Apidays Paris 2023 - API Observability: Improving Governance, Security and Operations, Jose Haro Peralta, microapis.io

Transcript

1. API Observability Improving Governance, Security and Operations José Haro Peralta

   Consultant, author, and instructor Founder of microapis.io APIDays Paris Dec 6-8, 2023

2. $ whoami • I’m Jose • Consultant, author, instructor •

   Author of Microservice APIs • Founder of microapis.io • Creator of fencer @JoseHaroPeralta @microapis http://mng.bz/ZRK5 ctwapidjp45

3. Relio https://getrelio.com/

4. Connect with me!  Twitter: @JoseHaroPeralta  GitHub: @abunuwas 

   Newsletter: https://microapis.substack.com  LinkedIn: https://www.linkedin.com/in/jose-haro-peralta/

5. Agenda  What is API observability?  How observability improves

   security  How observability improves API Governance  How observability improves operations

6. What is observability?  What is the typical user flow

   through your API?  How many unauthorized requests per second do you have?  What is the biggest source of errors?  What flows characterize non-buyers?  Can you detect abuse of your API?  Are customers using the API as intended?

7. No observability?  🙈 Getting hacked without knowing it 

   🙊 Losing customers without knowing it  🙉 Missing out on crucial feedback about the quality of your APIs

8. What is observability?  The ability to measure and describe

   the internal states of a system based on its outputs  Outputs are metrics, logs, and traces  Pillars of observability (Cindy Sridharan (2018), Distributed systems observability)  OpenTelemetry (OTEL)

9. Metrics, logs, traces  Logs are records of specific events

    Metrics are measures that capture system behaviour, like availability and performance  Traces allow us to trace the lifecycle of a request throughout our system (request-scoped events)
10. None

11. What is good API observability?  Serves different stakeholders 

    Helps us trace user flows, reproduce user interactions and errors  Gives insights into user behaviour  Fosters collaboration between teams (M. Skelton, “Practical, team-focused operability techniques for distributed systems”)  Is tailored to our business needs – can answer business questions
12. None
13. None

14. December 04, 2023 at 06:10 (UTC) ERROR [app.py:1819] [trace_id=4512abc34def5678 span_id=1234567890abcdef]

    - Exception on "PUT /project/712bacec-f61d-4ff5-b1e6- 8b5978958f4b/files" Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1706, in _execute_context December 04, 2023 at 06:10 (UTC) ERROR [app.py:1819] [trace_id=4512abc34def5678 span_id=1234567890abcdef context=SOW_SUBMISSION] - Exception on "PUT /project/712bacec-f61d- 4ff5-b1e6-8b5978958f4b/files" Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1706, in _execute_context December 04, 2023 at 06:10 (UTC) ERROR [app.py:1819] - Exception on "PUT /project/712bacec-f61d- 4ff5-b1e6-8b5978958f4b/files" Traceback (most recent call last): File "/usr/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1706, in _execute_context

15. API observability is hard  Often, we lack control over

    API client  Difficult to trace user journeys  Unexpected uses of the API  Stateless APIs  Tracing in distributed systems

16. Observability for API security  It takes organizations an average

    277 days to identify and contain a security breach (IBM’s Cost of Data Breach Report 2023)  OWASP API10:2019 – Insufficient logging and monitoring  Lack of observability means we can’t detect and remediate security breaches (lack of readiness for API security posture)
17. None

18. API security landscape is evolving  Traditional security measures aren’t

    sufficient for APIs  APIs expose attack vectors in unexpected ways (esp. vulnerable designs)  OWASP API6:2023: Unrestricted Access to Sensitive Business Flows

19. PS5 scalping

20. UK’s DVSA driving tests reselling scandal

21. API6:2023 – Unrestricted access to sensitive business flows  Scalper

    / grinch bots  Denial of inventory  Abuse of referral programs  Skewing reviews, scores, measures, etc.  Brute force attacks

22. How observability helps API security  Monitor user behaviour 

    Watch for unusual behaviour and unexpected flows  Track unauthorized requests  Watch closely data transfers from sensitive data endpoints
23. None

24. Observability for API Governance  Trace user flows, user experience

     Is our API being used as intended?  Are customers abandoning the API at a specific point in their journey  Is our API meeting usage KPIs?  Are our APIs correctly documented? Do we have drift?

25. VS

26. Observability for API operations  Do we have shadow APIs?

    What about zombie APIs? Are deprecated APIs still available?  Tracing problems across distributed applications  Diagnosing problems when they occur  Reproducing user flows  Understand service topology and dependencies
27. None

28. Takeaways  API observability is hard but necessary  API

    observability is a pre-requisite for API security readiness  Tailor observability to your business requirements  Good observability serves different stakeholders  Good observability helps us ask questions about the state of the system and gives us actionable insight

29. Thanks for listening! Twitter: @JoseHaroPeralta GitHub: @abunuwas Newsletter: https://microapis.substack.com LinkedIn:

    https://www.linkedin.com/in/jose-haro-peralta/