Thursday, April 10, 2014


Once again Kin Lane nails it, saying that the response to the Heartbleed OpenSSL vulnerability says a lot about a company:

I'm happy to say that the Axway support team has reacted extremely fast to Heartbleed, producing support notes for Axway's many products which I am equally happy to say are not affected by the vulnerability. This includes the API Gateway, formerly known as the Vordel Gateway. Just take a look at the screenshot of the Axway support portal below, to see all the new Knowledge Base articles about Heartbleed. And if you're a customer, login and check all the Knowledge Base articles at

Friday, April 4, 2014

Another API Breach - this time Tesla

Vincent Papaleo in Belgium's L'Echo has written an article this week about the API breach discovered in Tesla's API ("On peut hacker une Tesla!"). This is just one in a series of recent API vulnerabilities, following Snapchat and Buffer and others, but is the first to apply to an Internet of Things case.

The good news is that there is a solution: Secure your API. The recommendations for protecting APIs from attack still apply: Apply API throttling and quotas, adopt a "Deny by Default" posture for your APIs, have full visibility of your API usage, and get alerts on anomalies. This isn't the last API vulnerability story we'll see. As we said at the time of the Snapchat API breach: Don't let your API be next.

Tuesday, March 25, 2014

Going Dutch - upcoming Cloud and API events in the Netherlands over the next 10 days

Shortly I'm departing for the Netherlands for three events - hope to see you at one or more of these:

Thursday 27 March:
I'm speaking at the API Strategy event in Amsterdam as part of the Security and Testing panel, with folks from Intel/Mashery, WS02, and Twobo.  Looking forward to some good discussion on API security and API testing.

Tuesday 1 April:
I'm speaking at the Cloud Security Alliance SecureCloud event, also in Amsterdam. My talk is on protecting your Cloud APIs from Denial-of-Service. Look like some great sessions there from Coca Cola, from telecoms providers including BT and Belgacom, and from many governments.

Thursday 3 April:
Along with Simon Redfern from the Open Bank Project and Menno Abbink from Essent, I am speaking at the API Workshop event in Utrecht. We'll be covering hand-on examples of connecting to SalesForce APIs, OAuth 2.0, and developing an Android app to use APIs - more info in this blog post yesterday.

Monday, March 24, 2014

API Workshop in the Netherlands, April 3 - with Essent, Open Bank, and Axway - Covering Mobile, OAuth, Cloud

Following our recent API Workshops in Australia and New Zealand, the next port of call is The Netherlands, where we are running an API Workshop on April 3 in Utrecht.

For people who haven't been to an API Workshop, here's a quick description of the format: It's a half-day event, beginning with presentations by real live API practitioners speaking about the experiences. Following these presentations and Q&A, we then look at the technology behind APIs. At the Netherlands event, I'm very pleased to say that we have two great speakers lined up:

Firstly there is Simon Redfern from the Open Bank Project. I've followed the innovative work of the Open Bank Project for a while now. Here's a great introduction to their work by Tom Groenfeldt at Forbes. Simon will be speaking about how APIs enable a bank to operate as a platform.

The second speaker is Menno Abbink from Essent (largest electricity utility in the Netherlands). Menno has deployed APIs in the Cloud, on Amazon Web Services, and in fact shared the stage with Werner Vogels (CTO at Amazon) to speak about them at last year's AWS Summit in Amsterdam. Menno gave a fantastic talk at our last API Workshop in Brussels, covering APIs for household electricity usage and electrical vehicles. At the API Workshop on April 3, Menno is speaking about "Cloud to Ground integration", linking from APIs in the Cloud to an on-premises ESB. Here is a great introduction to Menno's work in this profile by Jan Stafford at TechTarget.

