This is covered during the tech conference. It covers high-level security. The best practice for deployment for gateway (what was known as last-mile) is covered at the end.
This covers security with APIc/gateway. It goes over high-level concepts and what IBM APIc can offer, this covers 2018, and v10 of the product
Note: this is from a presentation from a year or so ago, with some updates to the link
IBM API Connect is a Comprehensive API Solution. It is an integrated creation, runtime, management, and security foundation for enterprise grade API’s and Microservices to power modern digital applications.
In this webinar,
API Management Concepts
IBM API Connect overview and features
Kellton Tech’s API Strategy with IBM API Connect.
Technology: IBM API Connect 5.0
How to create a User Defined Policy with IBM APIc (v10)Shiu-Fun Poon
IBM APIc ships a set of policy. However you can extend those capabilities by creating your own policy. This gives step by step on how that can be done, it also provides a template to help you jump start the process.
This covers security with APIc/gateway. It goes over high-level concepts and what IBM APIc can offer, this covers 2018, and v10 of the product
Note: this is from a presentation from a year or so ago, with some updates to the link
IBM API Connect is a Comprehensive API Solution. It is an integrated creation, runtime, management, and security foundation for enterprise grade API’s and Microservices to power modern digital applications.
In this webinar,
API Management Concepts
IBM API Connect overview and features
Kellton Tech’s API Strategy with IBM API Connect.
Technology: IBM API Connect 5.0
How to create a User Defined Policy with IBM APIc (v10)Shiu-Fun Poon
IBM APIc ships a set of policy. However you can extend those capabilities by creating your own policy. This gives step by step on how that can be done, it also provides a template to help you jump start the process.
IBM DataPower Gateway appliances are used in a variety of user scenarios to enable security, control, integration and optimized access for a range of workloads including Mobile, Web, API, B2B, Web Services and SOA. This presentation from the IBM DataPower team provides an in-depth look at each use case.
In this deck, I cover all the new exciting security feature we have in both gateway and APIC.
We are excited about the new features, and how they can be used to help protect the customer's deployment environment.
With the growing interest in the API economy, IBM Integration Bus (IIB) has provided many recent enhancements in the area of REST APIs and JSON support. This session will discuss how to create an IIB REST API, either from scratch or starting from a Swagger (OpenAPI specification) document. We will also cover the new JSON Schema support for the Graphical Data Mapper, and the new REST Request node for calling REST APIs from IIB, which can be easily configured by drag-and-drop. Easy integration of IIB Rest APIs with an API Connect catalog is also possible, from both the IIB Toolkit and the IIB Web UI. We will talk through these new capabilities and how they relate to IBM's Application Integration Suite (AIS) solution.
How to migrate an application in IBM APIc, and preserve its client credentialShiu-Fun Poon
This provides the rest and toolkit command on how to migrate an application from one environment to another without know the client_secret in the plaintext format.
Apigee and Amazon Web Services join together in this webcast to discuss using Apigee's API management for AWS-powered backends. API management makes it easy to expose and consume APIs from services built on AWS. Whether your backend runs on EC2, DynamoDB, or AWS Lambda, we'll show you the best way to build AWeSome APIs.
Speaker spoke about features and benefits of the AWS Lambda service and explained how to increase system performance by using AWS services.
This presentation by Mykhailo Brodskyi (Senior Software Engineer, Consultant, GlobalLogic, Kharkiv), was delivered at GlobalLogic Kharkiv Java Conference 2018 on June 10, 2018.
by Fritz Kunstler, Sr. AWS Security Consultant AWS
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
This session takes developers through a deep dive into microservices architecture on Amazon Web Services in the context of supporting transactions, making use of containerisation and serverless architectures and the various cloud-native features that make developing microservices efficient and simple.
Speaker: Oliver Klein – Emerging Technologies Solutions Architect, AWS APAC
What are the biggest cyber threats facing financial and healthcare entities today and in the near future? How can organizations embrace innovation and agile development culture while balancing the time to market goals with risk management?
