apidays LIVE Singapore 2021 - Digitisation, Connected Services and Embedded Finance
April 21 & 22, 2021
The Importance of Quality in your API Architecture
Christof Sunthorn, Solutions Engineer at SmartBear
3. Agenda
Proprietary & Confidential
| APIs in our digitally connected world
| Challenges in API development
| Importance of quality in your API architecture
| Strategies to improve quality
| Standardisation and Governance
| Collaboration
| Security
4. APIs are the foundation of our digitally connected world
[Slide graphic: any application (instant messaging, AR/VR telepresence, document/database sharing, webcasting, telephone, email, enterprise social network, enterprise applications), on any device (smart watch, head-mounted displays, laptop/desktop, tablet, smartphone), anywhere (home, work, on the go), anytime]
Quality is essential to ensure applications work
APIs are essential to ensure connections
5. API development has challenges…
“The more APIs we create, the more they become inconsistent and difficult to understand and support.”
“Creating API documentation from scratch is time-consuming and error-prone.”
“As an API designer, it’s difficult to get feedback on changes during the API development lifecycle.”
“Our development teams lack a single source of truth on the API definition to be implemented.”
“APIs may fail to meet their business goals, even though there was agreement on a design.”
“Quality issues are hurting API adoption.”
9. APIs are the foundation of our digitally connected world (slide 4 shown again)
10. Today’s APIs Connect Sensitive Data
[Slide graphic: company assets & services and data, reached through mobile apps, web apps, partner apps and cloud-based services]
11. Real-World Examples
Organization | Description | No. of users affected
Panera Bread | 2018, Panera revealed that 37 million customers had had their data exposed. Some reports attributed the breach to an unauthenticated API endpoint. | 37 million customers
T-Mobile | 2018, attackers exploited a “leaky” API and exposed 2.3 million customers’ personal data. | 2.3 million customers
Capital One | 2019, Capital One announced a breach that had given an attacker access to personal information of those who had applied for various credit products. Through a server-side request forgery, an attacker compromised an application and gained access to Capital One’s AWS-based infrastructure configuration API. | 106 million customers
Aarogya Setu (India’s COVID-19 contact tracing app) | India’s COVID-19 contact tracing application had authorization weaknesses and validated parameters at client side rather than server side. In May 2020, a researcher reported that they could make direct API calls and manipulate parameters to get the COVID status of any neighborhood or location in India. | All residents of India (~1.3B)
13. Value of the API Definition
| API description formats like OpenAPI (formerly Swagger) enable you to design an API
o Create a definition that end users can utilize to understand how best to work with your API
| API definitions are language-agnostic
| Readable by both humans and machines
| Enables parallel work streams – virtualization, testing, integration compatibility – all before coding
14. API Design Matters
| Consistency in API design is not a given
o Code-first, design-first
o Style guide, no style guide
| Development teams today are distributed across departments, geographies, time zones
| Collaboration is the rule, both internally and externally with partners
| Without a focus on API design standards, it is difficult to create a consistent API consumer experience
15. API adoption is tied to consistent design
| If an API is to be used, consumers need a guide to help them understand
o What data is the API providing
o What is its functionality
o API protocols, formats, versions
Gartner: December 16, 2020, How to Successfully Implement API Management
“API design guidelines provide API developers with the information they need to create APIs in a consistent fashion. This increases the usability and, therefore, the adoption of APIs.”
[Screenshot: SwaggerHub embedded style guide flagging a standardization error]
16. API Standardization and Governance
| Gather input from all stakeholders to ensure API design aligns to business purpose
| Design-first is preferred over code-first
| Leverage a single source of truth for API definitions
| Utilize an API style guide as initial step toward governance
| Leverage custom rules to validate OpenAPI definitions for compliance with API design guidelines
| Understand your API workflow
[Slide graphic: an asset library of API definitions (API_1, API_2, API_3) checked against design guidelines, one flagged and two passing]
17. What Is API Security?
“by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
Gartner Research
Simply put, API security is protecting the APIs you build and consume from nefarious use. Because businesses transfer data and connect services via APIs – they are especially prone to attacks.
18. Achieving API Security Goals
Only legitimate users can access the system
The system doesn’t allow users to do more than they should
Confidential data can only be seen by intended users
Transaction information is protected
Identify and catalog APIs and endpoints
Assure and manage API user identities
Meet regulatory and compliance requirements
API design governance sets security context for each API type
API security testing – before, during, and after deployment – is the safety net
19. Summary
| APIs are the foundation of our digitally connected world
| Quality is important to your API architecture
o Adoption
o Business operations downtime and revenue lost
o Security breaches
| Improve quality through:
o Standardisation and governance
o Collaboration
o Security
21. How SmartBear Can Help
[Slide graphic: Early Testing; OpenAPI Specification]
Editor's Notes
Hi everyone. Good morning, good afternoon, and good evening to everyone wherever you’re joining from. Hope you are all keeping well.
I’d firstly like to introduce myself. I’m Christof Sunthorn, Solutions Engineer at SmartBear and I work with customers to improve their testing workflows. Previously I’ve worked as a Professional Services Consultant at CA Technologies and a Presales Engineer at Micro Focus working on Identity & Access Management and various Security solutions.
Thank you for joining me today where I’ll be talking about the importance of quality in your API Architecture.
Before I begin, I’d like to give a short introduction to SmartBear for those who may not have heard of us before.
So we were founded in 2009 in Boston and we have grown to 12 global offices.
We have over 15M users of our tools designed to ensure quality across the entire SDLC and over 24,000 customers from SMB through to enterprise names like Google, Microsoft and Adidas.
Globally we have over 650 employees.
And as you may know, SmartBear currently supports 3 open source initiatives which are Swagger and the OpenAPI specification for API design and collaboration, SoapUI for API and web service testing and Cucumber for Behaviour-Driven Development.
Original:
SmartBear tools are synonymous with quality across the entire SDLC, from planning and design to testing and monitoring. We were founded in 2009 in Boston, Mass and have grown to over 11 global offices, encompassing North America, Europe, Asia, and Australia.
Over 6 million developers, testers, and operations professionals from 20,000 plus companies, like Google, RBC, and Vineyard Vines, use our tools every day to deliver bug-free software.
Our company of over 500 employees also provides 5 free tools for the community, including 2 wildly popular open source tools Swagger and SoapUI.
I want to start by acknowledging that APIs are the foundation of our digitally connected world. I would imagine that most of you would at least somewhat agree with that statement given you are here at apidays today.
So as we know, APIs allow applications and devices to talk to one another and work together. This enables us to develop new processes and innovations which can help improve our lives and keep us connected.
We’ve seen in the past year, the acceleration of digital transformations and Bloomberg has said that every company now is an eCommerce company.
You can see some examples on this slide of how interconnected our world is. From our Zoom meetings while we are working from home, to our smartphones, online banking services, digital supply chains, to even Google Maps in our cars. All these technologies that we use in our day to day lives are all made possible with APIs.
**Click**
APIs are essential to ensure connections of our applications.
**Click**
This means API quality is essential to ensure our applications work.
This brings us to API development challenges. Why do these challenges matter? Because they can impact the quality of your API.
So, while we’ve been working with customers, we’ve heard a few common challenges come up.
Some of these are that the developed APIs fail to meet the original business goals even though there was an agreement on the design. This might be due to lack of collaboration along the process.
Another is that as a designer it’s difficult to get feedback during the API development lifecycle, or that there isn’t a source of truth on the API definition. This might be because there are multiple API definitions and multiple versions circulating throughout the organization.
We’re also hearing that quality issues are hurting adoption – and this makes sense because if your API is not giving an acceptable response time or even giving the correct responses then it’s less likely to be chosen and relied upon.
And lastly, creating API documentation from scratch is time-consuming and error-prone, which is likely connected to the fact that the more APIs are being created, the more they are becoming inconsistent and difficult to understand and support. This is especially relevant in our time now after the pandemic, with most organisations being forced into digital transformation initiatives.
Without proper documentation, it’s difficult to adopt your APIs both internally and externally. Consumers won’t know how to integrate your APIs into their applications and this certainly won’t help when there is much more choice in today’s API ecosystem.
To understand these challenges better as part of our State of API report last year, we surveyed over 1,500 API practitioners and customers from a wide range of industries and we learned that the top challenges are standardisation, versioning, security and easier integration between tools.
The report shows that Standardisation continues to be the top challenge that organisations want to solve and it has more than doubled in importance since 2016. The same can be said for Versioning.
The growth in importance of these two challenges shows us that with the industry taking on digital transformations and the move towards Microservices architecture, that more APIs are being created and this raises the difficulty in maintaining consistency.
Optional:
The 3rd most concerning challenge in our report is Security and that’s because it’s said to be the next frontier in cybercrime. APIs do provide a new contact point or attack vector which can have vulnerabilities which need to be addressed.
All of these challenges will impact the quality of our APIs.
So let’s talk about the importance of quality.
Why is quality important?
Well, one reason is that it impacts API Consumer Loyalty.
When consumers run into quality or performance issues with 3rd party APIs, they first report the problem and then look at their options. This is what we saw in our survey report.
Compared to previous years, there’s a trend that API consumers are less loyal to the APIs they work with when faced with performance issues. In 2016, only 30% of respondents said that an issue would lead them to look for a permanent alternative API provider. Their instinct instead was to review service level agreements.
In the years since, service level agreements have decreased and the willingness of consumers to look elsewhere has increased, to 34% in 2019, and now 37% in 2020.
So why are API consumers less loyal in 2020? It’s likely a result of more competition in API marketplaces, plus a higher demand on API reliability as tools and systems become more connected and dependent. Downtime of a 3rd party API can also translate directly to lost revenue because of poor experience for consumers and the services they offer.
Aside from consumer loyalty, poor quality or poorly functioning APIs within an organization can result in interrupted business operations, data corruption or even downtime. When siloed business units can’t work together in a larger business process, this also stifles innovation and efficiency internally.
So we can see that quality is essential with APIs now, and this is where Standardisation can help, which I’ll be discussing later.
So I introduced this slide early on to illustrate that APIs are the foundation of our digitally connected world.
But let’s think about this in a different context, now as a security officer.
From a security perspective, you now have all these new external connections that can be attack vectors for cyber criminals or unknowing users.
So let’s think about why cyber criminals and hackers would be interested in exploiting API connections and why you should care?
Cyber criminals care about APIs because they connect our sensitive data.
It’s been suggested that the value of data is now higher than that of oil and that there is a “data economy”. In the “data economy”, data is potentially more valuable due to the insight, knowledge and access that can be extracted from it.
From a company perspective, they could be holding confidential and sensitive secrets which could be accessed via mobile apps, web apps, partner apps or cloud-based services. If these secrets were accessed by a competitor, partner or made public, it could be seriously damaging. This is why we are seeing more ransomware attacks in recent times. You may remember that the sports watch brand Garmin last year was rumoured to pay a $10 million ransom to regain access to their internal systems.
It’s also worth noting that with the security and regulatory laws worldwide slowly adapting to technology risks, data breaches of customer data must now be reported and can incur fines and penalties. There is also the loss of trust by customers and loss of company reputation to deal with.
Now moving to a personal data perspective, our phones and smart watches collect a lot of personal and sensitive data. This data can include our personally identifiable information, such as our government IDs, our bank accounts, our credit cards, our locations and even our movement patterns. All these small nuggets of data when combined from multiple sources can become highly valuable.
So with APIs in our applications connecting all this sensitive data and providing highly valuable endpoints, it’s no wonder that APIs are appealing for cyber criminals and hackers. Therefore, ensuring your APIs are secure during the design, development, testing and deployment is crucial to securing that sensitive data.
To emphasise the importance of quality from a security perspective in APIs, we can review some real-world examples of security breaches.
In 2018 Panera Bread revealed 37 million customers had their data exposed due to an unauthenticated API endpoint.
T-Mobile exposed 2.3 million customers’ personal data when attackers exploited a leaky API.
Capital One announced they had given an attacker access to personal information of those who applied for various credit products through server-side request forgery, where the attacker gained access to Capital One’s AWS-based infrastructure configuration API.
And more recently in India, their COVID-19 contact tracing application had authorization weaknesses where parameters were validated on the client side rather than the server side, and this led to people being able to manipulate parameters to retrieve the COVID statuses of any neighborhood or location in India.
As you can see from these examples, these breaches are related to poorly secured and designed APIs, and unprotected API endpoints. These flaws allow attackers to gain access to user account information, transaction details, and personal health status. What’s even more worrying, is the ability of attackers to control or modify configuration of business, government or utilities infrastructure or take control of your personal IoT devices.
Unused:
So, with this rise in API breaches and attacks, we’re seeing an increased desire to push API security testing further to the left where it becomes part of the development cycle – this is especially important for small/medium sized businesses that are not able to have dedicated security teams.
So now that we understand the importance and impact of quality in your API architecture, let’s discuss some strategies you can employ in your API development framework to improve quality.
I mentioned previously that standardization can help improve the quality of your API development.
This is where the API Definition comes in. The definition helps define and describe the features and behaviours of the API to be designed.
You can think of the API definition as a blueprint for your house. It would be pretty unconventional to start building walls and windows to your house without knowing if there was going to be a toilet in the way in the future.
It makes more sense to plan the design and agree on the design before we start construction. The same can be applied to API development.
Now in the real world it’s unlikely that we finalise an API design and no further changes are made during development, but having a definition can certainly go a long way in keeping a consistent and always understandable design philosophy.
The industry standard for defining RESTful APIs is the OpenAPI specification (formerly known as Swagger), which is supported by SmartBear.
It allows end users to understand how best to work with your APIs.
It’s language agnostic and readable by both humans and machines.
One benefit of API definitions that is sometimes forgotten is the ability to have parallel work streams.
That is, from your API definition you can start testing and even create a virtual web service all before coding starts. This ensures that testing for quality starts earlier in your API development lifecycle.
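As an added example of the parallel work streams just described (not code from the talk or from SmartBear tooling): a small OpenAPI definition, constructed for this purpose and embedded as a Python dict, is used both as a virtual service that answers straight from its declared example and as the contract that a candidate response from an implementation is checked against. The pets API, its bearerAuth scheme and the `validate` helper are all assumptions; `validate` covers only a subset of JSON Schema (type, required, properties, additionalProperties, items), where a real pipeline would use a full validator.

```python
"""Design-first workflow driven by the OpenAPI definition: one document serves
a virtual (mock) endpoint and is the contract a candidate response is checked
against, before any implementation exists. Added example, not from the talk or
from SmartBear tooling; the pets API and the JSON Schema subset are constructed.
"""

# Constructed OpenAPI 3.0 definition, embedded as a dict so the script runs
# offline (in practice it would be loaded from openapi.yaml).
OPENAPI = {
    "openapi": "3.0.3",
    "info": {"title": "Pets API (constructed sample)", "version": "1.0.0"},
    "paths": {"/pets/{petId}": {"get": {
        "operationId": "getPet",
        "security": [{"bearerAuth": []}],
        "parameters": [{"name": "petId", "in": "path", "required": True, "schema": {"type": "integer"}}],
        "responses": {
            "200": {"description": "A pet", "content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Pet"},
                "example": {"id": 7, "name": "Rex", "tags": ["dog"]}}}},
            "404": {"description": "Not found"},
        },
    }}},
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {"Pet": {
            "type": "object",
            "required": ["id", "name"],
            "properties": {"id": {"type": "integer"}, "name": {"type": "string"},
                           "tags": {"type": "array", "items": {"type": "string"}}},
            "additionalProperties": False,
        }},
    },
}

# Python types accepted for each JSON Schema primitive handled here.
TYPES = {"object": dict, "array": list, "string": str,
         "integer": int, "number": (int, float), "boolean": bool}


def resolve(spec, node):
    """Follow a local $ref such as '#/components/schemas/Pet' to its target."""
    while isinstance(node, dict) and "$ref" in node:
        target = spec
        for part in node["$ref"].lstrip("#/").split("/"):
            target = target[part]
        node = target
    return node


def validate(spec, schema, value, path="$"):
    """Check value against a JSON Schema subset (type, required, properties,
    additionalProperties, items). Returns a list of problems; empty means valid."""
    schema = resolve(spec, schema)
    kind = schema.get("type")
    if kind in TYPES:
        # bool is a subclass of int in Python, so True/False must not pass as numbers
        bool_as_number = kind in ("integer", "number") and isinstance(value, bool)
        if not isinstance(value, TYPES[kind]) or bool_as_number:
            return [f"{path}: expected {kind}, got {type(value).__name__}"]
    problems = []
    if kind == "object":
        problems += [f"{path}: missing required property '{req}'"
                     for req in schema.get("required", []) if req not in value]
        props = schema.get("properties", {})
        for key, item in value.items():
            if key in props:
                problems += validate(spec, props[key], item, f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                problems.append(f"{path}: unexpected property '{key}'")
    elif kind == "array":
        for i, item in enumerate(value):
            problems += validate(spec, schema.get("items", {}), item, f"{path}[{i}]")
    return problems


def media_for(spec, path, method, status):
    """The application/json media object declared for one operation response, if any."""
    response = spec["paths"][path][method]["responses"][status]
    return response.get("content", {}).get("application/json")


def mock_response(spec, path, method, status="200"):
    """Virtual service: answer from the definition's example, after checking that
    the example itself satisfies the declared schema (an inconsistent definition
    would otherwise be served to consumers as if it were correct)."""
    media = media_for(spec, path, method, status)
    body = None if media is None else media.get("example")
    if body is not None and validate(spec, media["schema"], body):
        raise ValueError(f"{method.upper()} {path} {status}: example violates its own schema")
    return int(status), body


def check_response(spec, path, method, status, body):
    """Contract test: does a response produced by an implementation match the definition?"""
    media = media_for(spec, path, method, str(status))
    if media is None:
        return [] if body is None else ["response declares no JSON content for this status"]
    return validate(spec, media["schema"], body)
```

Testers can point their suites at `mock_response` while the service is still being built, and the same `check_response` call later runs against the real implementation's output, so the contract is exercised on both sides of the work stream.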
Unused:
Blueprint for the API (Spec)
Industry standard for defining RESTful APIs
Design first approach
So I talked a little bit about design before but let’s dive a bit deeper on why it matters.
Consistency in API design is not a given. We need to consider whether your organization is currently a code-first or design-first shop, and whether your current processes enforce a style guide or not.
If we go back to my example before of the code-first approach, it’s more costly to make changes after the API’s already been coded and built.
However, if we move towards a design first approach which is more collaborative, where we involve all the stakeholders from business analysts, testers and consumers, we can get a clearer picture of our requirements before we start building.
So the advantage here is if we identify any changes to the design early in the process, this is a lot more time and cost effective to implement at the design stage rather than having to go back and make changes once the code has been implemented.
At the end of the day, for the API to be successful it needs to meet most of the stakeholders’ goals, and without a focus on API design standards, it’s difficult to create a consistent API consumer experience.
Unused:
Why does API Design matter?
Consistent approach to designing and developing APIs?
Code-first or Design-first or both?
Benefit of API-first?
Making the changes at the design phase
Collaboration between multiple parties
More cost-effective
Bringing in BA’s/Testers/Analysts etc.
The API has to deliver for all the stakeholders to be successful
You can have a great API but if people don’t understand how to use it?
People will not use it
They will look for something better
There are so many choices out there now
Easy to use and easy to understand
Developer trying to integrate with an API
Documentation is not up to date, it’s a different version.
You are guaranteed to lose someone
So let’s summarise the strategies to improve quality through standardization and governance.
We need to focus on… <points>
Different teams and different designers
Consistency
Camelcase or underscore
Semantic versioning
The use of domains
A library of common components that can be used for reusability
Define once in a domain and re-use across multiple APIs
Finally, when discussing quality we need to talk about API security. So what is API security?
Simply put, API security is protecting the APIs you build and consume from nefarious use. Because businesses transfer data and connect services via APIs – they are especially prone to attacks, as we discussed in the earlier slides.
Gartner Research estimates that “by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
So, it’s crucial to protect API connections and verify that those connections are not prone to attack or acting maliciously.
So how can we achieve our API security goals?
As an example, your core goals are likely to include:
Ensuring only legitimate users can access the system.
The system doesn’t allow users to do more than they should.
Confidential data can only be seen by intended users.
And transaction information is protected.
Now for the sake of time, I won’t go through all the points, but a good starting point to achieving these goals is being able to identify and catalog your APIs and endpoints. This is because you can’t protect what you don’t know. You may have public APIs sharing data that your operations and security teams are completely unaware of. This is where SwaggerHub can help by providing that source of truth and API catalog to give your organization visibility.
The second point is assuring and managing API user identities.
Offering public APIs means that API calls come from a wide range of customers, partners, and applications. Yet many API security models authenticate and authorize only the initial API user’s identity and then let the user run under a trusted shared identity with broad data entitlements, which opens the API to breaches. So not only should we verify who the user is, we also need to manage what level of access to data various users are entitled to based on their roles. This area is usually handled by Identity Governance and Single Sign On solutions but SwaggerHub with OpenAPI is able to specify and work with industry authentication and authorization schemes.
Another critical component of API security is API design.
The context, usage, and purpose vary across APIs, creating different security demands and requirements. One of the big mistakes we find when reviewing API strategies, products, and services is inadequate attention to API classification and organisation. Good classification of API types is critical for understanding the risks and value-add of your APIs. Categorizing and tagging APIs early in the identification and design process helps to ensure the right teams and appropriate policies are assigned. These areas of API design are where SwaggerHub and OpenAPI can help.
Lastly but just as crucial, is API security testing.
We can start to identify weaknesses in the API definition during development using security-oriented functional tests and then continue to run this through to production where we can help identify data flow and trust level issues.
Examples of what we should test for include ensuring that a request from user A for user B’s data will fail, and that the failure messages look the same no matter which element of the backend infrastructure catches the invalid request.
Additionally, by using the OpenAPI definition you’ll be able to test that the API’s behaviour matches its purpose and that there is no unintended data leakage.
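The tests just described, as an added example (not ReadyAPI or SmartBear code): a constructed in-process handler for a hypothetical account endpoint, and a set of checks that user A's request for user B's record fails, that a missing record and a forbidden record are indistinguishable, that parameters are validated on the server regardless of what the client did, that rejections from the authentication layer and from the data layer carry the same opaque body, and that authorization is decided under the caller's own identity and role rather than a shared service identity (the weakness described two paragraphs earlier). The token and account tables, the path and the error text are sample data made up for this illustration.

```python
"""Security-oriented functional tests of the kind the talk describes, run
against a minimal in-process request handler. The handler is a constructed
stand-in for a real account API (added example, not ReadyAPI or SmartBear code)
and is written the way the tests expect a hardened endpoint to behave: it
authorizes each request under the caller's own identity, validates parameters
on the server, and answers every rejection with one opaque error body.
"""
import re
from dataclasses import dataclass, field

# Constructed sample data. A real service would validate a signed token or
# introspect it at the identity provider instead of using a lookup table.
TOKENS = {"tok-alice": ("alice", "customer"), "tok-bob": ("bob", "customer"),
          "tok-carol": ("carol", "support")}
ACCOUNTS = {"acc-100": {"owner": "alice", "balance": 1200},
            "acc-200": {"owner": "bob", "balance": 80}}
ACCOUNT_ID = re.compile(r"^acc-\d{3}$")
ALLOWED_QUERY = {"fields"}
GENERIC_ERROR = {"error": "request could not be processed"}  # identical for every failure


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


def authenticate(req):
    """Resolve the bearer token to (user, role), or None if absent or unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_account(req):
    """GET /accounts/{accountId}: the caller's identity, not a shared service
    identity, decides what the data layer is allowed to return."""
    identity = authenticate(req)
    if identity is None:
        return Response(401, GENERIC_ERROR)
    user, role = identity
    match = re.fullmatch(r"/accounts/([^/]+)", req.path)
    account_id = match.group(1) if match else ""
    # Server-side validation: the client may have checked these, the server must.
    if not ACCOUNT_ID.match(account_id) or set(req.query) - ALLOWED_QUERY:
        return Response(400, GENERIC_ERROR)
    record = ACCOUNTS.get(account_id)
    # Object-level authorization: owner or support role only. An unknown id and a
    # forbidden id get the same answer, so ids cannot be enumerated by probing.
    if record is None or (record["owner"] != user and role != "support"):
        return Response(404, GENERIC_ERROR)
    return Response(200, {"id": account_id, "balance": record["balance"]})


def call(token, path, query=None):
    """Issue one request to the handler as the given token holder (None = anonymous)."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    return get_account(Request(path, headers, query or {}))


def run_security_checks():
    """Run the checks and return {check name: passed}. Each mirrors a test a
    practitioner would keep in the pipeline for every data-returning endpoint."""
    forbidden = call("tok-alice", "/accounts/acc-200")   # alice asks for bob's account
    missing = call("tok-alice", "/accounts/acc-999")     # alice asks for an account that does not exist
    rejected = [call(None, "/accounts/acc-100"), forbidden, call("tok-alice", "/accounts/x"),
                call("tok-alice", "/accounts/acc-100", {"debug": "1"})]
    return {
        "owner_can_read_own_account": call("tok-alice", "/accounts/acc-100").status == 200,
        "user_a_cannot_read_user_b": forbidden.status != 200 and "balance" not in forbidden.body,
        "forbidden_and_missing_look_identical": (forbidden.status, forbidden.body) == (missing.status, missing.body),
        "support_role_can_read_any_account": call("tok-carol", "/accounts/acc-200").status == 200,
        "unauthenticated_is_rejected": rejected[0].status == 401,
        "malformed_path_parameter_is_rejected": call("tok-bob", "/accounts/../admin").status == 400,
        "unexpected_query_parameter_is_rejected": rejected[3].status == 400,
        "every_rejection_uses_the_same_body": all(r.body == GENERIC_ERROR for r in rejected),
    }


if __name__ == "__main__":
    for name, passed in run_security_checks().items():
        print(f"{'PASS' if passed else 'FAIL'} {name}")
```

The same `run_security_checks` can be pointed at a deployed service by replacing `call` with an HTTP client, which is what lets the checks run before, during and after deployment as the slide puts it; the status codes differ per failure class, but the body never does, so no layer of the stack reveals which check it was that rejected the request.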
High level overview of the SwaggerHub API Ecosystem
SwaggerHub can integrate with:
API Gateways
SCM Repos
CI/CD
ReadyAPI for functional testing and virtualization
That makes it a good time to talk about DevSecOps. So what is DevSecOps?
At its simplest, DevSecOps is about removing the barriers between four traditionally siloed teams: development, QA, security and operations, all for the sake of accelerating the deployment of higher quality software.
To us, DevSecOps is not just about removing barriers but answering the question of how to embed security tests into your CI/CD pipeline with minimal effort. And this is where we think ReadyAPI can really help businesses on that journey.
Being able to reuse functional tests for security tests the same way you can reuse them for performance tests is one of the main benefits of ReadyAPI and Martin may show this in the demo later.
But before we focus on the testing component, there are other steps that an organization can take to help them secure their APIs.
[next slide]