Using data storage and access methods — like VSAM, IDMS, IMS, DB2, Oracle, and ADABAS — to store and rapidly access data through mission and business-critical applications are written in COBOL, Assembler, Fortran, ADS, RPG, and Natural, these business giants now find themselves unable to stay on the cutting edge in terms of speeding delivery of innovative digital channels and applications.
When you have legacy systems and must cater to customers and prospects that are heavily reliant on digital services delivered via mobile or Web, you need to find a way to close that gap between old technology and modern demands. The answer is microservices.
This is a continuation of my series, "What I don't want to hear anymore." This time around is APIs. A subject that reoccurs from time to time, even if the buzz has decreased a little. Nevertheless, the literature, which is very prolific on the subject, has obviously not motivated everyone to learn and frame their APImManagement projects.
This week, Kubernetes API server was found vulnerable to the Billion laughs attack, NIST has opened their Zero Trust Architecture guidelines for commenting, and VS Code OpenAPI extension got an update with API Contract Security Audit built-in.
This week, we take a look at Harbor’s API vulnerability, the flawed architecture of CRUD-based apps, PSD2 effect on API security, and API security tooling.
GraphQL and REST are two specifications used when building APIs for websites to use. REST defines a series of unique identifiers (URLs) that applications use to request and send data. GraphQL defines a query language that allows client applications to specify precisely the data they need from a single endpoint. They are related technologies and used for largely the same things (in fact, they can and often do co-exist), but they are also very different.
That’s a little dry, eh? Let’s explain it a much more entertaining way that might help you understand better, and maybe just get you a little excited about GraphQL!
🍹 You’re at a cocktail mixer
You’re attending this mixer to help build your professional network, so naturally, you want to collect some data about the people around you. Close by, there are five other attendees.
Their name tags read:
Richy REST
Friend of Richy REST
Employer of Richy REST
Georgia GraphQL
Being the dynamic, social, outgoing animal that you are, you walk right up to Richy REST and say, "Hi, I’m Adam Application, who are you?" Richy REST responds:
{
name: "Richy REST",
age: 33,
married: false,
hometown: "Circuits-ville",
employed: true
// ... 20 other things about Richy REST
}
"Whoa, that was a lot to take in," you think to yourself. In an attempt to avoid any awkward silence, you remember Richy REST specifying that he was employed and ask, "Where do you work?"
Strangely, Richy REST has no idea where he works. Maybe the Employer of Richy Rest does?
You ask the same question to the Employer of Richy REST, who is delighted to answer your inquiry! He responds like so:
{
company: "Mega Corp",
employee_count: 11230,
head_quarters: "1 Main Avenue, Big City, 10001, PL"
year_founded: 2005,
revenue: 100000000,
// ... 20 other things about Richy REST Employer
}
At this point, you’re exhausted. You don’t even want to meet the Friend of Richy Rest! That might take forever, use up all your energy and, you don’t have the time.
However, Georgia GraphQL has been standing there politely, so you decide to engage her.
"Hi, what’s your name?"
{
name: "Georgia GraphQL"
}
"Where are you from, and how old are you?"*
{
hometown: "Pleasant-Ville",
age: 28
}
"How many hobbies and friends do you have and what are your friends' names?"
Georgia GraphQL is incredible, articulate, concise, and to the point. You 100% want to swap business cards and work together on future projects with Georgia.
This anecdote encapsulates the developer's experience of working with GraphQL over REST. GraphQL allows developers to articulate what they want with a tidy query and, in response, only receive what they specified. Those queries are fully dynamic, so only a single endpoint is required. REST, on the other hand, has predefined responses and often requires applications to utilize multiple endpoints to satisfy a full data requirement.
Metaphor over! Let’s talk brass tacks.
To expand further upon essential concepts presented in the cocktail mixer metaphor let’s specifically address two limitations that often surface when using REST.
1. Several trips when fetching related resources
Data-driven mobile and web applications often require related resources and data sets. Thus, retrieving data using a REST API can entail multiple requests to numerous endpoints. For instance, requesting a Post entity and related Author might be completed by two requests to different endpoints:
Multiple trips to an API impacts the performance and readiness of an application. It is also a more significant issue for low bandwidth devices (e.g. smart-watches, IoT, older mobile devices, and others).
2. Over-fetching and under-fetching
Over/under-fetching is inevitable with RESTful APIs. Using the example above, the endpoint domainName.com/posts/:id fetches data for a specific Post. Every Post is made up of attributes, such as id, body, title, publishingDate, authorId, and others. In REST, the same data object always gets returned; the response is predefined.
In situations where only a Post title and body are needed, over-fetching happens — as more data gets sent over the network than data that is actually utilized. When an entire Post is required, along with related data about its Author, under-fetching gets experienced — as less data gets sent over the network than is actually utilized. Under-fetching leads to bandwidth overuse from multiple requests to the API.