Jason Kobus, director, API Banking, Silicon Valley Bank, and Apigee's head of security, Subra Kumaraswamy, present how an effective API program combined with a secure API management platform can
- provide visibility for all security threats targeting their backend services
- control access to sensitive data - end-to-end
- enable developers to build secure apps with secure APIs
- facilitate secure access with partners and developers
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...apidays
apidays London 2023 - APIs for Smarter Platforms and Business Processes
September 13 & 14, 2023
Advanced AI-powered API Security
Ricky Moorhouse, Cloud Architect at IBM API Connect
Filip Verloy, Field CTO at Noname Security
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
IBM DataPower Gateway appliances are used in a variety of user scenarios to enable security, control, integration and optimized access for a range of workloads including Mobile, Web, API, B2B, Web Services and SOA. This presentation from the IBM DataPower team provides an in-depth look at each use case.
In this deck, I cover all the new exciting security feature we have in both gateway and APIC.
We are excited about the new features, and how they can be used to help protect the customer's deployment environment.
With the growing interest in the API economy, IBM Integration Bus (IIB) has provided many recent enhancements in the area of REST APIs and JSON support. This session will discuss how to create an IIB REST API, either from scratch or starting from a Swagger (OpenAPI specification) document. We will also cover the new JSON Schema support for the Graphical Data Mapper, and the new REST Request node for calling REST APIs from IIB, which can be easily configured by drag-and-drop. Easy integration of IIB Rest APIs with an API Connect catalog is also possible, from both the IIB Toolkit and the IIB Web UI. We will talk through these new capabilities and how they relate to IBM's Application Integration Suite (AIS) solution.
How to migrate an application in IBM APIc, and preserve its client credentialShiu-Fun Poon
This provides the rest and toolkit command on how to migrate an application from one environment to another without know the client_secret in the plaintext format.
Apigee and Amazon Web Services join together in this webcast to discuss using Apigee's API management for AWS-powered backends. API management makes it easy to expose and consume APIs from services built on AWS. Whether your backend runs on EC2, DynamoDB, or AWS Lambda, we'll show you the best way to build AWeSome APIs.
Speaker spoke about features and benefits of the AWS Lambda service and explained how to increase system performance by using AWS services.
This presentation by Mykhailo Brodskyi (Senior Software Engineer, Consultant, GlobalLogic, Kharkiv), was delivered at GlobalLogic Kharkiv Java Conference 2018 on June 10, 2018.
by Fritz Kunstler, Sr. AWS Security Consultant AWS
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
This session takes developers through a deep dive into microservices architecture on Amazon Web Services in the context of supporting transactions, making use of containerisation and serverless architectures and the various cloud-native features that make developing microservices efficient and simple.
Speaker: Oliver Klein – Emerging Technologies Solutions Architect, AWS APAC
What are the biggest cyber threats facing financial and healthcare entities today and in the near future? How can organizations embrace innovation and agile development culture while balancing the time to market goals with risk management?
Jason Kobus, director, API Banking, Silicon Valley Bank, and Apigee's head of security, Subra Kumaraswamy, present how an effective API program combined with a secure API management platform can
- provide visibility for all security threats targeting their backend services
- control access to sensitive data - end-to-end
- enable developers to build secure apps with secure APIs
- facilitate secure access with partners and developers
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...apidays
apidays London 2023 - APIs for Smarter Platforms and Business Processes
September 13 & 14, 2023
Advanced AI-powered API Security
Ricky Moorhouse, Cloud Architect at IBM API Connect
Filip Verloy, Field CTO at Noname Security
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Digital is disrupting the physical world with new business models. In this presentation from SOA Software VP of Product Marketing, Sachin Agarwal, learn how APIs are used to drive new digital channels securely and safely.
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsRob Convery
Are you new to IBM Integration Bus? Do you want to know how to configure, administer and monitor your nodes? Do you want to make it easier on yourself when deploying your message flow applications across multiple servers? Would you like to keep a record of all of the messages which flow through your applications? Would you like to know how you can configure a Continuous Integration and Deployment pipeline for you IIB integrations? If so come along and find out about how to administer and monitor your IBM Integration Bus environment.
The presentation will first cover the basics of administering and monitoring your Integration Nodes. Looking at the available commands and their options, as well as the most recent V10 improvements, including enhancements to the product runtime, covering the extended webui, policy, Integration Toolkit, command line, and programmatic front-ends.
Using the basics learnt initially, this session will then take a look at how you build a Continuous Integration pipeline using technologies such as git, Ant & Jenkins to programmatically configure your Nodes, create, build and test your integrations, and then deploy them to production.
