Monday, December 8, 2014

APIs, IoT, and Microservices at Gartner AADI 2014



Landed at Gartner AADI 2014 in Las Vegas and already the breakfast talk is of APIs, IoT, and Microservices. Of course, all are linked. As Gartner themselves have noted, IoT devices will be voracious consumers of APIs. Microservices can be seen as a useful step beyond the false dichotomy of REST and SOA.

Tomorrow I speak at 9.30am in room Octavius 7 on the topic of "APIs as the New Hybrid Integration Model". I'm aware how much hunger there is at events like this for real-life customer case studies. I will be talking about how organizations are taking advantage of APIs today (often for IoT), managing and securing those APIs, and making the leap to microservices.

Hope to see you here!

Monday, November 17, 2014

The Rise of the API Product Manager

At the API Workshop event in Dallas last Friday, Kevin Kohut from Accenture gave a fascinating talk to a packed room about how to embrace the API Economy. Here's a photo below of Kevin in action.



Kevin focused what it means to be "API First". He explained how it's different than "SOA First". In the world of SOA, the WSDL was the "contact", but not managed as a product. In "API First", the API is the "contract" but is also the product. Kevin quantified this in his "API First equation", which is:

  • "The API is the Contract" + "APIs are a product" = "API First".

Products need a product manager, and APIs are no different. We are starting to see the role of "API Product Manager" emerge. Innovators like Citi now have job postings for an API Product Manager. This person would, using API Management, manage the API lifecycle, calibrate rate plans and monetization, and ensure that APIs are aligned with clients.

There is another chance to hear Kevin speak about being "API First" at the API Workshop in Atlanta this Thursday, 20 November. And, if you're in the Boston area, Dun and Bradstreet will be speaking about their very successful API program at the API Workshop in Boston this Wednesday, 19 November. All are welcome, and I look forward to some great discussion on the new role of the API Product Manager in the "API First" world. 

Tuesday, November 4, 2014

DaaS: Hear how Dun & Bradstreet uses APIs for Data-as-a-Service at our API Workshop in Boston on Nov 19

For some companies, embracing the new digital world comes naturally. This is especially true of organizations where data is their main asset. Their business effectively becomes a platform, and they can deploy services to monetize that data to their clients. This is "Data-as-a-Service" (DaaS).

Dun and Bradstreet (D&B) is a great example of this trend. D&B has deployed the very success D&B Direct API which services a huge number of clients a day, serving data in a DaaS model.

I'm very pleased to say that Kamron Abtahi, who has the great title of "DaaS Engineer" at Dun and Bradstreet, will be speaking about the D&B Direct API at our API Workshop event in Boston on November 19.

As well as hearing all about DaaS at D&B, we'll also be walking through OAuth 5.0 and OpenID Connect to Office365, SAML SSO to SalesForce, mobile API scenarios, and HTML5 WebSocket communication. Come along if you're in the Boston area - it should be a really interesting session. Registration is free. 

(And yes, Boston-savvy folks will point out it's really in Cambridge not Boston :). But, close enough... )


Monday, November 3, 2014

How are APIs & SOA like Chipotle & Taco Bell? Find out at Accenture & Axway API Workshop event in Dallas on Nov 14

Though it seems like a long time ago now that we've had our first snow in Boston, it was just two weeks ago at Axway's "Connections" event in scorching Arizona where I saw Kevin Kohut present Accenture's API Maturity Model.


Kevin gave a very entertaining and insightful talk where he rounded on the common SOAP/REST debate, saying that "It's not about REST vs SOAP, but about API-driven vs SOA-driven" (kicking off a discussion on Twitter)

He also talked about what it means to be API First. He explained that "API First" means that:
  1. The API is the contract, and;
  2. APIs are a product 
In the world of SOA, it would have been unusual to find a "product owner" for a Web Service. But in the world of APIs, it is valuable to treat APIs like products in themselves, with owners. This advice from Kevin  resonated with many of the API practitioners present at Axway Connections.

One of the most memorable parts of Kevin's talk was about how APIs are like Chipotle while SOA was like Taco Bell. You'll have to come along to his talk at the API Workshop in Dallas on the morning of Nov 14 to find out how :) . We'll also be covering API scenarios such as OAuth SSO for Office365 APIs, Google SSO, mobile access via Angular.js, and integration with the SalesForce API.

Friday, October 10, 2014

Who's responsible when API Security incidents occur?

