In graph we trust: Microservices, GraphQL and security challenges - Mohammed A. Imran
Microservices, RESTful and API-first architectures are rage these days and rightfully so, they solve some of the challenges of modern application development. Microservices enable organisations in shipping code to production faster and is accomplished by dividing big monolithic applications into smaller but specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls and frontend/backend gaps etc.,). GraphQL provides a powerful way to solve some of these challenges but with great power, comes great responsibility. GraphQL reduces the attack surface drastically(thanks to LangSec) but there are still many things which can go wrong.
This talk will cover the risks associated with GraphQL, challenges and solutions, which help in implementing Secure GraphQL based APIs. We will start off with introduction to GraphQL and its benefits. We then discuss the difficulty in securing these applications and why traditional security scanners don’t work with them. At last, we will cover solutions which help in securing these API by shifting left in DevOps pipeline.
We will cover the following as part of this presentation:
GraphQL use cases and how unicorns use them
Benefits and security challenges with GraphQL
Authentication and Authorisation
Resource exhaustion
Backend complexities with microservices
Need for tweaking conventional DevSecOps tools for security assurance
Security solutions which works with GraphQL
This document discusses security testing for RESTful applications. It begins with an introduction to RESTful web services and how they differ from SOAP web services in using HTTP methods to indicate actions and embedding parameters in requests. It notes challenges in testing RESTful applications including that documentation may not reveal the full attack surface and requests can be dynamically generated. It recommends using documentation, proxies, and fuzzing to determine parameters and potential vulnerabilities. The document concludes by discussing how automated pen testing works by crawling to determine the attack surface through both links and emulated JavaScript to find dynamic requests.
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
We already showed you how to build a Beautiful REST+JSON API(http://www.slideshare.net/stormpath/rest-jsonapis), but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here’s our playbook on how to secure a REST API.
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
Enterprise API adoption has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed.
This session focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question - and you need to deal with it quite carefully to identify and isolate the tradeoffs. Security is not an afterthought. It has to be an integral part of any development project - so as for APIs. API security has evolved a lot in last five years. This talk covers best practices in building an API Security Ecosystem with OAuth 2.0, UMA, SCIM, XACML and LDAP.
The document discusses various authentication and authorization methods for REST APIs, including API keys, signatures, OAuth 1.0, and OAuth 2.0. It provides details on implementing authentication with an API key, secret key, or signature for identity and authorization. The document contrasts OAuth 1.0 and 2.0, covering their concepts, authentication flows, and differences. It also discusses using OAuth for SSO, refreshing tokens, and consuming secured RSS/ATOM feeds, as well as validating state, data consistency, and enforcing authorization with REST services.
This document discusses best practices for building an API security ecosystem, including using a gateway pattern to decouple clients from APIs, various methods for direct authentication of internal users like HTTP basic authentication and OAuth, auditing and monitoring APIs, and externalizing authorization using standards like XACML. It also covers cross-domain access, distributed authorization with resource servers, and user-managed access models.
This document discusses security testing for RESTful applications. It begins with an introduction to RESTful web services and how they differ from SOAP web services in using HTTP methods to indicate actions and embedding parameters in requests. It notes challenges in testing RESTful applications including that documentation may not reveal the full attack surface and requests can be dynamically generated. It recommends using documentation, proxies, and fuzzing to determine parameters and potential vulnerabilities. The document concludes by discussing how automated pen testing works by crawling to determine the attack surface through both links and emulated JavaScript to find dynamic requests.
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
We already showed you how to build a Beautiful REST+JSON API(http://www.slideshare.net/stormpath/rest-jsonapis), but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here’s our playbook on how to secure a REST API.
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
Enterprise API adoption has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed.
This session focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question - and you need to deal with it quite carefully to identify and isolate the tradeoffs. Security is not an afterthought. It has to be an integral part of any development project - so as for APIs. API security has evolved a lot in last five years. This talk covers best practices in building an API Security Ecosystem with OAuth 2.0, UMA, SCIM, XACML and LDAP.
