
apidays
December 29, 2023

Apidays Paris 2023 - API Observability: Improving Governance, Security and Operations, Jose Haro Peralta, microapis.io

Apidays Paris 2023 - Software and APIs for Smart, Sustainable and Sovereign Societies
December 6, 7 & 8, 2023

API Observability: Improving Governance, Security and Operations
Jose Haro Peralta, Founder, Author, Instructor at microapis.io


Transcript

  1. API Observability: Improving Governance, Security and Operations
     José Haro Peralta, consultant, author, and instructor; founder of microapis.io
     APIDays Paris, Dec 6-8, 2023
  2. $ whoami
     • I’m Jose
     • Consultant, author, instructor
     • Author of Microservice APIs (http://mng.bz/ZRK5 ctwapidjp45)
     • Founder of microapis.io
     • Creator of fencer
     @JoseHaroPeralta @microapis
  3. Connect with me!
     • Twitter: @JoseHaroPeralta
     • GitHub: @abunuwas
     • Newsletter: https://microapis.substack.com
     • LinkedIn: https://www.linkedin.com/in/jose-haro-peralta/
  4. Agenda
     • What is API observability?
     • How observability improves security
     • How observability improves API governance
     • How observability improves operations
  5. What is observability?
     • What is the typical user flow through your API?
     • How many unauthorized requests per second do you have?
     • What is the biggest source of errors?
     • What flows characterize non-buyers?
     • Can you detect abuse of your API?
     • Are customers using the API as intended?
  6. No observability?
     • 🙈 Getting hacked without knowing it
     • 🙊 Losing customers without knowing it
     • 🙉 Missing out on crucial feedback about the quality of your APIs
  7. What is observability?
     • The ability to measure and describe the internal states of a system based on its outputs
     • Outputs are metrics, logs, and traces
     • Pillars of observability (Cindy Sridharan (2018), Distributed Systems Observability)
     • OpenTelemetry (OTEL)
  8. Metrics, logs, traces
     • Logs are records of specific events
     • Metrics are measures that capture system behaviour, like availability and performance
     • Traces allow us to follow the lifecycle of a request throughout our system (request-scoped events)
  9. What is good API observability?
     • Serves different stakeholders
     • Helps us trace user flows, reproduce user interactions and errors
     • Gives insights into user behaviour
     • Fosters collaboration between teams (M. Skelton, “Practical, team-focused operability techniques for distributed systems”)
     • Is tailored to our business needs – can answer business questions
  10. December 04, 2023 at 06:10 (UTC) ERROR [app.py:1819] [trace_id=4512abc34def5678 span_id=1234567890abcdef] - Exception on "PUT /project/712bacec-f61d-4ff5-b1e6-8b5978958f4b/files"
      Traceback (most recent call last):
        File "/usr/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1706, in _execute_context

      December 04, 2023 at 06:10 (UTC) ERROR [app.py:1819] [trace_id=4512abc34def5678 span_id=1234567890abcdef context=SOW_SUBMISSION] - Exception on "PUT /project/712bacec-f61d-4ff5-b1e6-8b5978958f4b/files"
      Traceback (most recent call last):
        File "/usr/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1706, in _execute_context

      December 04, 2023 at 06:10 (UTC) ERROR [app.py:1819] - Exception on "PUT /project/712bacec-f61d-4ff5-b1e6-8b5978958f4b/files"
      Traceback (most recent call last):
        File "/usr/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1706, in _execute_context
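The log lines on slide 10 carry request context as a bracketed block of key=value pairs. As an added example (not from the talk), a parser for that line format that groups entries by trace_id; entries without one end up in a None bucket because they cannot be correlated with the rest of the request. The sample lines are constructed and reuse the slide's ids.

```python
import re
from collections import defaultdict

# Constructed sample lines in the slide's format; the ids are the ones shown on the slide.
SAMPLE_LOGS = [
    'December 04, 2023 at 06:10 (UTC) ERROR [app.py:1819] '
    '[trace_id=4512abc34def5678 span_id=1234567890abcdef context=SOW_SUBMISSION] '
    '- Exception on "PUT /project/712bacec-f61d-4ff5-b1e6-8b5978958f4b/files"',
    'December 04, 2023 at 06:10 (UTC) INFO [auth.py:42] '
    '[trace_id=4512abc34def5678 span_id=0f0f0f0f0f0f0f0f] - Token validated for user u-17',
    'December 04, 2023 at 06:11 (UTC) ERROR [app.py:1819] '
    '- Exception on "PUT /project/712bacec-f61d-4ff5-b1e6-8b5978958f4b/files"',
]

# timestamp, level, [file:line], optional [key=value ...] context block, "- " message
LINE_RE = re.compile(
    r'^(?P<ts>.+? \(UTC\)) (?P<level>[A-Z]+) \[(?P<loc>[^\]]+)\]'
    r'(?: \[(?P<ctx>[^\]]*)\])? - (?P<msg>.*)$'
)


def parse_line(line):
    """Return ts, level, loc, msg plus every key=value field from the context block, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ('ts', 'level', 'loc', 'msg')}
    for kv in (m.group('ctx') or '').split():
        key, _, val = kv.partition('=')
        rec[key] = val
    return rec


def group_by_trace(lines):
    """Group parsed records by trace_id; records with no trace context land under None."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[rec.get('trace_id')].append(rec)
    return dict(groups)
```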
  11. API observability is hard
      • Often, we lack control over the API client
      • Difficult to trace user journeys
      • Unexpected uses of the API
      • Stateless APIs
      • Tracing in distributed systems
  12. Observability for API security
      • It takes organizations an average of 277 days to identify and contain a security breach (IBM’s Cost of a Data Breach Report 2023)
      • OWASP API10:2019 – Insufficient logging and monitoring
      • Lack of observability means we can’t detect and remediate security breaches (lack of readiness for API security posture)
  13. The API security landscape is evolving
      • Traditional security measures aren’t sufficient for APIs
      • APIs expose attack vectors in unexpected ways (esp. vulnerable designs)
      • OWASP API6:2023: Unrestricted Access to Sensitive Business Flows
  14. API6:2023 – Unrestricted access to sensitive business flows
      • Scalper / grinch bots
      • Denial of inventory
      • Abuse of referral programs
      • Skewing reviews, scores, measures, etc.
      • Brute force attacks
  15. How observability helps API security
      • Monitor user behaviour
      • Watch for unusual behaviour and unexpected flows
      • Track unauthorized requests
      • Watch closely data transfers from sensitive data endpoints
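Slide 15's checks as an added example (not from the talk): detection logic over constructed gateway access-log records that counts unauthorized (401/403) responses per client per second, the question slide 5 asks, and sums bytes served from sensitive endpoints per client per time window, flagging clients above a threshold. Record field names, the sensitive prefixes and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed access-log records; the field names are assumptions, not a real gateway's schema.
# Client 10.0.0.5 fails login four times in one second; 10.0.0.9 pulls three large user-document
# responses in a few seconds; 10.0.0.7 is ordinary traffic.
ACCESS_LOG = [
    {"ts": 100, "client": "10.0.0.5", "path": "/login", "status": 401, "bytes": 90}
    for _ in range(4)
] + [
    {"ts": 101, "client": "10.0.0.9", "path": "/users/17/documents", "status": 200, "bytes": 700_000},
    {"ts": 103, "client": "10.0.0.9", "path": "/users/18/documents", "status": 200, "bytes": 700_000},
    {"ts": 105, "client": "10.0.0.9", "path": "/users/19/documents", "status": 200, "bytes": 700_000},
    {"ts": 102, "client": "10.0.0.7", "path": "/users/17/documents", "status": 200, "bytes": 2_000},
    {"ts": 104, "client": "10.0.0.7", "path": "/invoices/4", "status": 403, "bytes": 60},
]

# Endpoints that serve sensitive data; assumed for this example.
SENSITIVE_PREFIXES = ("/users/", "/invoices/")


def unauthorized_per_second(records):
    """Count 401/403 responses per (client, second)."""
    counts = defaultdict(int)
    for r in records:
        if r["status"] in (401, 403):
            counts[(r["client"], r["ts"])] += 1
    return dict(counts)


def flag_unauthorized_bursts(records, threshold):
    """Clients that produced at least `threshold` unauthorized responses within one second."""
    per_sec = unauthorized_per_second(records)
    return sorted({client for (client, _), n in per_sec.items() if n >= threshold})


def sensitive_egress(records, window):
    """Sum bytes successfully served from sensitive endpoints per (client, window index)."""
    totals = defaultdict(int)
    for r in records:
        if r["status"] < 400 and r["path"].startswith(SENSITIVE_PREFIXES):
            totals[(r["client"], r["ts"] // window)] += r["bytes"]
    return dict(totals)


def flag_egress(records, window, limit):
    """Clients that pulled more than `limit` bytes of sensitive data within one window."""
    totals = sensitive_egress(records, window)
    return sorted({client for (client, _), b in totals.items() if b > limit})
```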
  16. Observability for API governance
      • Trace user flows, user experience
      • Is our API being used as intended?
      • Are customers abandoning the API at a specific point in their journey?
      • Is our API meeting usage KPIs?
      • Are our APIs correctly documented? Do we have drift?
  17. VS

  18. Observability for API operations
      • Do we have shadow APIs?
      • What about zombie APIs? Are deprecated APIs still available?
      • Tracing problems across distributed applications
      • Diagnosing problems when they occur
      • Reproducing user flows
      • Understanding service topology and dependencies
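The drift question on slide 16 and the shadow and zombie API questions on slide 18 can be answered from the same two inputs: the API's OpenAPI document and the requests actually observed. As an added example (not from the talk), the check below matches observed (method, path) pairs against path templates and reports shadow operations (undocumented), zombie operations (documented as deprecated but still receiving traffic) and unused operations (documented but never called). The spec and the traffic are constructed.

```python
import re
from collections import Counter

# Constructed minimal OpenAPI document: three documented paths, one operation deprecated.
SPEC = {"paths": {
    "/projects/{project_id}/files": {"get": {}, "put": {}},
    "/projects/{project_id}": {"get": {}},
    "/v1/projects": {"get": {"deprecated": True}},
}}

# Constructed observed traffic, e.g. (method, path) pairs pulled from gateway access logs.
OBSERVED = [
    ("GET", "/projects/p-42"),
    ("PUT", "/projects/p-42/files"),
    ("GET", "/v1/projects"),
    ("GET", "/v1/projects"),
    ("GET", "/internal/debug"),    # path not in the spec at all
    ("DELETE", "/projects/p-42"),  # documented path, undocumented method
]


def path_to_regex(template):
    """Compile an OpenAPI path template; each {param} matches exactly one path segment."""
    parts = ["[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "$")


def match_operation(spec, method, path):
    """Return (template, operation object) for a request, or None if it is undocumented."""
    for template, ops in spec["paths"].items():
        if method.lower() in ops and path_to_regex(template).match(path):
            return template, ops[method.lower()]
    return None


def classify_traffic(spec, observed):
    """Return (shadow, zombie, unused): undocumented request counts, deprecated-operation
    counts, and the documented (method, template) pairs that never appeared."""
    shadow, zombie, seen = Counter(), Counter(), set()
    for method, path in observed:
        hit = match_operation(spec, method, path)
        if hit is None:
            shadow[(method, path)] += 1
            continue
        template, op = hit
        seen.add((method.lower(), template))
        if op.get("deprecated"):
            zombie[(method, template)] += 1
    documented = {(m, t) for t, ops in spec["paths"].items() for m in ops}
    return shadow, zombie, documented - seen
```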
  19. Takeaways
      • API observability is hard but necessary
      • API observability is a prerequisite for API security readiness
      • Tailor observability to your business requirements
      • Good observability serves different stakeholders
      • Good observability helps us ask questions about the state of the system and gives us actionable insight