Upgrade to Pro — share decks privately, control downloads, hide ads and more …

APIsecure 2023 - For flex(ibility) sake, modern...

apidays
PRO
March 21, 2023
Programming
0
46

APIsecure 2023 - For flex(ibility) sake, modernize your legacy APIs!, Topher Marie (Strata Identity)

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

For flex(ibility) sake, modernize your legacy APIs!
Topher Marie, CTO and Cofounder at Strata Identity

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

March 21, 2023
Tweet

More Decks by apidays

See All by apidays
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security Challenges by Eli Arkush, Akamai
apidays
PRO
0
26
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finnlines and Grimaldi Lines by Vesa Vähämaa, Finnlines
apidays
PRO
0
24
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hanna Sillanpaa, Abloy
apidays
PRO
0
17
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
apidays
PRO
0
27
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Testing with K6 by Ayush Goyal, Grafana Labs
apidays
PRO
0
16
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli Kilpeläinen, Betolar
apidays
PRO
0
13
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific
apidays
PRO
0
28
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giraldo, ING
apidays
PRO
0
25
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring Them Together by Merja Kajava, Aavista Oy
apidays
PRO
0
13

Other Decks in Programming

See All in Programming
LangChainの現在とv0.3にむけて
os1ma
4
930
Hono・Prisma・AWSでGeoなAPI開発
nokonoko1203
5
680
Jakarta EE meets AI
ivargrimstad
0
390
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
500
GraphQLの魅力を引き出すAndroidクライアント実装
morux2
3
770
今インフラ技術をイチから学び直すなら
yuhta28
1
140
『ドメイン駆動設計をはじめよう』中核の業務領域
masuda220
PRO
5
1k
watsonx.ai Dojo #2 生成AIを使ったアプリ開発入門編
oniak3ibm
PRO
0
230
エラーレスポンス設計から考える、0→1開発におけるGraphQLへの向き合い方
bicstone
5
1.5k
Patched fetch did not work
quramy
4
400
Some more adventure of Happy Eyeballs
coe401_
2
190
KSPの導入・移行を前向きに検討しよう!
shxun6934
PRO
0
280

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
36
1.7k
Typedesign – Prime Four
hannesfritz
39
2.3k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
354
29k
Producing Creativity
orderedlist
PRO
340
39k
Atom: Resistance is Futile
akmur
261
25k
From Idea to $5000 a Month in 5 Months
shpigford
379
46k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.1k
Code Review Best Practice
trishagee
62
16k
Docker and Python
trallard
39
3k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
45
4.8k
Fashionably flexible responsive web design (full day workshop)
malarkey
401
65k
The Cost Of JavaScript in 2023
addyosmani
42
5.7k

Transcript

  1. For flex(ibility)'s sake, modernize your legacy APIs! APISecure March 15,

    2023

  2. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Topher Marie 2 • CTO and Cofounder of Strata Identity • Lead Identity Architect at Oracle • Product Owner at Auth0 • CTO and Cofounder of JumpCloud • Engineer at Ping Identity and Symplified

  3. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    What do we mean by "Legacy?" • Contrast new development and "Legacy" software • Legacy software is currently and actively used by its intended audience • Can be from many different sources • COTS • Enterprise platforms • Bespoke 3

  4. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    "Legacy" software is important too! • We discuss new development a lot! • A lot of effort is actually on existing software • Maintenance and enhancements • The business use case continues to be important, but the underlying software may be beginning to age out. • Vulnerabilities accrue • Paradigms have changed 4

  5. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    What do we mean by "Modernization" • No need/desire to update business functionality • At least, this isn't the focus • Security and Access Control fixes • Enhanced useability is often a side effect • Latest API frameworks/behaviors 5

  6. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Typical trigger scenarios • Legacy system reaches EOL • Price increases for a legacy platform. • Centralizing responsibility for security/access management into a single team • Adding security to an existing app via second-factor auth. • Improving overall security posture, moving to zero-trust • Difficult to maintain because of talent availability 6

  7. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Some goals of modernization • Fix vulnerabilities, enhance security • Take advantage of popular/modern frameworks ◦ Don't undervalue the power of community • Follow current best practices 7

  8. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Tactics for Modernization Not every modernization journey is the same 8

  9. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Default Tactic: Do a rewrite • This is what most engineers think about first • Lots of professional services companies and consultants like to do this too 9

  10. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Some downsides to rewrites • Budget • Time • Complexity • Lack of expertise • Risk of breakage • Security • Business use cases • Can you stop developing in the existing codebase? Or is it a moving target. • Rewrite of Netscape killed the company 10

  11. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    The rewrite treadmill • Constant evolution of security • OAuth best practices, but now SSE / CAEP • Basic API paradigms: REST -> RPC -> GraphQL 11

  12. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Tactic: facade • Wrap the existing software with enhanced functionality • Facade acts as a proxy to the existing API • Similar to the Mediator pattern in some ways • API or application itself is not changed • Current best practices are applied at the facade • Security • Access Control • API Paradigm 12

  13. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Tactic: facade 13

  14. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Benefits of the facade • API doesn't know anything has changed • Old functionality is always still available • Less risk to business logic • Can be incrementally deployed / developed • Security, access control, even API paradigm can be decoupled from the business logic 14

  15. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Why decouple? • If we don't decouple here, we're basically rewriting the app • Software and security are constantly evolving. • Without decoupling, we have a new legacy product on our hands immediately. • Maintains flexibility for similar changes in the future 15

  16. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Creating your facade Get a bite at the traffic by routing through a proxy point 16

  17. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Iron out the networking By not doing much other than proxying traffic, you can make sure you can route traffic appropriately 17

  18. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Prepare traffic filtering 18

  19. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Allows an incremental approach • We don't want a big bang cutover • We're able to make incremental changes via the facade / abstraction layer and show immediate value. 19

  20. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Aside: the Big-Bang Antipattern • Significant project risk and investment. 20

  21. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Modernize the protocol • If needed, this is also a good time to modernize the API protocols themselves • Could also just be adding additional options • From legacy to REST • Add json, jwts, etc. 21

  22. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Decouple the identity • Target App/API receives identity from the proxy/abstraction layer in the expected format • Proxy receives the identity from the existing identity provider • Each application / identity provider can be migrated separately. 22

  23. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Harden the identity • With this abstraction layer, we can now layer in additional factors • Add in step-up authentication for incoming identity • Add mutual TLS for outbound identity • Continuous Access Evaluation Protocol • Risk Incident Sharing and Coordination 23

  24. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Externalize Authorization • For resources that aren't focused on authorization, the facade layer becomes a point where authorization can be implemented 24

  25. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Improve practices • Continuous Integration • Regression testing • Documentation 25

  26. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

    Companies that work in this space • Apigee, Amazon • Tyk, Mulesoft, Kong • Strata Identity 26

  27. Thank You!