IBM MobileFirst Reference Architecture 1512 v3 2015Sreeni Pamidala
IBM MobileFirst Reference Architecture with Application architecture, deployment/operational models for developing Android/IoS/Web apps and host in the cloud
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...Amazon Web Services
This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture design decisions made by Fortune 500 organizations during actual sensitive workload deployments, as told by the AWS security solution architects and professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...Karen Broughton-Mabbitt
Presented at InterConnect 2016 by Carsten Bornert and Emanuel Stanciu.
IBM Integration Bus (IIB) is IBM's strategic software integration product. Rational Integration Tester provides powerful capabilities to discover, simulate and test the solutions built on IBM Integration Bus. This session will demonstrate how integrations can be built on IBM Integration Bus and benefit from the simulation and discovery capabilities of Rational Integration Tester to accelerate and harden the integration.
Jamie Nelson, VP of Engineering, ForgeRock
John Barco, VP of Product Management, ForgeRock
The digital transformation freight train is here which means the platform requirements are changing.
This session presents how the ForgeRock platform will evolve moving forward to address requirements
of the new interconnected IRM universe.
42Crunch Security Audit for WSO2 API Manager 3.1WSO2
API Security has become an important concern in recent times as organizations are more cautious about exposing raw, sensitive data via APIs. Therefore, it is important that APIs adhere to the OpenAPI Specification (OAS) to ensure API security.
WSO2 has partnered with 42Crunch, to bring in the ability to conduct a security audit on the OpenAPI Specification definition, and to obtain an audit report.
The WSO2 API Manager 3.1 brings a lot of interesting features, including the ability to run 42Crunch’s audit tool directly from the API Publishing portal.
In this webinar, we will:
- Explain the advantages of introducing security at design time
- Introduce the 42Crunch audit functionality
- Explain how 42Crunch and WSO2 API Manager can be used together for better API Security
The Power of IBM API Management. API connect 2016 VegasSaaS-Journal
Presented at InterConnect 2016 by Sergio Gutierrez and Dinesh Setty. This session will discuss the power of combining IBM API Management and IBM Integration Bus together to expose core backend systems in a controlled, managed and secured manner. It will also explore common use cases where these technologies are used together to provide a compelling solution.
DevSecOps: Integrating security into pipelines - SDD310 - AWS re:Inforce 2019 Amazon Web Services
"In this workshop, you practice running an environment with a test and production deployment pipeline. Along the way, we cover topics such as static code analysis, dynamic infrastructure review, and workflow types. You also learn how to update your process in response to security events. We write new AWS Lambda functions and incorporate them into the pipeline, and we consider capabilities such as AWS Systems Manager Parameter Store and AWS Secrets Manager.
This slide deck explores:
- WSO2 API Manager
- WSO2 Enterprise Integrator
- Component Architectures of the Products
- Deployment of products and scaling
- API facade pattern and other ways of Mediation
- API Security
Find out where we are heading next here: https://wso2.com/events/
클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic - 채현주 보안기술본부장, Openbase :: AWS Sum...Amazon Web Services Korea
스폰서 발표 세션 | 클라우드 환경에서의 SIEMLESS 통합 보안 서비스, Alert Logic
채현주 보안기술본부장, Openbase
클라우드 환경의 다양한 서비스로 인해 자산을 지키는 보안을 위한 작업은 더욱 복잡해지고 있다. 기존 온프라미스에서 해 오던 방식으로 클라우드 보안에 접근하는 것은 비용 및 자원활용 측면에서도 낭비이며, 기술의 발전 속도를 따라가기도 어렵다. 본 세션에서는 클라우드 환경의 보안 특성을 살펴보고 효율적인 보안시스템 구축을 위한 가이드를 제시하며, 아울러 전문적인 보안 지식이나 자체 구축 보안시스템 없이도 즉시 활용할 수 있는 Alert Logic의 보안 서비스를 소개한다.
apidays LIVE London 2021 - Application to API Security, drivers to the Shift ...apidays
apidays LIVE London 2021 - Reaching Maximum Potential in Banking & Insurance with API Mindset
October 27 & 28, 2021
API Architecture and Security
Application to API Security, drivers to the Shift
Doron Chema, CEO & Co-Founder at L7 Defense LTD.