Of all the reaction to the latest Snapchat API security issue, the most striking is this exchange on Twitter between Snapchat itself and Sean Kerner. As Brian Honan has noted, this API security incident is not a "breach" according to the letter of the law. But stepping aside from this story for a moment, it is good to ask the question in general: "Who is responsible when an API Security incident occurs?"


Of course, as an API Gateway vendor, I'm bound to say this, but this issue could be avoided by having a dedicated API Security layer in place. In fact, in our "API Security Top 10" recently, Gunnar Peterson and I even mentioned Snapchat. Applying API Key management, throttling (per app, per IP address, per user) and alerting would have helped here. When a previous Snapchat API-related incident happened, I wrote a blog post about how API monitoring and rate-limiting at an API Gateway would have helped. It's hard not to write "I told you so" here, but API security incidents like this will only draw more and more attention to the requirement for an effective API Security layer.

Friday, September 26, 2014

CVE-2014-6271 / CVE-2014-7169 ("Shellshock")

Although it doesn't have a fancy logo or a website, CVE-2014-6271 / CVE-2014-7169 (AKA "Shellshock") has been making a lot of news lately. Axway (Vordel) customers can find out everything they need to know at this Knowledgebase article (requires support login).


Wednesday, September 17, 2014

Mobile backend with a Scottish twist - this Thursday in San Francisco

At our Axway API Workshops, we use an example of a mobile app using the API Gateway as a mobile backend. It happens that Thursday's API Workshop in San Francisco coincides with the Scottish independence vote, so the app we're using will have a Scottish theme...

In an instance of the Axway API Portal, I've configured a Scottish Voting API which simulates a voting API. The options, as in the real vote, are "Yes" and "No". 

As you can see in the screenshot below, I've configured API Key authentication for my Scottish Voting API. The API Portal has a handy "Try It" feature so that I can make test calls to the API, right from the API Portal (it's the "Try It" button on the right).


I've also registered an app at the API Portal, which will consume my Scottish Independence Vote API. Because the API is protected using API Keys, you can see that the API Portal issues an API Key to my app. In the API Workshop, we show how the mobile app makes use of this API Key to call the API, and how the Axway API Gateway enforces the API Key authentication. In the screenshot below, I've scribbled out the API Key in red:


There is also a quota applied to my app - it can send 100 messages every 1 second. When we look at the API traffic at the API Gateway later, we'll see that the remaining quota count is returned as a header to the app which calls the API.


Now let's look at the main app configuration. You can see its icon, plus the fact that it will access the Scottish Independence Vote API. 



Here's the app itself in action, on Android. You can see that I'm using the text from the vote itself ("Should Scotland be an independent country?").  The app calls the API which I've registered at the API Portal. It uses API Keys to authenticate.



The API Gateway shows the votes rolling in - as you can see below. It also shows any requests which are blocked for security or other reasons:



We can also see the API calling info over time, and zoom in on particular times to see more info:



And remember that quota I mentioned above? Here you can see the remaining quota information returned in a header, which is helpful information for the calling application:



That's how easy it is to use the API Gateway and API Portal as a mobile backend. Whatever the outcome of the Scottish vote on Thursday, I'm looking forward to walking through the Axway API Portal and API Gateway at the API Workshop in San Francisco this Thursday. Sign-up is free, hope to see you there.

Wednesday, September 10, 2014

The power of Real-Time APIs - Apple Watch and BMW

One of the most exciting parts of this week's Apple Watch launch was the example of the BMW watch app. This app allows you to see the charging status of your BMWi electric car, right from your wrist. You can also check the status of the doors of your car (important information such as if they are locked or not!). Although the star of the show was the watch app, APIs had a cameo appearance, since the information shown on the watch is fetched in real-time from APIs.


It happens that there is already an example of a watch app for BMIs cars, pulling data in real-time from APIs. If you want to find more about the underlying APIs, check out the Axway/IC-Consult webinar about how APIs power the connected car. As you can see below, not only are watch apps involved (in this case the Samsung Gear example), but also mobile apps.

The key is that the data is fetched in real-time via APIs to the watch. By the nature of a watch interface, a user does not want to be pressing buttons to get information, or to refresh data. This brings us to another announcement this week. Here at Axway, we released version 7.3 of our API Management solution. One of the key innovations is around real-time API delivery. We do this by embedding a messaging provider which, combined with HTML5 WebSockets, enables lightweight real-time API access to backend systems. This is ideal for the latest use cases including real-time financial information, real-time betting and gaming information, and, in the case of the Apple Watch and BMW, real-time Connected Car information.