The document discusses various authentication and authorization methods for REST APIs, including API keys, signatures, OAuth 1.0, and OAuth 2.0. It provides details on implementing authentication with an API key, secret key, or signature for identity and authorization. The document contrasts OAuth 1.0 and 2.0, covering their concepts, authentication flows, and differences. It also discusses using OAuth for SSO, refreshing tokens, and consuming secured RSS/ATOM feeds, as well as validating state, data consistency, and enforcing authorization with REST services.
This document discusses best practices for building an API security ecosystem, including using a gateway pattern to decouple clients from APIs, various methods for direct authentication of internal users like HTTP basic authentication and OAuth, auditing and monitoring APIs, and externalizing authorization using standards like XACML. It also covers cross-domain access, distributed authorization with resource servers, and user-managed access models.
OAuth is an open standard for authorization that allows users to share private resources, such as photos or email, stored on one website with another website or application without having to share their passwords. It allows third party applications to access protected resources by obtaining temporary access tokens from the resource owner by authenticating with the resource server. The document discusses the roles, security aspects, implementations, and advantages of using the OAuth standard for authorization in web APIs and applications.
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
Have you ever wondered how single-sign-on on sites like Google and Facebook works? Are you a fan of stateless application architectures? Do you want to learn how to put together a modern security approach for your next Spring Boot project? If the answer is yes, to anything above, then this session is for you. Dmitry will explain what is OAuth 2.0 and JWT, why are they popular, and how to integrate them in Java project.
This document discusses using JSON Web Tokens (JWT) for authentication with AngularJS. It begins with an overview of JWT, explaining that they are composed of a header, payload, and signature. The payload contains claims about the user like ID, expiration, and scope. JWTs can be issued by a server and verified by the signature without needing a database lookup. The document then discusses storing and transmitting JWTs securely in cookies rather than local storage due to cross-site scripting vulnerabilities. It provides examples of using JWTs to determine if a user is logged in and if they have access to a particular view in Angular using resolves, events, and checking the token payload.
The document discusses OAuth 2.0 and how it addresses issues with traditional approaches to authorizing third party access to user accounts and resources. It provides an overview of OAuth 2.0 concepts like authorization grants, access tokens, refresh tokens, and the roles of the client, resource owner, authorization server and resource server. It then describes the authorization code grant flow and client credentials flow in more detail through examples. The goal is to explain how OAuth 2.0 works and how it can be used to securely authorize access to resources while avoiding the risks of directly sharing user credentials.
This document provides an agenda for a presentation on comprehensive web application attacks. The presenter, Ahmed Sherif, has over 5 years of experience in penetration testing and web application security. The agenda includes an overview of security in corporations and web technologies, the OWASP security testing methodology, common web attacks like XSS and SQL injection, and a demo of these attacks. The goal is to educate attendees on how to identify and address vulnerabilities in web applications.
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
This document summarizes an API security and federation patterns presentation given at QCon San Francisco in 2013. It discusses common API security components like authorization servers and resource servers. It then covers various authorization server patterns for issuing access tokens, including two-way token issuing, redirection-based token issuing, nested handshakes, and federated handshakes. It also discusses vulnerabilities like phishing attacks and ways to mitigate risks. Finally, it briefly touches on managing API security through frameworks that integrate authorization servers and other components.
This document discusses REST APIs and how to attack them. It begins by explaining what REST APIs are and how they map CRUD operations to HTTP verbs like GET, POST, PUT, DELETE. It then covers REST architecture constraints like using resources and representations. The document outlines how to interact with APIs through requests and responses. It provides examples of enumeration, injection, authentication vulnerabilities and how to test authorization, rate limiting, SSL and information disclosure. It concludes with discussing cross-site request forgery attacks on REST APIs.
The document discusses the history and evolution of OAuth authentication standards. It describes OAuth1 which introduced the concept of authorizing access to user accounts without sharing usernames and passwords. OAuth2 improved on OAuth1 by supporting additional platforms beyond web and allowing additional user information to be stored by the authorization server. OAuth2 defines common grant types like authorization code, password, and client credentials flows. It also outlines the basic request and response formats involving access tokens.