GraphQL is widely adapted. As it becomes more popular, there are security considerations for hosting GraphQL services. In this, I cover a set of good practices and ideas that can be used to protect this exciting technology
DataPower can help protect against DoS/DDoS. This was created a while back, content is still valid for the DP. Update a little to call out some newer features.
This covers the discussions that I have with my teams and customers. Whenever someone states one is better over the others always make me concern. As there are pros and cons to each solutions. And depends on the circumstance and constraints that the solution needs to address, sometimes a combination of both solutions would work best. This deck breaks down how I see this problem space, and based on the experiences on having to implement both solutions with OAuth/OIDC/SAML/payload filter and varies discussions with customers/collegeas/experts.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
1. Integration Technical Conference 2019
Security Best
Practice
APIConnect&DataPower
ShiuFunPoon, STSM shiufun@us.ibm.com
KrithikaPrakash,STSM krithika.p@ibm.com
2. Important Disclaimers
• IBM Confidential. Unless specifically advised otherwise, you should assume that all the information in this presentation
(whether given in writing or orally) is IBM Confidential and restrict access to this information in accordance with the
confidentiality terms in place between your organization and IBM.
• Content Authority. The workshops, sessions and materials have been prepared by IBM or the session speakers and
reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the
effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness
and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express
or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this
presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of
the applicable license agreement governing the use of IBM software.
• Performance. Performance is based on measurements and projections using standard IBM benchmarks in a controlled
environment. The actual throughput or performance that any user will experience will vary depending upon many factors,
including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the
storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will
achieve results similar to those stated here.
• Customer Examples. Any customer examples described are presented as illustrations of how those customers have used
IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may
vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying
that any activities undertaken by you will result in any specific sales, revenue growth or other results.
• Availability. References in this presentation to IBM products, programs, or services do not imply that they will be
available in all countries in which IBM operates
3. Trademark Acknowledgements
• IBM, IBM API Connect, IBM DataPower Gateway are trademarks of
International Business Machines Corporation, registered in many
jurisdictions
• Other company, product and service names may be trademarks,
registered marks or service marks of their respective owners. A
current list of IBM trademarks is available on the web at "Copyright
and trademark information" ibm.com/legal/copytrade.html
8. APIc under the hook
• Internal services communicating vs mTLS
• Quorum, with 3 being the magic number
• APIc is the match maker, it introduces each subsystem to each others
• APIM, Portal, Analytics, Gateway
• How does APIM <-> Portal
• How does APIM <-> Analytics
• How does APIM <-> Gateway
• How does Portal <-> Analytics
• How does Gateway <-> Analytics
• Configurable, extensible
9.
10. API Manager
• User Registry support
• Authenticate URL
• LDAP (supports group authentication)
• Search DN
• Compose DN
• Compose UPN
• Local User Registry (LUR)
• Protection against timing attack
• Protection against brute force attack
• OIDC/Social Login (Federated Identity)
• Portal
• Admin/Provider Organization
• OOTB : Google, Facebook, Linkedin, Slack,
WindowLive, Github, Standard
• Public Key for Code Exchange
• Nonce
• Proxy tokens
• How is OIDC/Social Login
difference from v5
• Implication ?
11. API Manager
• User Registry support
• Authenticate URL
• LDAP (supports group authentication)
• Search DN
• Compose DN
• Compose UPN
• Local User Registry (LUR)
• Protection against timing attack
• Protection against brute force attack
• OIDC/Social Login (Federated Identity)
• Portal
• Admin/Provider Organization
• OOTB : Google, Facebook, Linkedin, Slack,
WindowLive, Github, Standard
• Public Key for Code Exchange
• Nonce
• Proxy tokens
• How is OIDC/Social Login
difference from v5
• Implication ?
12. API Manager
• Token (JWT)
• OAuth 2.0 (no basicauth, no more cookie)
• Role
• Custom role
• Token ttl (invitation, oauth 2)
• ttl
• Data at Rest
• Data at Transit
• Introduction of microservices to each others
• Webhook
13. API Manager
• API are published
• Publish in openapi v2 format
• apim vs consumer
• WebGUI/toolkits/portal/BYO
• RateLimit
Drinking Our Own Champagne
Get an access_token
access_token must contain the right scope
Permission is checked
Is token valid
Token contains necessary scope ?
Does User has the proper permission ?