Client-side querying with GraphQL
GraphQL introduces a genuinely unique approach that provides a tremendous amount of flexibility to client-apps. With GraphQL, a query gets sent to your API and precisely what you need is returned — nothing more and nothing less — in a single request. Query results are returned in the same shape as your query, ensuring that response structures are always predictable. These factors allow apps to run faster and be more stable because they are in control of the data they get, and not the server.
"Results are returned in the same shape as queries."
/* Query */
{
myFriends(first: 2) {
items {
name
age
}
}
}
Now, at this point, you probably think GraphQL is as easy as slicing warm butter with a samurai sword. That might be the reality for front-end developers — specifically developers consuming GraphQL APIs. However, when it comes to server-side setup, someone has to make the sausage. Our friend Georgia GraphQL put in some hard work to become the fantastic professional she is!
Building a GraphQL API, server-side, is something that takes time, energy, and expertise. That said, it's nothing that someone ready for a challenge is unable to handle! There are many different ways to hop in at all levels of abstraction. For example:
Un-assisted: If you really want to get your hands dirty, try building a GraphQL API with the help of packages. For instance, like Rails? Checkout graphql-ruby. Love Node.js? Try express-graphql.
Assisted: If fully maintaining your server/self-hosting is a priority, something like Graph.cool can help you get going on a GraphQL project.
Instant: Tired of writing CRUD boilerplate and want to get going fast? 8base provides an instant GraphQL API and serverless backend that's fully extensible.
Wrapping up
REST was a significant leap forward for web services in enabling highly available resource-specific APIs. That said, its design didn't account for today's proliferation of connected devices, all with differing data constraints and requirements. This oversight has quickly lead to the spread of GraphQL — open-sourced by Facebook in 2015 — for the tremendous flexibility that it gives front-end developers. Working with GraphQL is a fantastic developer experience, both for individual developers as well as teams.
This week, we check out the details of two API vulnerabilities at Uber and Get, the updated 42Crunch API security platform, and Red Hat’s vision of the future of API management.
Anand Prakash found a way to do full account takeover on Uber through a vulnerability in their APIs. The same approach worked with accounts for any Uber services, including drivers and Uber Eats:
Cloud Wallet is an API that covers asset and inventory accounting and enables closed-loop payments between connected devices. I have chosen inventory accounting for a coffee vending machine to present some examples.
Imagine you run a fleet of 1,000 coffee machines and you need to address the challenge of restocking in a timely fashion. To avoid lost sales and excessive delivery costs, we will take care of inventory accounting by linking each vending machine to a set of wallets that will record inventory balances and changes.
This week, we look at the recent vulnerabilities at Verizon and Shenzhen i365-Tech GPS trackers, leaking S3 bucket names, and Facebook cutting API access for some of its partners.
Vulnerability: Verizon
2 million Verizon Wireless Pay Monthly contracts were found open for anyone to access.
This week, we look into the recent API vulnerability in Cisco routers, how MuleSoft handled severe vulnerability in their API gateway, API security aspects of communication PaaS, and passes for upcoming API World conference in San Jose, CA.
Cisco has implemented its REST API as a virtual service container for IOS XE. This operating system is used on a variety of Cisco routers. It is not enabled by default but needs to be installed by administrators who need the REST API functionality.
The term API Platform has been used synonymously by some vendors with API Management, Full Lifecycle API Management, and even the term API Gateway. Everyone loves to spice up a subject with the word platform but being loose with the term is cutting the subject short. What is an API Platform? An API Platform is all these things and more.
An API Platform's purpose is to serve net new application development — building new capabilities, new experiences, nurturing ecosystems, and more. API Management, Full Lifecycle API Management, and API Gateways are tables stakes here of course. These bring life to API design and development, to lifecycle management, to policy and security enforcement, to analytics and to nurturing development communities as consumers of these APIs. All critical.
I know you believe your tools are the best. I mean, from your vantage point, they are. I also know that when you are building a new API tool, your investors want you to position your tooling as the best. The one solution to rule them all. They want you to work hard to make your tools the best but also make sure and demonize other tooling as being inferior, out of date, and something dinosaurs use.
I know this absolute belief in your tooling feels good and right, but you are actually creating friction for your users and potentially failure or at least conflict within their teams. Absolutism, along with divide and conquer strategies for evangelizing API tooling, works for great short term financial strategies but doesn't do much to help us on the ground actually developing, managing, and sustaining APIs.
This week, we look at API vulnerabilities in Kubernetes and 3Fun, upcoming API Specification Conference, and slides from EIN 2019 conference presentation.
We use API Autodiscovery to pair an API in API Manager to its deployed Mule application.
When autodiscovery is correctly configured in your Mule application, you can say that your application’s API is tracked by or paired to API Manager. Through the Autodiscovery scheme, the API Manager keeps track of the API throughout its lifecycle.
This week, we have a conference talk recording demonstrating API pen testing; see how the w3af web scanner can be used for APIs; look at SAP’s API security best practices; watch Cisco pay $8.6 million for not fixing vulnerabilities quickly.
