
APIsecure 2023 - For flex(ibility) sake, modernize your legacy APIs!, Topher Marie (Strata Identity)

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

For flex(ibility) sake, modernize your legacy APIs!
Topher Marie, CTO and Cofounder at Strata Identity

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

March 21, 2023

Transcript

  1. © Strata Identity Inc. 2022. All Rights Reserved. Patents Pending.

     Topher Marie
     • CTO and Cofounder of Strata Identity
     • Lead Identity Architect at Oracle
     • Product Owner at Auth0
     • CTO and Cofounder of JumpCloud
     • Engineer at Ping Identity and Symplified
  2. What do we mean by "Legacy"?
     • Contrast new development and "Legacy" software
     • Legacy software is currently and actively used by its intended audience
     • Can be from many different sources
       ◦ COTS
       ◦ Enterprise platforms
       ◦ Bespoke
  3. "Legacy" software is important too!
     • We discuss new development a lot!
     • A lot of effort is actually on existing software
       ◦ Maintenance and enhancements
     • The business use case continues to be important, but the underlying software may be beginning to age out.
       ◦ Vulnerabilities accrue
       ◦ Paradigms have changed
  4. What do we mean by "Modernization"?
     • No need/desire to update business functionality
       ◦ At least, this isn't the focus
     • Security and Access Control fixes
     • Enhanced usability is often a side effect
     • Latest API frameworks/behaviors
  5. Typical trigger scenarios
     • Legacy system reaches EOL
     • Price increases for a legacy platform
     • Centralizing responsibility for security/access management into a single team
     • Adding security to an existing app via second-factor auth
     • Improving overall security posture, moving to zero-trust
     • Difficult to maintain because of talent availability
  6. Some goals of modernization
     • Fix vulnerabilities, enhance security
     • Take advantage of popular/modern frameworks
       ◦ Don't undervalue the power of community
     • Follow current best practices
  7. Tactics for Modernization
     Not every modernization journey is the same
  8. Default Tactic: Do a rewrite
     • This is what most engineers think about first
     • Lots of professional services companies and consultants like to do this too
  9. Some downsides to rewrites
     • Budget
     • Time
     • Complexity
     • Lack of expertise
     • Risk of breakage
       ◦ Security
       ◦ Business use cases
     • Can you stop developing in the existing codebase? Or is it a moving target?
     • Rewrite of Netscape killed the company
  10. The rewrite treadmill
      • Constant evolution of security
        ◦ OAuth best practices, but now SSE / CAEP
      • Basic API paradigms: REST -> RPC -> GraphQL
  11. Tactic: facade
      • Wrap the existing software with enhanced functionality
      • Facade acts as a proxy to the existing API
      • Similar to the Mediator pattern in some ways
      • API or application itself is not changed
      • Current best practices are applied at the facade
        ◦ Security
        ◦ Access Control
        ◦ API Paradigm
  12. Benefits of the facade
      • API doesn't know anything has changed
      • Old functionality is always still available
      • Less risk to business logic
      • Can be incrementally deployed / developed
      • Security, access control, even API paradigm can be decoupled from the business logic
  13. Why decouple?
      • If we don't decouple here, we're basically rewriting the app
      • Software and security are constantly evolving
      • Without decoupling, we have a new legacy product on our hands immediately
      • Maintains flexibility for similar changes in the future
  14. Creating your facade
      Get a bite at the traffic by routing through a proxy point
  15. Iron out the networking
      By not doing much other than proxying traffic, you can make sure you can route traffic appropriately
  16. Allows an incremental approach
      • We don't want a big bang cutover
      • We're able to make incremental changes via the facade / abstraction layer and show immediate value
  17. Aside: the Big-Bang Antipattern
      • Significant project risk and investment
  18. Modernize the protocol
      • If needed, this is also a good time to modernize the API protocols themselves
      • Could also just be adding additional options
      • From legacy to REST
        ◦ Add JSON, JWTs, etc.
  19. Decouple the identity
      • Target App/API receives identity from the proxy/abstraction layer in the expected format
      • Proxy receives the identity from the existing identity provider
      • Each application / identity provider can be migrated separately
  20. Harden the identity
      • With this abstraction layer, we can now layer in additional factors
      • Add in step-up authentication for incoming identity
      • Add mutual TLS for outbound identity
      • Continuous Access Evaluation Protocol
      • Risk Incident Sharing and Coordination
  21. Externalize Authorization
      • For resources that aren't focused on authorization, the facade layer becomes a point where authorization can be implemented
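The facade flow from the "Tactic: facade", "Decouple the identity" and "Externalize Authorization" slides, as an added Python example that is not from the talk or from Strata's products: the proxy verifies an HS256 JWT issued by the identity provider, enforces a role policy that the legacy API never sees, and forwards the request with the identity in the header the legacy app already expects. The X-Legacy-User header, the role names, the policy table and the shared signing key are assumptions made for the example.

```python
import base64, hashlib, hmac, json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, key):
    """Mint an HS256 JWT; stands in for the identity provider's token service."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token, key, now):
    """Return the claims if the HS256 signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # reject alg confusion such as "none" or a swapped algorithm
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, AttributeError):
        return None  # malformed token, bad base64/JSON, or non-object header
    return claims if claims.get("exp", 0) > now else None

# Externalized policy (assumed roles and methods): lives at the facade, not in the legacy code.
POLICY = {"GET": {"viewer", "admin"}, "POST": {"admin"}, "DELETE": {"admin"}}

def facade(request, key, now):
    """Authenticate and authorize at the proxy, then hand the legacy API the
    identity in the header format it already expects (X-Legacy-User, assumed)."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "body": "missing bearer token"}
    claims = verify_jwt(auth[len("Bearer "):], key, now)
    if claims is None or "sub" not in claims:
        return {"status": 401, "body": "invalid or expired token"}
    if not POLICY.get(request["method"], set()) & set(claims.get("roles", [])):
        return {"status": 403, "body": "forbidden"}
    # Strip the modern credential so it never reaches the legacy app, and pass
    # the verified identity in the legacy header instead.
    upstream_headers = {k: v for k, v in request["headers"].items() if k != "Authorization"}
    upstream_headers["X-Legacy-User"] = claims["sub"]
    return {"status": 200, "upstream": {"method": request["method"],
                                       "path": request["path"], "headers": upstream_headers}}
```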
  22. Improve practices
      • Continuous Integration
      • Regression testing
      • Documentation
  23. Companies that work in this space
      • Apigee, Amazon
      • Tyk, Mulesoft, Kong
      • Strata Identity