14. Hardened Portal Security
Supports OpenID Connect for
accelerated developer on-boarding and
social login
Enable PSD2/ Open Banking
compliance to programmatically onboard
consumers using REST Management APIs
and OpenID Connect
Enhanced spam protection against
spam bots with CAPTCHA and honeypot
Detect and prevent malicious attacks
with perimeter and DNS check
Detect and prevent flood attacks
16. APIManager with Gateway
• Gateway must be 24 * 7 (without API manager)
• API gateway introduce a gateway director manager
• Using clustering technology to track configuration from APIM
• Heartbeat from APIm to make sure Gateway will have the latest information
• 911 protocol to handle catastrophic failure
• Gateway director allows auto scaling of the additional gateway
• Configuration/Key Materials
• State of the processing
17. 17
• Istio Integration for improved performance & security by
passing API header and tokens into Istio
• Open API V3 support to meet security industry standards (i.e.
PSD2) & improve reuse
• OpenBanking & PSD2 Compliant including flexible JWT and
OAuth features
• 5X Improved Performance with cloud-native API-centric
Gateway Service
• Fast Time to Value through Out of the Box policies for API
Gateway Service
• Enterprise Specific Security Support through OAuth flow
customization
• Expanded Security with OIDC, CAPTCHA, Perimeter, DNS
check on Portal, etc.
Performant and Secure
18. API Security leveraging AI and Machine Learning
18
Power your APIs with API Behavioral
Security (ABS), integrated with Ping
Intelligence to detect attacks against your
APIs
Detect and block cyberattacks that target
APIs, such as:
• Data, Application and System attacks
• API DDoS attacks
• Login Attacks (credential stuffing,
fuzzing, stolen cookies & tokens)
Easily enable AI-powered threat
protection on every API using Global Policy
support
+
https://www.pingidentity.com/en/platform/api-security.html
https://developer.ibm.com/apiconnect/2019/02/12/ping-identity-and-ibm-partner-to-protect-against-api-cyberattacks/
19. Under the hook
19
Pre-req : ase-token
Global Policy (x-correlationid)
Pre-hook :
is request ok ?
authorization header ?
appId ?
cookie ?
Post-hook :
backend response
redact (record) for learning
21. Secure & Manage GraphQL Endpoints
Next-Gen evolution of Gateway technology
beyond Web services and REST with
GraphQL support
Secure and Manage APIs with GraphQL
backends, efficiently managing compute
intensive services
Threat Protection against cyberattacks using
advance query complexity analysis to prevent
API-based attacks
Rate Limit GraphQL queries with consumer
plans based on number of API calls &
backend compute time
https://www.ibm.com/blogs/research/2019/02/graphql-api-management/
https://developer.github.com/v4/guides/resource-limitations/
22. 1. Access Control
• Who can access the data and what data
• APIc
• Client credential (application)
• User credential (who)
2. Load Control
• How much effort for the server to fulfill the request
• Complexity
• Type (object type)
• Resolve
• nesting
GraphQL Endpoints security breakdown
23. Up to 5X+ increased performance with natively
built API Gateway using purpose-built technology
for native OpenAPI/Swagger REST and SOAP
APIs
Multi-cloud scalability and extensibility to help
meet SLAs and improve client user experience
Optimized drag & drop built-in policies for
security, traffic control and mediation including
flexible OAuth, enhanced JSON & XML threat
protection
Secure to the core with self-contained signed &
encrypted image to minimize risk, plus proven
security policies to quickly protect APIs
Before: DP Multi protocol
Gateway Service
API call Backend
New: Native API
Gateway Service
API call Backend
Cloud-Native API Gateway Service in DataPower
API GW service
24. Policies for Enforcement on API Gateway Service
Gateway Script and XSLT policy support
provides flexible message mediation &
dynamic security enforcement
Dynamic Routing support through
Conditional Policy
Enforce strong security through Parse,
JSON and XML Schema Validation policy
OpenID Connect support to enable banks
to meet PSD2 / Open Banking regulations
OAuth Token revocation to enable self-
service token management
Foundational Security Mediation
Invoke API Key Map
Activity Log JWT Validate JSON-XML
Rate Limit JWT Generate Gateway Script
Throw OAuth Policy XSLT
Set Variable Parse
(Threat Detection)
Conditional Validate
User Security
OpenID Connect
Built-in policies
25. Rapid OAuth policy creation to quickly create
OAuth provider security without deep security
expertise
Improved governance capabilities on
managing OAuth providers with flexible
administrative access control to enforce
enterprise standards
Ability to meet business demands with
customizable OAuth assembly
New User Security policy to enforce
authentication & authorization in API assembly,
adapting to unique enterprise security needs
Meeting Security Needs through New Flexible
OAuth Provider
26. Feature list of OAuth in APIC V5, v2018+V5GW, v2018+APIGW
Features V4 V5 v2018 + V5 CompatGW v2018 + APIGW
Basic OAuth Support
Distinct Client ids and Secrets ⤫
Separate API ⤫
Access Control ⤫ ⤫
Seamless packaging within product ⤫
Tight coupling with Provider ⤫ ⤫ *
PKCE, Metadata, Token introspection, Revocation/Token
Management, Advanced scope handling
⤫
Customize OAuth Assembly ⤫ ⤫ ⤫
Dynamic configuration updates ⤫ ⤫ ** ⤫ **
Context variable driven ⤫ ⤫ ⤫
Independent Resource Owner Security ⤫ ⤫ ⤫
Out of the box OIDC support ⤫ ⤫ *** ⤫ ***
Out of the box JWT Authorization Grant ⤫ ⤫ ** ⤫ **
* Tight coupling is only at the APIManager API level, not in the backend V5 Gateway
** Can be done with gateway extension
*** Supported by a set of rule in the assembly
27. Rapid OAuth policy creation to quickly create
OAuth provider security without deep security
expertise
Improved governance capabilities on
managing OAuth providers with flexible
administrative access control to enforce
enterprise standards
Ability to meet business demands with
customizable OAuth assembly
New User Security policy to enforce
authentication & authorization in API assembly,
adapting to unique enterprise security needs
Meeting Security Needs through New Flexible OAuth Provider
30. Customizable
Ease of use
• Crypto material on per OAuth native provider (vs gateway level)
• End user credential gathering (context variable) *
• Consent handling
• Global Policy (and thus inject context variable for processing) *
• Token handling (white listing)
• Flexibility
• ….
31. What should I do
• Monitoring IBM PSIRT for IBM APIC (APIm, Portal, Analytics), IBM DataPower
• https://www.ibm.com/security/secure-engineering/process.html
• Timely upgrade/migration to a new version of firmware
• Balance your security needs vs platform offered (hardware vs ova vs docker vs ..)
• How about cloud ? ICP ?
• APIC Connect White Paper: https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN& (
• Security vs ease of use vs compatibility
• Performance/usage spike
• HA (rule of 3)
• Stateless (especially across Availability Zone)
• Gateway when used as part of APIC 2018, the configuration can be stored as in-memory
(default) vs flash (persist)
- Note that the sensitive information is available and exposed to the admin who has access to the gateway
- Recommendation : in-memory
32. Gateway specific
• Is WebGUI needed for production (or any ports)
• Isolate application request traffic from admin request traffic
• Automate deployment (which APIc solves)
• Monitoring gateway (DataPower Operations Dashboard)
• Set up RBM
• Set up Backup administrator (do NOT loss password)
• ACL
• mTLS with your backend services (with right cipher, protocol 1.2,
with EC, PFS)
33. Gateway specific
• Message validation (payload, size, nest level ..)
• Streaming vs no Streaming
• Payload redact
• SLM
• WhiteList vs BlackList
• Monitor tool (like DPOD), latency, cpu, memory ..
• Noisy neighbor (tenant vs application domain – work load isolation)
- Different version of DP is running
- Protect against noisy neighbor
34. Gateway specific
• GWS is expensive
• Context variable access is expensive
• Most of DP extension function is not available thru GWS
• Debug level is expensive (especially probe – payload sensitive data can leak)
• Log is best effort only (except audit event)
• By default, GW will ship what we consider as the secure setting
• Key material can be stored in local:///, this means the crypto material can be exported with
domain export. Do consider keeping key material (especially private key and shared secret)
in cert:/// sharedcert:///. Those 2 directories are with roach motel, the key material cannot
be exported by GW. It can only be accessible thru secure backup and restore, which is
protected by a couple keys, and only another DataPower can import and access the data.
(roach motel model)
• Use HSM if paranoid is needed
35. From you, our audiences
• Your feedbacks ?
• What would you like to see ?
• What can you share with each others on your experience ? Good or
Bad