The document discusses OAuth2 and Spring Security. It provides an overview of OAuth2 concepts including the four main roles (resource owner, resource server, client, and authorization server), four common grant types (authorization code, implicit, resource owner password credentials, and client credentials), and how to implement OAuth2 flows in Spring Security. Sample OAuth2 applications using Spring Security are also mentioned.
This document summarizes Rob Daigneau's presentation on securing web services. It discusses the OWASP 2013 top 10 security risks and their relevance to web services. For each risk, it provides a brief description, potential impact, and recommendations for mitigation strategies specific to web services, such as implementing access controls, encrypting sensitive data, and validating all user input.
XSS (cross-site scripting) is a common web vulnerability that allows attackers to inject client-side scripts. The document discusses various types of XSS attacks and defenses against them. It covers:
1) Reflected/transient XSS occurs when untrusted data in URL parameters is immediately displayed without sanitization. Stored/persistent XSS occurs when untrusted data is stored and later displayed. DOM-based XSS manipulates the DOM.
2) Defenses include HTML/URL encoding untrusted data before displaying it, validating all inputs, and using context-specific encoding for HTML elements, attributes, JavaScript, and URLs.
3) The OWASP Java Encoder Project and Microsoft Anti
The document summarizes the OWASP Top 10 risks for 2013 and provides details on each risk. It introduces the new title for the risks as the "Top 10 Most Critical Web Application Security Risks" and notes they are now based on a risk rating methodology. Injection, XSS, and broken authentication remain the top risks. The document provides examples and recommendations for avoiding each risk.
Slides from Apache Shiro User Group presentation by Les Hazlewood on API design and RESTful API security using Shiro. Demonstrates design and security principles using Stormpath API.
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
The document provides an overview of the history and development of OAuth standards for authorization. It describes some of the issues with early implementations that prompted the creation of OAuth 1.0, including services storing user passwords and lack of ability to revoke access. OAuth 1.0 introduced signatures to address these issues. OAuth 2.0 replaced signatures with HTTPS and defines common flows for different use cases, including authorization code, implicit, password, and client credentials grants.
The document introduces OpenSocial, a set of common APIs for building social applications across different social networks. It discusses what OpenSocial is, why it is important, its technical details including JavaScript APIs and the Shindig container software. It provides an overview of OpenSocial and highlights some key partners working on it.
The liferay case: lessons learned evolving from RPC to Hypermedia REST APIsJorge Ferrer
Liferay is an open source platform started in 2000, long before the term “Web API” existed. One early characteristic of Liferay has been its great extensibility, which included providing a featureful HTTP API to access its functionalities since the very beginning. Initially this API used SOAP (as well as other less used protocols). Later a new “RESTful” option was added, leveraging HTTP+JSON and it became much more popular (even though it was at Level 0 in Richardson Maturity Model). However, both approaches lead users of the API to have a high coupling that makes the evolution of the APIs a challenging task. So we started wondering, isn’t there a better way to build APIs in 2017?
This session explains our search to find a better alternative and what we learned along the way.
It focuses on how we have adopted Hypermedia and Shared Vocabularies to create a new breed of APIs that we believe form the secret ingredients that solve the most important challenge we have in the API Economy: evolvability. We are now successfully applying this type of APIs in all of our products, on premise, cloud based, … even internal.
We have found that once you know how and build some common foundation, all the barriers to build evolvable APIs disappear. We learned from many others along the way and want to contribute back by sharing our experience.
OAuth is an open standard for authorization that allows users to share private resources, such as photos or email, stored on one website with another website or application without having to share their passwords. It allows third party applications to access protected resources by obtaining temporary access tokens from the resource owner by authenticating with the resource server. The document discusses the roles, security aspects, implementations, and advantages of using the OAuth standard for authorization in web APIs and applications.
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
Have you ever wondered how single-sign-on on sites like Google and Facebook works? Are you a fan of stateless application architectures? Do you want to learn how to put together a modern security approach for your next Spring Boot project? If the answer is yes, to anything above, then this session is for you. Dmitry will explain what is OAuth 2.0 and JWT, why are they popular, and how to integrate them in Java project.