The smart watch era promises to also be the real-time API era. Here at Axway we're very excited about this. 

Thursday, September 4, 2014

Top 10 Security Concerns for REST APIs - Webinar with Gunnar Peterson on September 18



Update: This webinar has taken place: but you can still catch the recording of the "Top Ten API Security Concerns" 

REST API Security has come a long way from being a case of "Just use SSL"... or has it? On September 18th at 11am US Eastern Time / 4pm UK, we're running a webinar with Gunnar Peterson on the Top 10 Security Issues for REST APIs.

One of the big criticisms of SOAP Web Services was the complexity of the security standards such as WS-Security, WS-Trust, WS-Policy, WS-PolicyAttachment... the list goes on. People wrote whole books about them ;-) . In the case of REST, it can worryingly seem like a case of the Wild West (the "Wild REST"). Now, there are standards such as OAuth, but also there are many conventions such as API Keys which are sometimes implemented insecurely. Even in the case of OAuth 2.0, the implementation itself must be secured. Look out for this, and more, in Gunnar's definitive Top 10. 

And because the topic of REST API Security is so hot, we're running the webinar twice :-) . If you're in the Asia-Pacific region, you can attend Gunnar's REST API Security webinar on Tuesday 23 Sept at 10am Hong Kong / 12 noon Sydney/Melbourne time. 

Thursday, August 28, 2014

The Value of API Monitoring and Analytics

API Monitoring and Analytics are a very important part of API Management, because they answer question "Who is using my APIs", as well as providing the basis for monetization of APIs.

In the Axway API Management solution, we provide web-based monitoring of APIs both in real-time and as reports. In the screenshot below, we see API Analytic in action, with information about API usage, and the ability to generate a PDF report:


An example of a generated PDF report is shown below. Everything is customizable.


You can also search for specific transactions in Analytics using drop-down forms as shown below:



You then see all of the information about the API call, including the steps as it passes through the API Gateway:


You can also see the time for each step, as shown below. This is very important for diagnosing why an API call might be taking a long time. Using Axway API Management, you can see all the dependencies exactly, and do a full root-cause analysis. If someone says "My mobile app is running slowly", you can see exactly why that is (e.g. a back-end server is running slow). Notice the times for each step in the Gateway shown below:



In the Traffic Monitor, you can also see the times for requests and responses:



In addition, it is common to single out certain information from API traffic and use this within analytics. For example, your API calls may contain a field called "Waybill number". You can isolate the value of this field using JSON Path (in the case of JSON) or XPath (in the case of XML). Then, you log it as a "custom attribute" in Policy Studio as show:

Now that you've singled out this "Waybill number" as a specific attribute, you can then search for it explicitly.

You can also set what exactly is logged, if you want to log for tools such as Splunk to crunch the data.

Wednesday, August 13, 2014

Are REST APIs Inherently Insecure? - Speaking at ISC2 in Atlanta in October

REST security is a hot topic. One of the reasons for this is the continued blowback from the over-complexity of the WS-* specifications. These specifications,  including WS-Security, WS-Trust, and WS-ReliableMessaging, and were notorious for being difficult to comprehend. In fact, people wrote whole books about Web Services Security :-) . One of the benefits of REST is simplicity. But, on the flipside, the lack of standards for security has led to the proliferation of ad-hoc security approaches such as the use of API Keys. API Keys are frequently used for API "authentication" often without much regard for potential attacks such as replay attacks.

But, by using an API Gateway approach, is it possible to layer on security for REST APIs? Could they (shock, horror) co-exist with heavyweight WS-* style SOAP web services? I'll be talking about this topic in my talk on "Are REST APIs Inherently Insecure" at the ISC2 Security Congress in October in Atlanta. Hope to see you there?



Tuesday, July 22, 2014

ViewDS and Axway - PEP/PDP interop using XACML for externalized authorization

Andrew Sciberras, the man with the most impressive mustache in Identity (until he shaved it off!), has written a very useful post on how Axway and ViewDS interop together using XACML to enable external authorization for SOA and APIs.

The interop announcement, which coincides with the Cloud Identity Summit in Monterrey, speaks about how customers can now leverage ViewDS and Axway together in order to create complex authorization rules. An example of such a rule would be "Only the patient or their doctor can access a medical record, or the patient's parents or guardians if the patient is under 18 years of age". These types of policies are particularly suited to XACML.

The overall architecture is shown below: