Incorporating OAuth: How to integrate OAuth into your mobile app

Launching a Successful and Secure API

The JSON-based Identity Protocol Suite

This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro. Authentication is normally a stateful service. Most of the implementations rely on the HTTP session, thus introducing state as the session is an in-memory data structure in the application server. In the microservices era, most of the companies are developing such called RESTful services, where one of the principles is to create stateless systems. In such scenario, authentication should be stateless too. There is a standard specification to secure web application and API's, that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation. And most of the existing ones depend on some sort of external storage (such as a DB) to store the tokens generated for a later validation. Fortunately, there is another specification by the IETF called JSON Web Token, that can be combined with OAuth 2 to achieve a stateless authentication system. In the session, Alvaro will explain the core concepts of OAuth 2, as well as JWT and how can them be used together to achieve the last 2 letters of REST: State Transfer.

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Alvaro Sanchez-Mariscal

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

Nov Matake

Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World

OAuth & OpenID Connect Deep Dive

SpringOne Platform 2016 Speaker: David Ferriera; Director, Cloud Technology, Forgerock Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.

An Authentication and Authorization Architecture for a Microservices World

VMware Tanzu

Single Sign On with OAuth and OpenID

Gasperi Jerome

Introducing Open APIs and the security risks involved and the great rewards that can be reaped. Going through the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack and how Twitters API has been used to analyse Twitter use in Sweden. Lightning talk from Øredev 7 november 2013 in Malmö Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.

Open APIs - Risks and Rewards (Øredev 2013)

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

CloudIDSummit

Mit 2014 introduction to open id connect and o-auth 2

Justin Richer

OpenID Connect 1.0 Explained

Eugene Siow

Integrated social solutions, the power and pitfalls of mashups

With the proliferation of cloud applications, mobile devices, and the need to connect to external users, IT organizations are increasingly challenged with how to manage and gain transparency into user access to systems and applications. As your organization looks to deploy Identity in the cloud, it’s critical that this is backed by open-standards. In this webinar, Chuck Mortimore, Pat Patterson, and Ian Glazer will give you a broad overview of how OpenID Connect can help better connect you with your customers, partners, apps, and devices Key Takeaways Get introduced to OpenID Connect, learn how it builds on top of OAuth, and discover why it’s an important new standard for your organization Consume OpenID Connect from popular Identity providers with Social Sign-On Provide a single, branded Identity to your own users and applications using OpenID Connect Use OpenID Connect to easily build Identity-enabled mobile applications Plan for the next generation of connected devices Intended Audience This webinar is aimed at a technical audience of administrators, developers, architects and business analysts who are wishing to learn more about Identity and Standards

OpenID Connect: The new standard for connecting to your Customers, Partners, ...

Salesforce Developers

OpenID Connect 101 @ OpenID TechNight vol.11

Nov Matake

Understanding OpenID

Prabath Siriwardena

OpenID Connect - An Emperor or Just New Cloths?

Oliver Pfaff

Designing an API

Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

LASCON 2017: SAML v. OpenID v. Oauth

Mike Schwartz

Was ist angesagt? (20)

Incorporating OAuth

Launching a Successful and Secure API

The JSON-based Identity Protocol Suite

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World

OAuth & OpenID Connect Deep Dive

An Authentication and Authorization Architecture for a Microservices World

Single Sign On with OAuth and OpenID

Open APIs - Risks and Rewards (Øredev 2013)

CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect

Mit 2014 introduction to open id connect and o-auth 2

OpenID Connect 1.0 Explained

Integrated social solutions, the power and pitfalls of mashups

OpenID Connect: The new standard for connecting to your Customers, Partners, ...

OpenID Connect 101 @ OpenID TechNight vol.11

Understanding OpenID

OpenID Connect - An Emperor or Just New Cloths?

Designing an API

LASCON 2017: SAML v. OpenID v. Oauth

Andere mochten auch

Securing RESTful APIs using OAuth 2 and OpenID Connect

Jonathan LeBlanc

What is API's

John Pereless

DevSecOps in Baby Steps

Priyanka Aash

Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...

Leonard Moustacchis

DDD Melbourne 2014 security in ASP.Net Web API 2

Pratik Khasnabis

SCIM presentation from CIS 2012

Token Based Authentication Systems with AngularJS & NodeJS

Hüseyin BABAL

Tao of security science

Threat protection and application access controls are key security mechanisms that protect APIs when exposed to internal or external users and developers. In this technical deep-dive webcast, Apigee's security team, led by Subra Kumaraswamy, will discuss API threats and the protection mechanisms that every API and app developer must implement for safe and secure API management. This webcast will cover: - the API threat model - how to design and implement appropriate guardrails for API security using build-in policies and configuration - a demo of Apigee Edge threat protection features, including TLS encryption, XML/JSON/SQL injection attacks, and rate limiting Whether you're an IT security architect or an API or app developer, this webcast will help you understand secure API management. Download Podcast: http://bit.ly/1biiJQS Watch Video: http://youtu.be/ffs35w1RYRI

API Security and Management Best Practices

CA API Management

Deep-Dive: Secure API Management

Apigee | Google Cloud

OpenID is a new way to identify yourself all over the web. With your own personal OpenID you can login to any OpenID-enabled site (there are over 1,000 of them and that number is growing everyday) and identify yourself as you. This is a short by-example talk about OpenID, what it does and can provide for your website. The talk includes a sample implementation in perl. (talk given at Belgian Perl Workshop, 27 November 2007)

OpenID Authentication by example

Chris Vertonghen

Introduction to DevSecOps on AWS

As OPNFV's mission is to create a carrier-grade, integrated reference platform built from open source components we are constantly facing with the difficulties these dependencies cause us. We see CI/CD & DevOps to be a solution to our challenges by providing a foundation for developing, integrating and testing OPNFV faster and more efficient through the release cycles. It is crucial for OPNFV and the ecosystem we are building the underlying upstream projects to find the best way to realize the principles and best practices of these methodologies to reduce the impacts caused by the integration work and be able to provide fast feedback to other communities and a stable platform to our users release by release. This presentation will discuss the importance of CI/CD and DevOps from end user, vendor, and upstream project perspectives and talk about the expectations on us, challenges we are facing, our experiences, and plans about CI/CD & DevOps for OPNFV.

Json web token api authorization

Giulio De Donato

Summit 16: CI/CD and DevOps

OPNFV

APIs have become a strategic necessity for your business. They facilitate agility and innovation. However, the financial incentive associated with this agility is often tempered with the fear of undue exposure of the valuable information that these APIs expose. With data breaches now costing $400m or more, senior IT decision makers are right to be concerned about API security. In this SlideShare, you'll learn: -The top API security concerns -How the IT industry is dealing with those concerns -How Anypoint Platform ensures the three qualifications needed to keep APIs secure

Best Practices for API Security

MuleSoft

Securing the container DevOps pipeline by William Henry

Justin collins - Practical Static Analysis for continuous application delivery

With new tools like Angular.js and Node.js, it is easier than ever to build User Interfaces and Single-Page Applications (SPAs) backed by APIs. But how to do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky. In this presentation, Robert Damphousse, lead front-end developer at Stormpath, covers web browser security issues, technical best practices and how you can mitigate potential risks. Enjoy! Topics Covered: 1. Security Concerns for Modern Web Apps 2. Cookies, The Right Way 3. Session ID Problems 4. Token Authentication to the rescue! 5. Angular Examples

Building Secure User Interfaces With JWTs (JSON Web Tokens)

Stormpath

DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...

Who’s Knocking? Identity for APIs, Web and Mobile

Find out how today’s authorization experts are getting maximum value from OAuth OAuth has quickly become the key standard for authorization across mobile apps and the Web. But are you getting the most out of OAuth? Join Mehdi Medjaoul, Co-Founder & Executive Director of Webshell – the company behind OAuth.io – and Scott Morrison, former CTO of Layer 7 and now Distinguished Engineer at CA Technologies, as they discuss how authorization experts are really using OAuth today.

Andere mochten auch (20)

Securing RESTful APIs using OAuth 2 and OpenID Connect

What is API's

DevSecOps in Baby Steps

Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...

DDD Melbourne 2014 security in ASP.Net Web API 2

SCIM presentation from CIS 2012

Token Based Authentication Systems with AngularJS & NodeJS

Tao of security science

API Security and Management Best Practices

Deep-Dive: Secure API Management

OpenID Authentication by example

Introduction to DevSecOps on AWS

Json web token api authorization

Summit 16: CI/CD and DevOps

Best Practices for API Security

Securing the container DevOps pipeline by William Henry

Justin collins - Practical Static Analysis for continuous application delivery

Building Secure User Interfaces With JWTs (JSON Web Tokens)

DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...

Who’s Knocking? Identity for APIs, Web and Mobile

Ähnlich wie Incorporating OAuth: How to integrate OAuth into your mobile app

OAuth in the Real World featuring Webshell

CA API Management

Identity 2.0 and User-Centric Identity

Oliver Pfaff

AT&T 2012 DevLab Speech API Deep Dive

Michael Owens

You have already started connecting your devices to AWS IoT. You can control them from the cloud. And you can collect, store and analyse data from all your devices in the cloud. So far so good, but you now need to build an architecture that will serve millions of users and devices concurrently. In this session, Jan will explain how you can build a real world IoT architecture that serves millions of devices. The talk will focus on user and device onboarding, device and user access management, message exchange and end user access to live and historical data stored in the cloud. Learning objectives: - Learn simple steps to build a real-world IoT architecture that serves millions of devices - Understand how to onboard and manage users and IoT devices and to access live and historial data in the cloud

3 Easy Steps to Building Large-Scale IoT Architectures

Best Practices of IoT in the Cloud

AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This webinar will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, as well as integrate devices with other AWS services to create secure solutions. Learning Objectives: • Common IoT Thing Management Issues • Learn about AWS IoT Security and Access Control Mechanisms • Build Secure interactions with the AWS Cloud Who Should Attend: • Technical Decision Makers, Developers, Makers

Best Practices for IoT Security in the Cloud

Presented at APIdays Paris. API security is the principal concern when it comes to establishing a trusted API ecosystem. Rightly so, because opening up business systems through APIs by definition expands the attack surface that can be exploited. Although many threat vectors and vulnerabilities are well known, we have to remain on the lookout for new threats continuously. On the positive side, open standards that help defend against security threats are constantly being created and refined. What is even more helpful are the specifications that aggregate relevant standards into a comprehensive API security profile. Excellent examples of these are the current specifications that support open banking initiatives like UK Open Banking and PSD2. Could these specifications not have a wider applicability? In other words, would we be able to benefit from the security guidelines captured in these specifications in other verticals like logistics, retail, energy, healthcare and government, too? In this talk, we will compare security guidelines covered in the specifications and see to what extent they may benefit the wider enterprise API developer community.

Leveraging open banking specifications for rigorous API security – What’s in...

Rogue Wave Software

https://www.hackmiami.com/hmc5-speakers-day-2 OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc support it and you are probably thinking of implementi ng OAuth for your product/platform.We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely. When you use OAuth, there are three pieces - The Platform , the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications built on a OAuth platform which can lead to complete account takeover, how they can be a security engineer's nightmare, and how to fix them. We will go over security controls that the platform can put in place to help mitigate security vulnerabilities. We will also cover how bad design decisions, if chained with otherwise lower risk vulnerabilities can result in gaping holes in your OAuth implementation. You will leave this session with a deep understanding of how OAuth implementation should be secured both for a platform and in an application and things to test for during a security evaluation of OAuth implementations.

Oauth Nightmares Abstract OAuth Nightmares

Nino Ho

Best Practices for IoT Security in the Cloud

In this session, attendees will learn how to secure JSR-168 Portlets using the latest version of Acegi Security, called Spring Security 2.0. The 2.0 release of Spring Security includes new support for JSR-168 Portlet development. In this session we'll cover how the Acegi security model translates into the Portlet world, show how to configure the authentication provider for JSR-168 Portlets, and discuss the special interceptors for processing Portlet requests and for storing the security context in the Portlet session. Finally we'll show how Portlets and Servlets in the same webapp can share security context, which allows for secure AJAX calls and dynamic images from within Portlets.

Securing Portlets With Spring Security

John Lewis

Best Practices for IoT Security in the Cloud

ConSol Consulting & Solutions Software GmbH

Soa And Web Services Security

ConSanFrancisco123

Reply Webinar Online - Mastering AWS - IoT Advanced

Andrea Mercanti

Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...

CA API Management

Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...

JoAnna Cheshire

RoadSec 2017 - Trilha AppSec - APIs Authorization

Erick Belluci Tedeschi

App Security with Keycloak and Quarkus

Lightweight Zero-trust Network Implementation and Transition with Keycloak an...

Hitachi, Ltd. OSS Solution Center.

Swiss Cyber Storm 3 Security Conference / OWASP Track Strong Authentication: State of the Art 2011 Risk Based Authentication Biometry - Match on Card OTP for Smartphones OTP SMS PKI SuisseID Mobile-OTP OATH (HOTP, TOTP, OCRA) Open Source approach How to integrate Strong Authentication in Web Application? OpenID, SAML, Identity Federation for Strong Authentication API, SDK, Agents, Web Services, Modules PAM, Radius, JAAS Reverse Proxy (WAF) and WebSSO PKI / SSL client authentication PHP example with Multi-OTP PHP class AppSec (Threat Modeling - OWASP)

Strong Authentication in Web Application #SCS III

Sylvain Maret

AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. This tech talk will introduce the best practices for IoT Security in the cloud and the access control mechanisms used by AWS IoT. These mechanisms can be used to not only securely build and provision devices, but also to integrate devices with other AWS services to create secure solutions. Learning Objectives: • Learn common Internet of Things security issues • Learn about AWS IoT security and access control mechanisms • Learn how to build secure interactions with the AWS Cloud

Best Practices with IoT Security - February Online Tech Talks

A presentation given by Todd Kerpelman, Developer Advocate at Plaid, at our 2024 Austin API Summit, March 12-13. Session Description: Have you ever thought about building your own chatbot to help developers be more successful using your APIs? Well, we made one for Plaid’s documentation site, and in this talk, I’ll cover some of the things we learned! This presentation will cover topics like: – How does it work? What does it mean to “train” a bot on your docs? – Setting appropriate expectations: Do you still need to write documentation? Do you still need a support team? – The trade-offs around building your own vs. buying a 3rd party solution – Some decisions around the underlying tech – How to build a decent “conversational mode” so you can ask follow-up questions – How you evaluate the quality of a chatbot, and some surprises we ecountered along the way – What do you do when things go wrong? – Security considerations And much more! Actually, probably not that much more. That already sounds like a lot.

Ähnlich wie Incorporating OAuth: How to integrate OAuth into your mobile app (20)

OAuth in the Real World featuring Webshell

Identity 2.0 and User-Centric Identity

AT&T 2012 DevLab Speech API Deep Dive

3 Easy Steps to Building Large-Scale IoT Architectures

Best Practices of IoT in the Cloud

Best Practices for IoT Security in the Cloud

Leveraging open banking specifications for rigorous API security – What’s in...

Oauth Nightmares Abstract OAuth Nightmares

Best Practices for IoT Security in the Cloud

Securing Portlets With Spring Security

Best Practices for IoT Security in the Cloud

Soa And Web Services Security

Reply Webinar Online - Mastering AWS - IoT Advanced

Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...

Microservices Architectural Maturity Matrix, Token Based Authority, API Gatew...

RoadSec 2017 - Trilha AppSec - APIs Authorization

App Security with Keycloak and Quarkus

Lightweight Zero-trust Network Implementation and Transition with Keycloak an...

Strong Authentication in Web Application #SCS III

Best Practices with IoT Security - February Online Tech Talks

Mehr von Nordic APIs

How I Built Bill, the AI-Powered Chatbot That Reads Our Docs for Fun , by Tod...

A presentation given by David Biesack, Chief API Officer at Apiture, at our 2024 Austin API Summit, March 12-13. Session Description: API Design is truly an art. While ChatGPT can spit out seemingly detailed APIs, there is still much to be said for well-crafted, consistent APIs designed by organic intelligence, in a broader context, with the consumer and Developer Experience in mind. A good (or dare we dream, great) Developer Experience (DX) is an important aspect of API design and the success of your API program. Attendees will grok the interplay of API design, patterns, and language constraints and limitations. See how and why artful API Design Matters to DX and "good" API outcomes, and why fluency in the myriad languages of APIs matters. Learn how choosing guiding principles can shape all your APIs for success. Learn how to stay relevant as an API designer when the API generating robots are breathing down your neck.

The Art of API Design, by David Biesack at Apiture

A presentation given by David Brossard, CTO at Axiomatics, at our 2024 Austin API Summit, March 12-13. Session Description: So you've just built your cool new API and figured out the authentication part. You're even using OAuth for access delegation, scopes, and claims. So, you're good, right? Well what about fine-grained authorization? What about OWASP's #1 security threat, broken access control? How do you handle that? Maybe you need an authorization framework to help with that. But which one? Is ABAC the way to go? Policies? Graphs? In this presentation, we'll give you the tools to understand what authorization for APIs entails, what options you have, and how to successfully implement a secure authorization strategy for your APIs. We will cover approaches such as ALFA, ReBAC, and Zanzibar and illustrate with a live demo.

ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs? by Dav...

A presentation given by Budhaditya Bhattacharya, Developer Advocate at Tyk, at our 2024 Austin API Summit, March 12-13. Session Description: APIs and microservices are powering domain-driven design architectures and have become the fabric of modern cloud-native applications. However, focusing on technology isn't enough - there is a need for a synergy between people, processes, and tools. Based on the CNCF platform maturity model, we will look to bridge the gap between an org's current and desired platform maturity level when creating cloud-native API platforms. We'll discuss: 1. The platform team model - team topologies and key roles for developing internal API platforms 2. Processes like platform discovery, jobs-to-be-done analysis, and continuous feedback loops to understand and meet developer needs 3. Applying a "platform as a product" mindset to measure and communicate platform success 4. Architecting for discoverability, security, observability and integration capabilities 5. The role of technologies like service meshes, API gateway, identity management, internal developer portals and OpenAPI specifications

Crafting a Cloud Native API Platform to Accelerate Your Platform Maturity - B...

A presentation given by Markus Müller, CTO at APIIDA, at our 2024 Austin API Summit, March 12-13. Session Description: In an era where digital transformation is pivotal, the management and governance of APIs have emerged as critical components in the technological infrastructure of businesses. "The Federated Future: Pioneering Next-Gen Solutions in API Management" is a forward-looking talk that delves into the evolving landscape of API governance, with a particular focus on Federated API Management as a groundbreaking approach. Over the course of this presentation, we will explore the paradigm shift from traditional, centralized API management towards a more dynamic, federated model. This approach not only offers scalability and flexibility but also fosters innovation by enabling diverse teams to collaboratively manage APIs while adhering to consistent governance policies. Key topics include: - The current challenges in API governance and how federated management addresses these. - The principles and architecture of Federated API Management, distinguishing it from traditional models. - Real-world implications of adopting a federated approach, including case studies that illustrate its transformative impact on businesses. - Strategies for implementing Federated API Management, focusing on best practices for seamless integration. - The future outlook of API governance, anticipating emerging trends and technologies.

The Federated Future: Pioneering Next-Gen Solutions in API Management - Marku...

A presentation given by Aldo Pietropaolo, Director of Solutions Engineering at SGNL, at our 2024 Austin API Summit, March 12-13. Session Description: Securing APIs and ensuring you are protected from threats by implementing authentication and authorization while keeping the request context intact can be challenging. This session will show us how to leverage SGNL, Curity, and the Kong API Gateway to protect fictitious patient records. The session will be a technical session focused on the architecture and integration points for implementing continuous access management.

API Authorization Using an Identity Server and Gateway - Aldo Pietropaolo, SGNL

A presentation given by Rob Dickinson, VP of Engineering at Graylog, at our 2024 Austin API Summit, March 12-13. Session Description: Discovering the attack surface presented by your APIs is the first step to improving API security. But APIs are fundamentally dark and constantly changing, which presents serious challenges for security teams trying to assess and manage new risks. There are several reasonable ways to perform API discovery, but each has its own tradeoffs and implications about what is actually being counted. This talk covers taking an API discovery program from start to best-of-breed, and strategies for measuring and monitoring your API attack surface.

API Discovery from Crawl to Run - Rob Dickinson, Graylog

A presentation given by Derric Gilling, CEO of Moseif, at our 2024 Austin API Summit, March 12-13. Session Description: The talk would target product owners looking to turn APIs into revenue centers. Specifically, how to price and package APIs, different strategies around prepaid, postpaid, and PAYG billing, and how to choose the right metric to charge, etc. Then, we’ll chat on the go-to-market to drive developer adoption.

Productizing and Monetizing APIs - Derric Gilling, Moseif

A presentation given by Ruben Sitbon, Lead Solutions Architect at Sipios, at our 2024 Austin API Summit, March 12-13. Session Description: ChatGPT has been a tidal wave, changing forever the way people and companies perceive the value of Artificial Intelligence. Many startups have launched products with ChatGPTI at its core, innovative SaaS players have all integrated Generative AI extensions or plugins, but it is now clear that users will be expecting more and more Generative AI to boost the features of products they use on a daily basis. In this talk, I will describe how a framework relying on Generative AI in-house APIs that allows: - Easily « boosting » any product feature with Generative AI - Improving the answers through a « trainer API » that allows experts to improve the accuracy and tone of the model - Bundling security and continuous compliance in the APIs to enjoy the benefits even within risk averse large corporates.

Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Sipios

A presentation given by Ankita Gupta, Co-Founder and CEO, Akto.io, at our 2024 Austin API Summit, March 12-13. Session Description: In this session, I will talk about API security of LLM APIs, addressing key vulnerabilities and attack vectors. The purpose is to educate developers, API designers, architects and organizations about the potential security risks when deploying and managing LLM APIs. 1. Overview of Large Language Models (LLMs) APIs 2. Understanding LLM Vulnerabilities: - Prompt Injections - Sensitive Data Leakage - Inadequate Sandboxing - Insecure Plugin Design - Model Denial of Service - Unauthorized Code Execution - Input attacks - Poisoning attacks 3. Best practices to secure LLM APIs from data breaches I will explain all the above using real life examples.

Security of LLM APIs by Ankita Gupta, Akto.io

A presentation given by Katie Paxton-Fear, API Security Educator, Traceable AI, at our 2024 Austin API Summit, March 12-13. Session Description: Have you ever wanted to be the villain or anti-hero? In this talk, we'll cover how to hack APIs, with permission, of course. First, we'll look at the tools of the trade for API hackers, some of the most common security vulnerabilities and how we test for them, and finally, I'll tell some of my API hacking stories. The aim of the session will be to learn a little API hacking and encourage people to have a go at API hacking themselves. Participants will also join me as I hack live, giving suggestions for the next steps, for an interactive and engaging session.

I'm an API Hacker, Here's How to Go from Making APIs to Breaking Them - Katie...

A presentation given by Kishore Banala, Senior Software Engineer, Netflix, at our 2024 Austin API Summit, March 12-13. Session Description: Extend the advantages of GraphQL beyond the UI layer by creating data streams that seamlessly transfer data from Federated GraphQL to your preferred destination. This presentation explores the myriad use cases that can be unleashed, such as Search, Analytics etc., sparing you from the complexity of extensive ETL jobs. Join us for an in-depth exploration of the advantages that arise from seamlessly connecting GraphQL with data streams, opening new dimensions of efficiency and capability.

Unleashing the Potential of GraphQL with Streaming Data - Kishore Banala, Net...

A presentation given by Gareth Jones, API Architect at Microsoft, at our 2024 Austin API Summit, March 12-13. Session Description: Didn't the API description wars end in 2017 when we all agreed that OAS was the way forward? Yes, and yet how satisfied with your API descriptions are you? Are they thousands of lines of hard to read yaml or JSON? When someone makes a change, is it easy to review for correctness and completeness? Do visual tools make this easier? Do they support change management? I'll make the case that the next generation of more abstract DSLs for defining APIs such as Smithy from Amazon and TypeSpec, open sourced by Microsoft, move us back to a more intentional approach to design and give us the opportunity to highlight the business characteristics that matter most at design-time.

Reigniting the API Description Wars with TypeSpec and the Next Generation of...

A presentation given by James Higginbotham, Executive API Consultant, LaunchAny, at our 2024 Austin API Summit, March 12-13. Session Description: Building and growing an API platform takes more than building and organizing your APIs. It requires understanding the needs of your ecosystem, establishing lightweight processes that drive discoverability, providing the resources for self-service enablement, and delivering a federated API coach program to scale your efforts. This talk will explore the practices and patterns implemented by global organizations that will help your API ecosystem shift from a functional program to a transformational API platform.

Establish, Grow, and Mature Your API Platform - James Higginbotham, LaunchAny

A presentation given by Adrienne Moherek, Developer Experience Technical Leader, Cisco, at our 2024 Austin API Summit, March 12-13. Session Description: Heard of suss? You can suss out more information or you can find someone’s information to be suss. “Suss” shows the flexibility of language. It’s an ongoing process to change how we use certain words. It’s important to choose words carefully to convey the correct meaning and avoid harmful subtext or exclusion. Let’s explore some of the tools and triage methods that it takes from an engineering viewpoint to make bias-free choices. How can you ensure that biased words do not sneak into code, UI, docs, configurations, or our everyday language? First, let’s walk through how to take an inventory of assets from code to config files to API specifications to standards. Next, by placing those findings into categories, prioritize the work to substitute with inclusive alternatives. Let’s examine some examples using both API and code assets. Next is a demonstration of how to automate analyzing your source code or documentation with a linter, looking for patterns based on rules that are fed into the tool. What’s in the future for these efforts? Inclusive language should expand beyond English and North America efforts. To do so, let’s organize the work with automation tooling, as engineers do.

Inclusive, Accessible Tech: Bias-Free Language in Code and Configurations - A...

A presentation given by Bill Doerrfeld, Editor in Chief of Nordic APIs, at our 2024 Austin API Summit, March 12-13. Session Description: As it turns out, making a hit API is a lot like making a hit music album. You have to find a niche, you need good naming, and you need quality content. Also, on the production side, design, style, experience, and collaboration all matter a lot. At the end of the day, both are products, requiring the right management tools, marketing know-how, and infrastructure to scale. In this SXSW-inspired opening keynote, I'll look into the parallels between the two endeavors, providing a fun and informative look into specific things API providers should be considering on their journey toward becoming API platform rockstars.

Going Platinum: How to Make a Hit API by Bill Doerrfeld, Nordic APIs

A presentation given by Raghavan Sadagopan, Sr. Director from CapitalOne & Lakshmi Narayana, Sr. Lead Software Engineer from CapitalOne, at our 2024 Austin API Summit, March 12-13. Session Description: Managing Risk is critical to the success of an organization. Managing Risks starts with identifying potential Risks which in the digital world are signals emanating from varying source systems. Identifying potential risks real-time enables organizations to mitigate / better prepare for potential exposures. The session will share our point of view on implementing an API centric event mesh architecture that routes events in real-time through a scalable and resilient cloud-native service on AWS.

Getting Better at Risk Management Using Event Driven Mesh Architecture - Ragh...

A presentation given by Paul Dumas, Senior Director Analyst at Gartner, at our 2024 Austin API Summit, March 12-13. Session Description: GenAI will be, well, generating APIs. We are entering the era where software creates software. It will develop APIs faster than humans are capable of. Humans cannot compete with this compute power. How do we marshal this power, govern what it produces, and leverage it to support our business objectives and strategies? We will become more dependent on the capabilities we have as humans that elude machines. This talk provides insight to software leaders about the challenges of leading and managing this new software development power. The key lies in skills that are unique to humans: foresight, intuition, and agility.

GenAI: Producing and Consuming APIs by Paul Dumas, Gartner

A presentation given by Joe Furbee, Developer Advocate and Developers Communities Manager at SAS Institute, at our 2024 Austin API Summit, March 12-13. Session Description: Sure, we could have hired someone to (re)create our developer portal, developer.sas.com. However, we wanted the freedom to build our portal from the ground up. But, it takes more than an API architect and a developer advocate to create a modern, interactive developer experience. This session provides an overview of the steps we took to relaunch the SAS AI and analytics platform developer portal. Who was involved? How did we accomplish what we wanted to build? We’ll explore the stakeholders involved, the importance of open-source technologies, and why focusing on the developer’s perspective matters. This is not a marketing pitch to promote SAS services. Instead, it’s a detailed look at the process we followed to deploy our new developer portal.

The SAS developer portal –developer.sas.com 2.0: How we built it by Joe Furb...

A presentation given by Vidhya Arvind, Staff Software Engineer, Netflix, at our 2024 Austin API Summit, March 12-13. Session Description: At Netflix, Data abstraction plays a pivotal role in hosting 100s of use cases that scale, they are widely adopted and depended on by mission-critical systems. In this talk, I show how to design reliable APIs and layout data for Key-Value services for petabyte-scale datasets. Key-value service uses a control plane and data plane to abstract the data, uses some novel techniques to reliably store and safely scale the service to 100s of instances.

How Netflix Uses Data Abstraction to Operate Services at Scale - Vidhya Arvin...