This document discusses using JSON Web Tokens (JWT) for authentication with AngularJS. It begins with an overview of JWT, explaining that they are composed of a header, payload, and signature. The payload contains claims about the user like ID, expiration, and scope. JWTs can be issued by a server and verified by the signature without needing a database lookup. The document then discusses storing and transmitting JWTs securely in cookies rather than local storage due to cross-site scripting vulnerabilities. It provides examples of using JWTs to determine if a user is logged in and if they have access to a particular view in Angular using resolves, events, and checking the token payload.
The document discusses OAuth 2.0 and how it addresses issues with traditional approaches to authorizing third party access to user accounts and resources. It provides an overview of OAuth 2.0 concepts like authorization grants, access tokens, refresh tokens, and the roles of the client, resource owner, authorization server and resource server. It then describes the authorization code grant flow and client credentials flow in more detail through examples. The goal is to explain how OAuth 2.0 works and how it can be used to securely authorize access to resources while avoiding the risks of directly sharing user credentials.
This document provides an agenda for a presentation on comprehensive web application attacks. The presenter, Ahmed Sherif, has over 5 years of experience in penetration testing and web application security. The agenda includes an overview of security in corporations and web technologies, the OWASP security testing methodology, common web attacks like XSS and SQL injection, and a demo of these attacks. The goal is to educate attendees on how to identify and address vulnerabilities in web applications.
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management
This document summarizes an API security and federation patterns presentation given at QCon San Francisco in 2013. It discusses common API security components like authorization servers and resource servers. It then covers various authorization server patterns for issuing access tokens, including two-way token issuing, redirection-based token issuing, nested handshakes, and federated handshakes. It also discusses vulnerabilities like phishing attacks and ways to mitigate risks. Finally, it briefly touches on managing API security through frameworks that integrate authorization servers and other components.
This document discusses REST APIs and how to attack them. It begins by explaining what REST APIs are and how they map CRUD operations to HTTP verbs like GET, POST, PUT, DELETE. It then covers REST architecture constraints like using resources and representations. The document outlines how to interact with APIs through requests and responses. It provides examples of enumeration, injection, authentication vulnerabilities and how to test authorization, rate limiting, SSL and information disclosure. It concludes with discussing cross-site request forgery attacks on REST APIs.
The document discusses the history and evolution of OAuth authentication standards. It describes OAuth1 which introduced the concept of authorizing access to user accounts without sharing usernames and passwords. OAuth2 improved on OAuth1 by supporting additional platforms beyond web and allowing additional user information to be stored by the authorization server. OAuth2 defines common grant types like authorization code, password, and client credentials flows. It also outlines the basic request and response formats involving access tokens.
The document discusses OAuth2 and Spring Security. It provides an overview of OAuth2 concepts including the four main roles (resource owner, resource server, client, and authorization server), four common grant types (authorization code, implicit, resource owner password credentials, and client credentials), and how to implement OAuth2 flows in Spring Security. Sample OAuth2 applications using Spring Security are also mentioned.
This document summarizes Rob Daigneau's presentation on securing web services. It discusses the OWASP 2013 top 10 security risks and their relevance to web services. For each risk, it provides a brief description, potential impact, and recommendations for mitigation strategies specific to web services, such as implementing access controls, encrypting sensitive data, and validating all user input.
XSS (cross-site scripting) is a common web vulnerability that allows attackers to inject client-side scripts. The document discusses various types of XSS attacks and defenses against them. It covers:
1) Reflected/transient XSS occurs when untrusted data in URL parameters is immediately displayed without sanitization. Stored/persistent XSS occurs when untrusted data is stored and later displayed. DOM-based XSS manipulates the DOM.
2) Defenses include HTML/URL encoding untrusted data before displaying it, validating all inputs, and using context-specific encoding for HTML elements, attributes, JavaScript, and URLs.
3) The OWASP Java Encoder Project and Microsoft Anti
The document summarizes the OWASP Top 10 risks for 2013 and provides details on each risk. It introduces the new title for the risks as the "Top 10 Most Critical Web Application Security Risks" and notes they are now based on a risk rating methodology. Injection, XSS, and broken authentication remain the top risks. The document provides examples and recommendations for avoiding each risk.
Slides from Apache Shiro User Group presentation by Les Hazlewood on API design and RESTful API security using Shiro. Demonstrates design and security principles using Stormpath API.
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
The document provides an overview of the history and development of OAuth standards for authorization. It describes some of the issues with early implementations that prompted the creation of OAuth 1.0, including services storing user passwords and lack of ability to revoke access. OAuth 1.0 introduced signatures to address these issues. OAuth 2.0 replaced signatures with HTTPS and defines common flows for different use cases, including authorization code, implicit, password, and client credentials grants.
The document introduces OpenSocial, a set of common APIs for building social applications across different social networks. It discusses what OpenSocial is, why it is important, its technical details including JavaScript APIs and the Shindig container software. It provides an overview of OpenSocial and highlights some key partners working on it.
The liferay case: lessons learned evolving from RPC to Hypermedia REST APIsJorge Ferrer
Liferay is an open source platform started in 2000, long before the term “Web API” existed. One early characteristic of Liferay has been its great extensibility, which included providing a featureful HTTP API to access its functionalities since the very beginning. Initially this API used SOAP (as well as other less used protocols). Later a new “RESTful” option was added, leveraging HTTP+JSON and it became much more popular (even though it was at Level 0 in Richardson Maturity Model). However, both approaches lead users of the API to have a high coupling that makes the evolution of the APIs a challenging task. So we started wondering, isn’t there a better way to build APIs in 2017?
This session explains our search to find a better alternative and what we learned along the way.
It focuses on how we have adopted Hypermedia and Shared Vocabularies to create a new breed of APIs that we believe form the secret ingredients that solve the most important challenge we have in the API Economy: evolvability. We are now successfully applying this type of APIs in all of our products, on premise, cloud based, … even internal.
We have found that once you know how and build some common foundation, all the barriers to build evolvable APIs disappear. We learned from many others along the way and want to contribute back by sharing our experience.
Securing APIs with Open Standards provides tips for securing APIs from the Synack Red Team. It discusses using OpenAPI definitions to document APIs, embracing open box testing, and balancing security and adoption through developer relations. It also demonstrates how insecure user input validation can allow access to private data stored in AWS S3 buckets and how Salesforce record IDs can be brute forced to enable unauthorized access if not properly secured. The presentation emphasizes designing APIs with security in mind, adopting standards like OpenAPI, and balancing security testing with developer onboarding.
The document introduces OpenSocial, a set of common APIs for building social applications across different websites. It discusses why OpenSocial is important for allowing developers to write applications using a standard API that can run on multiple social networks. It provides an overview of the OpenSocial JavaScript APIs for accessing user and friend data, activities, and persistence. It also discusses the Shindig container software and plans for upcoming REST APIs. The presentation aims to explain what OpenSocial is and its potential to increase application distribution and the social aspects of the web.
This document summarizes a presentation about bridging the gap between RESTful APIs and Linked Data using GitHub and SPARQL queries. It discusses how grlc maps GitHub repositories of SPARQL queries to Swagger API specifications and endpoints to provide RESTful access to Linked Data without having to code and maintain separate APIs. Features like content negotiation, pagination, caching and containerization are described to improve the usability and performance of the generated APIs. The presentation concludes by demonstrating how grlc allows flexible organization of SPARQL queries and separation of query curation from client applications.
API Documentation Workshop tcworld India 2015Tom Johnson
This is a workshop I gave on API documentation at tcworld India 2015. The workshop covers 3 main areas:
- General overview of API documentation
- Deep dive into REST API documentation
- Deep dive into Javadoc documentation
GraphQL - The new "Lingua Franca" for API-Developmentjexp
Three years ago, with the release of the GraphQL specification, Facebook took a fresh stab at the topic of "API design between remote services and applications." The key aspects of GraphQL provide a common, schema-based, domain-specific language and flexible, dynamic queries at interface boundaries.
In the talk, I'd like to compare GraphQL and REST and showcase benefits for developers and architects using a concrete example in application and API development, data source and system integration.
This document provides an overview of REST APIs and automated API documentation solutions. It discusses REST architecture and best practices for documenting REST APIs. It also covers popular automated documentation solutions like Swagger and RAML that can generate reference documentation from API specifications. The document demonstrates how to use Swagger and RAML specifications to automatically generate API documentation websites and interactive consoles. It compares the pros and cons of Swagger versus RAML and provides examples of professionally designed API documentation websites.
GraphQL is a query language for APIs that was created by Facebook in 2012. It allows clients to define the structure of the data required, and exactly the data they need from the server. This prevents over- and under-fetching of data. GraphQL has grown in popularity with the release of tools like Apollo and GraphQL code generation. GraphQL can be used to build APIs that integrate with existing backend systems and databases, with libraries like Express GraphQL and GraphQL Yoga making it simple to create GraphQL servers.
Hot Topics: The DuraSpace Community Webinar Series,
“Introducing DSpace 7: Next Generation UI”
Curated by Claire Knowles, Library Digital Development Manager, The University of Edinburgh.
Introducing DSpace 7
February 28, 2017 presented by: Claire Knowles - The University of Edinburgh, Art Lowel - Atmire, Andrea Bollini - 4Science, Tim Donohue – DuraSpace
Mining public datasets using opensource tools: Zeppelin, Spark and Jujuseoul_engineer
There are plenty of public datasets out there available and the number is growing. Few recent and most useful of BigData ecosystem tools are showcased: Apache Zeppelin (incubating), Apache Spark and Juju.
Nicolas Grenie's presentation from HTML5 Dev Conf. 2014:
There is currently a major shift sweeping over the software industry. With each passing day the world is becoming more and more API-driven. When building an API there are many design options and Hypermedia is the new emerging way of designing APIs. Hypermedia APIs are widely used by companies such as Paypal and Amazon. In this session I will discuss the principles of Hypermedia APIs and the different ways to implement one in Node.js. I will first introduce you to a basic implementation using Express and then move on to a more advanced solution using a dedicated framework: Fortune.js. I will also share my experience of building APIbunny (http://apibunny.com), an API-driven easter game.
This document discusses Elsevier's SciVerse platform and developer network. It introduces SciVerse as a social network for scientific search and content that uses OpenSocial standards. It describes how SciVerse extends Apache Shindig to make apps contextual. It also discusses SciVerse's framework and content APIs that allow apps to access scientific content and metadata. Finally, it provides examples of object-oriented JavaScript coding and using the APIs to build mashups with third-party services.
This document discusses Elsevier's SciVerse platform and developer network. It introduces SciVerse as a social network for scientific search and content that uses OpenSocial standards. It describes how SciVerse extends Apache Shindig to make apps contextual. It also discusses SciVerse's framework and content APIs that allow apps to access scientific content and metadata. Finally, it provides examples of object-oriented JavaScript coding and using the APIs to build mashups with third-party services.
OpenAPI v.Next - Events, Alternative Schemas & the Road AheadTed Epstein
-- Presented at KCDC 2018 --
The OpenAPI Specification, already the most widely used REST API description language, is growing fast, and evolving to meet the challenges that come with broad adoption in a dynamic and diverse API ecosystem. In this session, we'll get up to speed with the latest developments in the OpenAPI spec, the tools ecosystem and member community. We'll show highlighted features of last year's major 3.0 release, dive into the new design capabilities currently in progress, and discuss the evolving roadmap for 3.x, 4.x and beyond.
Going to Infinity and Beyond Documentation with OpenAPITaylor Barnett
Given at DevXCon SF 2018. Another version focused on technical writers was given at API the Docs Paris 2018.
Having an OpenAPI Specification (OAS) is a useful document for improving the developer experience of an API. The most common use case being the ease of generating API reference documentation, but it overshadows some additional benefits that you can gain from adopting the OpenAPI Specification. This talk will delve into the hidden value of the OpenAPI Specification, and how you can employ it to your advantage.
Some topics include: Design-first APIs, Mocking, Feedback Loops, Testing, and more.
An overview of 5 new API design trends. For each, I briefly summarize, show sample code, insert community opinions, showcase open source tooling, and find examples.
- Developer Experience
- GraphQL
- AsyncAPI
- OpenAPI Specification
- OAuth & OpenID Connect
The document discusses tips for crafting APIs according to REST principles. It outlines best practices like using nouns for resource identifiers, applying CRUD operations consistently via POST, GET, PUT, DELETE, and including hypermedia links to allow navigating through application states. Other topics covered include API versioning, error handling, and choosing an implementation technology based on performance needs like number of daily accesses. The document emphasizes designing APIs pragmatically with the goal of making them easy for application developers to use.
Similar to In graph we trust: Microservices, GraphQL and security challenges (20)
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
In Practical DevSecOps - DevSecOps Live online meetup, you’ll learn Automating security tests using Selenium and OWASP ZAP.
Join Srinivas, Red Team Member at Banking Industry, also Offensive Security Certified Professional(OSCP) and Offensive Security Certified Expert(OSCE.
He will cover Automating security tests using Selenium and OWASP ZAP.
In this intriguing meetup, you will learn:
1. Introduction to automated vulnerability scans and their limitations.
2. A short introduction to how functional tests can be useful in performing robust security tests.
3. Introduction to selenium and OWASP ZAP
4. Proxying selenium tests through OWASP ZAP
5. Invoking authenticated active scans using OWASP ZAP
6. Obtaining scan reports
… and more useful takeaways!
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
In this Practical DevSecOps's DevSecOps Live online meetup, you’ll learn DevSecOps Challenges and Opportunities.
Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey.
He will cover DevSecOps challenges he has faced and how he converted them into opportunities.
He will cover the following as part of the session.
DevSecOps Challenges.
DevSecOps Opportunities.
Converting Challenges into Opportunities.
Quick wins and lessons learned.
… and more useful takeaways!
Security is tough and is even tougher to do, in complex environments with lots of dependencies and monolithic architecture. With emergence of Microservice architecture, security has become a bit easier however it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/Microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, ansible, consul, vault, etc., can be used to scale/strengthen the security program for free.
More details here - https://www.practical-devsecops.com/
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
The document lists several security experts and their areas of expertise, including browser security, exploit research, reverse engineering, malware analysis, and mobile security. It also lists core team members from Null SG and security professionals affiliated with ThoughtWorks, Akamai, KPMG, Ebay, and SMU.
This is the part 1 of the series on exploit research and development given as part of the null humla at Singapore. More details at www.meetup.com/Null-Singapore-The-Open-Security-Community/events/230268953/
NullOpenSecurity is an active open security community that brings together penetration testers, security managers, security admins, and ninjas. The community aims to make the internet a more secure place. It hosts monthly meetups to discuss security topics. It also organizes hands-on hacking and security workshops throughout the year. The community provides opportunities for learning, networking, and getting involved in the security industry. Members get discounts on the annual security conference and can speak at events. The summary aims to introduce the key aspects and goals of the NullOpenSecurity community.
Cross-site scripting (XSS) is an injection attack where malicious scripts are injected into otherwise trusted sites. There are three main types of XSS attacks: reflected XSS occurs via URLs, stored XSS occurs when scripts are stored in a database and delivered to users, and DOM-based XSS modifies the DOM environment. XSS attacks can lead to issues like session hijacking, phishing, and port scanning. Developers can prevent XSS by validating and encoding untrusted data, and using HTTP-only and secure flags for cookies.
This presentation covers very basics of assembly language with some computer organization concept. I took this session as part of on going series on assembly at NULL Hyderabad meets. PART II will cover instruction sets and more in detail.
This document provides an overview of zero-day vulnerabilities and techniques for discovering them, including source code auditing and fuzzing. It discusses identifying entry points, input validations, and vulnerable functions by analyzing source code. Fuzzing is introduced as providing invalid or unexpected data to test for crashes or failures. Common fuzzing methods and the fuzzing lifecycle are outlined. Specific tools for source code auditing like RIPS and fuzzing like JBroFuzz are also mentioned.