So it really is a privilege to have such great speakers lined up for the API Workshop. Following their talks, we'll then enter the "workshop" part of the API Workshop. We will be looking at how to deliver some of the technologies which they cover - including Cloud-to-Ground integration (bridging using the SalesForce API), security for APIs (technologies such as OAuth 2.0 in action) and mobile (walking through how to build a mobile app accessing APIs which are exposed through an API Developer Portal). We'll also see HTML 5 WebSockets in action. Register for the API Workshop for free here, or click on the "Register Now" button below.

API Workshop, April 3, 2014 - Hotel NH - Utrecht - From 9:30 to 13:00


- Simon Redfern: CEO of TESOBE and founder of the Open Bank Project | "Bank as a platform, transparency as an asset. How the Open Bank Project enables an innovation ecosystem".

- Menno Abbink: Senior Enterprise Architect, Essent 
“Powering the Hybrid Cloud – How APIs enable Cloud to Ground IT Integration”

Mark O'Neill : VP Innovation, Axway. Former Vordel co-founder  | “Designing Secure APIs for B2B, Cloud, and Mobile"

Technical API Workshop:
·         Practical workshop walk-throughs showing how and why you can leverage and manage APIs as part of a strategic enterprise engagement strategy:
o    Understanding REST API Security - How to secure REST APIs: Where do OAuth 2.0 and API Keys fit in?
o    Deploying an API Developer Portal - Developer management, API Catalog, and self-registration for developer groups
o    Mapping Cloud identity to enterprise identity - How to enable Single Sign-On with Google ("Cloud Login") via APIs
o    See HTML 5 WebSockets in action for real-time web data - Full duplex streaming of data, for next-generation Web APIs
o    OAuth 2.0 to Microsoft Office365 and OneDrive - How to bridge identity to Microsoft Cloud services 
o    Design and deploy an Android mobile app using APIs  - Java walk-through of the process of calling mobile APIs

Registration is free, so...

API Workshop:

Keynote speakers:

Simon Redfern
CEO of TESOBE and founder of Open Bank Project

Menno Abbink
Senior Enterprise Architect,

Mark O'Neill
VP Innovation - Axway
(co-founder, Vordel, acquired by Axway)

3rd April 2014

Location :
Hotel NH - Utrecht
Jaarbeursplain, 24
3521 AR Utrecht
The Netherlands

09:30 - 13:00 (cocktail lunch)

Tuesday, March 18, 2014

Innovator spotlight: Essent using APIs to enable a Self-Service Portal and Mobile Apps, powered by Axway

Essent is the largest energy company in the Netherlands, and has a significant API deployment which powers a self-service portal as well as mobile apps. At our Axway API Workshop recently in Brussels, Menno Abbink, Senior Enterprise Architect in the CIO office at Essent, spoke about how their API program.

I'm pleased to say that now we are spotlighting Essent's API innovation in a case study on the Axway website. The case study is a free download, and here is an excerpt:
Today, Essent’s two million customers can manage their utility contracts online using the Customer Self-Service Portal. The portal contains about 140 web services, providing an end-to-end self-service capability.
The underlying web APIs can be reused as needed for other applications, enabling Essent to react quickly to market trends and launch its own marketing campaigns. Taking advantage of this, Essent runs a multitude of web-based apps for its marketing activities, all of which can use the same “API backplane” enabled by the Axway API Gateway.
“Four mobile applications are available within the iTunes App Store and Google Play,” said Abbink. “These apps use Axway API Gateway as a secure environment in which customers can log onto the back-end systems to retrieve and modify their information."
This is a leading-edge API deployment, which I encourage anyone interested in large scale API delivery to check out.

Update: Menno Abbink is speaking about Essent's API deployment at the API Workshop event in the Netherlands on 3 April. It's a free event so register if you're going to be in the area.

Tuesday, March 11, 2014

How to call an API which uses a Self-Signed Certificate, using the Axway API Gateway

The Axway API Gateway, as the name suggests, is often used as a gateway in front of APIs / Web Services. The connection to the API behind the API Gateway often is over SSL. If this connection uses a self-signed certificate (i.e. not VeriSign or another global CA), then how do you configure the trust for this connection?

The first step is to import the certificate into the "Certificates" section of Policy Studio. To do this, click on the "Create/Import" button, which you can see on the bottom of the screenshot below:

Once you've imported the cert, then you need to use it in a policy. In the example below, I have a simple routing policy which will route to a backend server over SSL. The first step is to use a "Static Router" filter in order to enter the backend server name (in this case "") and select the radio button which specifies that I'm connecting over SSL:

I then follow this with a "Connection" filter, and I make sure that the certificate which I imported earlier is checked under "Trusted Certificates", as shown below:

Now, I apply this policy to a path off the API Gateway. Because this policy applies to any relative path, I can call a path like "/myAPI" or "/myOtherAPI" on the API Gateway, and it will be routed to the backed server using the same path. That is all you need to do to connect to an API / Web Service over an SSL connection which uses a self-signed certificate. 

Friday, March 7, 2014

Cross-Domain Security: Not only for government anymore

Next Tuesday, March 11, there is another chance to catch the GovInfo Security webinar on "Solving the Identity and Access Problem Across Domains".

Although cross-domain security is often associated with government, it's also very relevant for other verticals such as healthcare. In healthcare for example, it's often important to use standards such as SAML to convey identity or attribute info across domains, while having privacy safeguards in place.

The webinar covers the role of the Gateway as an "Identity Bridge", which is an important architectural design pattern used to map identity and attributes across domains, taking into account the different security and identity technologies that may be used (SAML, Kerberos, OAuth, or proprietary tokens like SiteMinder or Oracle Access Manager).

Thursday, March 6, 2014

Two job postings for Axway API Gateway experts - one in Phoenix and one in New York City

Here are two new job postings looking for Axway API Gateway (Vordel) skills, one in Phoenix and one in New York City:

New York or Phoenix? Take your pick...

Wednesday, March 5, 2014

APIs - the Global Angle

I'm writing this from Sydney Airport, having just rounded out our seven-city Axway API Workshop tour of Australia and New Zealand, and gearing up for the world's longest commercial flight (Sydney to Dallas).

If there was any doubt that APIs are a global phenomenon, just take a look at the attendances the Axway API Workshops over the past 10 days. At Wellington yesterday we had to commandeer a breakout room because of the large audience, who were treated to Ben Kepes and an API case study from the New Zealand Customs Service. In Melbourne I watched the excellent presentations from ANZ Bank and Infosys from the "standing room only" area, seeing many nodding heads and ipad note-takers in front of me. Here is Peter Jarman from Infosys explaining "Why an API Gateway":

This tour makes me cast my mind back to last month, when I spoke with Mark Boyd (an Aussie in Barcelona) about the global nature of APIs. One of the interesting things is that an API is particularly suitable for organizations which address a global market. In a global environment, you require an API Portal which enables developers to self-register at any time of the day or night. It is not acceptable anymore to say to a developer "we only support you in business hours in one timezone". As Mark Boyd put it:
For businesses in markets like Australia and New Zealand and in the Nordic countries, public APIs enable greater participation in a global business marketplace, removing the barrier of time differences that in the past created delays to global business partnerships.
This global nature is one of the great values of APIs, and something especially to think about after talking to so many API practitioners on this Axway API Workshop tour of Australia and New Zealand over the past 10 days. I will have plenty of time to think about it as I board my transpacific flight now... ;-) 

Wednesday, February 26, 2014

Speaking at SOA Summit on "API Management: Architecture Best Practices" on Thurs 27 Feb

The SOA Summit is an online event which covers not only SOA, but API Management also. I'm speaking at the event on Thursday 27 February on the topics of API Management Best Practices, Security for APIs, the relationship between API Management and SOA Governance, and also on who APIs underpin the Internet of Things.

Registration for the SOA Summit is free here. The event starts on Thursday, February 27, 2014 at 10am Pacific/ 1pm Eastern.

Wednesday, February 19, 2014

Webinar this Thursday - Building your API Developer Portal to embrace the API Economy

An API Portal is one of the key architectural components of an effective API Management strategy, along with an API Gateway. They work together hand-in-hand. The API Portal allows developers to self-register and learn about your API, while the API Gateway is the "sharp edge" of your API Management solution, applying policies to API traffic in real-time.

Your APIs cannot be a "Field of Dreams" ("if we build it, they will come"). Instead, you must ensure that your API Portal is engaging, and facilitates developer self-service. This self-service starts right from the get-go, where you must allow developers to self-register:

As well as self-registering at the API Portal, developers must also be able to register their apps to use your APIs, and you must ensure that they have access to the APIs they need. Here we see how a developer has registered a mobile apps to consume APIs at an API Developer Portal:

Of course, unless your organization happens to be Axway itself, you will want to customize the API Developer Portal. I've written before about how to customize the Axway API Portal using its own API (yes, the Axway API Portal has an API of its own), using stylesheets and JSON. In this way, you can apply your own look and feel.

This Thursday I'll be presenting a Webinar about the API Portal, explaining how it fits within an overall API Management strategy, and walking through a practical example. I'll walk through the process whereby a developer discovers an API in the API Portal, and then uses it in an Android app. I'll walk through the Android example, showing what it means to consume an API using a mobile app. Registration is free - here is the sign-up URL:

Tuesday, February 18, 2014

Axway and Vordel - when good acquisitions become great acquisitions

When Axway purchased Vordel back in 2012, it kicked off an exciting chain of events. Personally, of course, as a founder of Vordel, it was exciting to see all our hard work pay off. Vordel was a pioneer of SOA Governance, and then API Management, with customers globally. SOA Governance and API Management are now called by Gartner "Application Services Governance", and in fact Gartner now names Axway as a leader in its Magic Quadrant for this area. That is down to a lot of hard work by our whole team, and a great vindication of Axway and Vordel coming together.

As well as being personally exciting, the acquisition also shook up the sector by kicking off a feeding frenzy of acquisitions, as one-by-one our competitors were acquired. Layer 7 was acquired by CA, and Mashery was acquired by Intel. The sector became a virtual game of musical chairs. Other vendors like 3Scale and Apigee then received more funding, when it became clear just how hot the space is.

As analysts such as Stefan Reid called it at the time, API Management links very naturally into Axway's portfolio of B2B and security products. APIs and B2B are coming together. In fact, Gartner has predicted that "by 2016, 50% of B2B transactions will use APIs". This perfectly positions Axway to cover both the new and the old - providing a path for businesses to leverage existing infrastructure to enter the API Economy. By linking APIs and B2B, we truly create "more than the sum of the parts". We mean it when we say that we "mean business" when it comes to APIs.

To address this exciting market, we've been adding greatly to the engineering team in Dublin. As Ireland's Minister for Jobs, Enterprise, and Innovation put it, this creation of an API Management center of excellence is a “clear indication of Ireland’s importance as a key location for technology companies to grow their business”. We now have more engineers working on our API Management technology than we ever had before as Vordel. Combined with the global reach of Axway sales, support, and marketing, that is a formidable team.

And it really is global. To put the global nature of our organization in focus, consider this: Next week we are running five API Workshops across Australia, with a key architect from ANZ Bank speaking, at the same time as we exhibit at the RSA Conference in California, speak about secure APIs for Healthcare at HIMSS in Florida, explain how APIs power the mobile app revolution at Mobile World Congress in Barcelona, and evangelize the API Economy online at the SOA Summit. It's an exciting time to be involved in API Management. The vision of Vordel carries on, in the larger organization of Axway, combined with B2B technology which provides organizations with a pathway from their current infrastructure through to embrace the API Economy. This is when good acquisitions become great acquisitions.