Conference talks
The OWASP Global AppSec Tel Aviv conference has published a video recording of the “Testing and Hacking APIs” talk by Inon Shkedy.
I can't get API discovery out of my mind. Partly because I am investing significant cycles in this area at work, but it is also something I have been thinking about for so long that it is difficult to move on. It remains one of the most complex, challenging, and un-addressed aspects of the way the web is working (or not working) online today. I feel pretty strongly that there hasn't been an investment in the area of API discovery because most technology companies providing and consuming APIs prefer things to be un-discoverable, for a variety of conscious and unconscious reasons behind these belief systems.
What Does API Discovery Mean? Depends on Who You Are...
One of the reasons that API discovery does not evolve in any significant way is because there is not any real clarity on what API discovery is. Depending on who you are and what your role in the technology sector is, you'll define API discovery in a variety of ways. There are a handful of key actors that contribute to the complexity of defining and optimizing in the area of API discovery.
API design is a fascinating topic. One important aspect of API design is determining the right 'size' of an API in terms of its features and functionality. All architects must have grappled with this issue at some point or the other. In this article, I will try and give some insights into the various parameters that we need to think through before arriving at the 'right' grained API:
Maintainability: The first aspect that comes to mind is the maintainability of APIs. Coarse-grained APIs are difficult to maintain. As the API consumer needs grow, it will be difficult to add more implementation variations or parameters.
To gather insights on the current and future state of API management, we asked IT professionals from 18 companies to share their thoughts. We asked them, "What do developers need to keep in mind when managing APIs?" Here's what they told us:
UX
They need to think about the consumer of the API, what they are trying to get done with the API, why they would use the API, and details of their use cases. There have been a lot of APIs that were built, and nobody used the APIs for various reasons such as the API was too complex, did not easily (or at all) address their use case or were poorly documented. They need to remember that just like browser or desktop software with user interfaces, APIs have a user experience and that needs to fit the needs of the consumer and hopefully delight them.
Have a look at multiple APIs. There is no single right or wrong way to build APIs. Look at different implementations and put yourself in the shoes of using of consuming an API to understand what works and what doesn’t. It easy to take advantage of developer portals to discover APIs, see documentation, become familiar with a lot of APIs. That’s the best way to learn.
Respect the process and always look for a repeatable process. No matter what style you choose, GRPC, GraphQL, REST you need to maintain consistency across the board. Treat the developer experience of APIs with the same care, respect, effort, money as UX for your applications. Developers need to focus on creating the best possible developer experience for APIs. Every developer knows what a bad developer experience is. Make sure you don’t create a bad developer experience.
While APIs are built for machine-to-machine interaction, they are first manipulated by developers. Developers read them, try them, wrap their heads around them, before being able to efficiently leverage them. So APIs authors must do their best to balance between efficiency and human readability. We tackle the issue by providing our customers with high-quality API clients for most common programming languages — open-source API clients that we develop, document, support. On top of that, we also develop an open-source library leveraging these clients, providing customers with building blocks for the front-end that directly offers the best end-user experience and implements the best interaction patterns with our APIs.
1) APIs become a GA product once they are exposed outside of the company or even within the company. So API developers need to think in terms of a broad range of consumers and reusability when managing APIs. In doing so, best practices for development should be adopted, such as excellent documentation, understandable error messages, and predictable and consistent output and performance.
2) Since you could have a much broader set of developers using your APIs, it’s critical to think about the developers who will be using your API as consumers vs. technical users.
3) Because the API is reusable, backward compatibility becomes a critical consideration when updating that API. If you don’t know how, what, or when an API may be used, taking away capabilities or introducing breaking changes can create havoc for consumers. Some of the best APIs out there either enforce backward compatibility or give ample warning and time to make appropriate adjustments.
Decisions are easy to make and hard to reverse. The second someone other than you is consuming your API, you have a contract with that caller not to break their code. This means it can take literally years to unwind any mistakes you make in your interface definition.
So, measure twice and cut once. It’s also important to be mindful of the ecosystem in which you’re publishing your APIs. What are other teams doing? What do the existing APIs in your ecosystem look like? It’s important that everything you do feels consistent with the rest of your API ecosystem or customers will feel like they’re consuming a bunch of spare parts rather than a consistent collection of interfaces.
Developers need to acquire a client-first mindset. It’s easy to start gravitating away from the end-consumer if you don’t communicate with them, but it’s vital to put the customer’s convenience first. It’s frustrating when things get out of hand due to undocumented and unspoken changes on the API provider’s side.
Microservices
Developers need to consider API management of microservices. 86% of enterprises expect microservices to be the default application architecture in five years.
Security
Secure every API touchpoints which are usually an afterthought — they are not taken into consideration during the design phase. Security is a key element of API lifecycle management. Given that weak API security could result in exposure to critical vulnerabilities, API security must be built into the API architecture from the beginning – it cannot be relegated as that last design consideration.
The Complexity of API Discovery