Microservice Teams - How the cloud changes the way we workSven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
Unveiling the Advantages of Agile Software Development.pdfbrainerhub1
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
SMS API Integration in Saudi Arabia| Best SMS API ServiceYara Milbes
Discover the benefits and implementation of SMS API integration in the UAE and Middle East. This comprehensive guide covers the importance of SMS messaging APIs, the advantages of bulk SMS APIs, and real-world case studies. Learn how CEQUENS, a leader in communication solutions, can help your business enhance customer engagement and streamline operations with innovative CPaaS, reliable SMS APIs, and omnichannel solutions, including WhatsApp Business. Perfect for businesses seeking to optimize their communication strategies in the digital age.
UI5con 2024 - Bring Your Own Design SystemPeter Muessig
How do you combine the OpenUI5/SAPUI5 programming model with a design system that makes its controls available as Web Components? Since OpenUI5/SAPUI5 1.120, the framework supports the integration of any Web Components. This makes it possible, for example, to natively embed own Web Components of your design system which are created with Stencil. The integration embeds the Web Components in a way that they can be used naturally in XMLViews, like with standard UI5 controls, and can be bound with data binding. Learn how you can also make use of the Web Components base class in OpenUI5/SAPUI5 to also integrate your Web Components and get inspired by the solution to generate a custom UI5 library providing the Web Components control wrappers for the native ones.
What is Master Data Management by PiLog Groupaymanquadri279
PiLog Group's Master Data Record Manager (MDRM) is a sophisticated enterprise solution designed to ensure data accuracy, consistency, and governance across various business functions. MDRM integrates advanced data management technologies to cleanse, classify, and standardize master data, thereby enhancing data quality and operational efficiency.
Most important New features of Oracle 23c for DBAs and Developers. You can get more idea from my youtube channel video from https://youtu.be/XvL5WtaC20A
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemPeter Muessig
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Découvrez les dernières innovations de Neo4j, et notamment les dernières intégrations cloud et les améliorations produits qui font de Neo4j un choix essentiel pour les développeurs qui créent des applications avec des données interconnectées et de l’IA générative.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Transform Your Communication with Cloud-Based IVR SolutionsTheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
WWDC 2024 Keynote Review: For CocoaCoders AustinPatrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
12. GraphQL History
Gold Rush201620152012 2017
Github previewed its
GraphQL API v4
GITHUB
Facebook started working
on it.
START
Github, pinterest, Spotify,
twitter and many more
Members
Facebook open sourced
GraphQL
PUBLIC RELEASE
13. GraphQL
GraphQL is a query language for APIs and a runtime for
fulfilling those queries with your existing data.
GraphQL provides a complete and understandable description of
the data in your API, gives clients the power to ask for exactly what
they need and nothing more, makes it easier to evolve APIs over
time, and enables powerful developer tools.
source: graphql.org
14. Multiple resources in one request (speed)
Versioning hell
Schema Introspection
Simple and Efficient to use
Benefits & Use Cases
33. https://api.site.com/v1
{ REST API }
type Query {
hero: Character
}
type Character {
name: String
friends: [Character]
}
type Query {
hero: Character
}
type Character {
name: String
friends: [Character]
planet: String
}
v1 v2
https://api.site.com/v2
52. The microservice architectural style is an
approach to developing a single application
as a suite of small services, each running in
its own process and communicating with
lightweight mechanisms, often an HTTP
resource API.
µ
Microservices
µ
µ
58. New tech, SAST on backend is not mature.
Use existing tools and code review
59. DAST can be automated using existing
Developer tooling like tests, run
via selenium and pump it through proxy
Or
Use curl to create custom queries.
60. OAST is still possible.
OAST- Made up term for Open source Application
Component Security Testing.
65. A virtual environment to learn and
teach DevSecOps concepts.
Its easy to get started and is mostly
automatic.
DevSecOps
Studio
https://github.com/teacheraio/DevSecOps-Studio/
66. Easy to setup
Takes only few mins to setup and
start using with just one command
A
Reproducible
The aim of this project is to
setup reproducible
DevSecOps Lab environment
for learning and testing
different tools.
B
Free & Open
Source Software
This project is a free
and open software to
help more people learn
about DevSecOps
C
DevSecOps
Studio Benefits
67. Conway’s Law
Any organization that designs a system
(defined broadly) will produce a design
whose structure is a copy of the
organization's communication structure.
“