGE COST OF A DATA BREACH
60% of startups go out of business within six months of an attack
89% of breaches and data loss could have been prevented 
FX LABS
AUTOMATED API SECURITY & QUALITY TESTING
Automatically Generate API Security Tests
Run Tests in Parallel Across Any Region
[Instant Security Coverage] Automatically generate API security coverage spanning critical categories like login attack, DDoS, RBAC, ABAC, SQL injections and many others.
[Data-Driven Testing] Generate data-driven tests in simple, declarative YAML files with a test composition framework that supports API chaining, all assertions, and local/remote data injection.
Run tests in parallel from any region with the FX Super Bot Network or provision Bots within your VPC on any cloud
Automate bug management (file, triage, validate and close)
Set up notifications via Email and Slack
View detailed dashboards and wire logs to quickly pinpoint security issues
OUR PLATFORM
THANK
YOU!
FXLABS.IO
founders@fxlabs.io