The Unsung Hero of the DevOps Revolution



Vance [00:00] And the Enterprise Integration Summit rolls on. Welcome to the session for Trend Micro. Let me introduce our speaker, Rob Maynard, Global Solutions Architect. Rob, welcome.
Vance [00:32] We're really glad to have Rob with us this morning. He focuses on DevOps, container architectures, and cloud and hybrid computing and notably APIs. And prior to Trend Micro, Rob drove API and DevOps success at Ford Motor Company and Volkswagen. So, we're going to get a great technical overview as well as some great user tips in his session, APIs, the unsung hero of the DevOps revolution. We know a lot of you are just starting or are struggling with DevOps. Rob is here to show us how APIs are proving to be a backbone for DevOps success. He'll show us how APIs provide the power to connect disparate silos or services into one well-oiled machine. He's also going to reveal how companies leverage API connectivity to power and solve DevOps problems, as well as add security to value streams. So, a great session. Before I hand it to Rob, just a quick note. You can download the slides. Just hit that big red button you see there. We've also assembled some great white papers and other downloads for you. So, click away on those if you'd like. And any questions, just type in the submit a question box. So, with that, right, let me flip back to you and tell us about APIs, the unsung hero of the DevOps revolution.
Rob Maynard [01:16] Yeah, thanks, Vance. Hello, everyone. I'm Rob Maynard, Global Solutions Architect, as Vance mentioned. I'm in the Research and Development Division at Trend Micro. I've been working in the IT field for about 12 years in various capacities. Prior to living my life in front of a computer screen, I was an infantryman in the US Army from 2002 to 2006. Most recently, I've been working in the DevOps world, both on the dev and ops side of the spectrum. Today we're going to discuss the concept of systems thinking and more specifically APIs and how they help organizations achieve the mentality of systems thinking. We'll also discuss how APIs can help enable security to not be a barrier to innovation, as well as some security risks that affect APIs. The DevOps movement has caused a paradigm shift in the way that organizations structure their information technology strategy. Organizations who have embraced this shift and adopted the practices that the DevOps movement has to offer have been able to increase productivity, reduce downtime, increase experimentation and improve morale among the IT staff. These practices boil down to three philosophies, or the three ways: systems thinking, amplifying feedback loops, and creating a culture of experimentation and learning. Today, we'll focus a little bit on the technological side of the first way and how to take what used to be individual silos or systems or teams and turn them into one value stream.
Rob Maynard [02:43] In traditional I.T. departments, if something within a value stream or application goes wrong, it's often up to one team or one department or, in the case of some poor suckers, one engineer that has to basically get up and start troubleshooting that issue. Typically, these teams or silos, as we refer to it, are only responsible for that one component. And due to either lack of collaboration, time or whatever the case may be, rarely have time for proactive maintenance. I've seen the situation firsthand many times, and it makes for a rough work environment. The concept of systems thinking states that a component of a system will act differently when isolated from the system's environment or other parts of the system. This means that if you look at just one piece of the puzzle, we miss the big picture and can therefore add technical debt or simply delay a larger problem in the system. The phrase putting a Band-Aid on a gunshot wound comes to mind. This concept doesn't apply to just troubleshooting, but also system design. It's important when architecting a value stream, system or application to also think about the entire system, not just the individual components. Security, for example, is something that in the past has often been an afterthought: a system or value stream is designed, built and deployed, and then security is added by a team who had very little to do with the architecture of the whole system. Often, the security team goes back and adds a security mechanism and, more often than not, some part of the overall system fails or breaks down.
Rob Maynard [04:17] By using the concept of systems thinking this can be avoided because there's no longer one silo where security lives; it's considered a part of the whole system. Now, so far, we've been talking a lot about systems, but what does that look like in the modern enterprise? Now, typically, it's a mixture of technological systems like servers, applications, databases. But there's also things like processes and people that make up the value stream as well. Often there's approvals that need to be made, and those are done by people quite often in a completely different system than the original system that we're talking about. Technologically, we can connect these systems through automation, through APIs. An API, or application programming interface, is an interface that allows two applications or systems to talk to each other. This can be done programmatically using HTTP calls written in a programming language, and there are different types of APIs out there. Today, we're primarily going to look at REST and RESTful, which typically operate over HTTP and HTTPS. HTTPS should be really the only answer there. But, you know, nobody's perfect. Now, there's another aspect of modern systems that comes into play these days, and that's the cloud. In the enterprise today you might have a database in Azure, you might have some Lambdas in AWS and perhaps you have some components in GCP, all working together to form one application or one system.
Rob Maynard [05:45] Now, for those of you who have any experience with cloud computing, you know that cloud providers such as Amazon Web Services rely heavily on APIs to deliver their services. And likewise, the consumers of those services use those same APIs for configuration and management. That same concept can be used for an internal system as well. So, I worked at an organization a few years back that was implementing an on-premise self-service environment deployment system for the development teams to be able to spin up resources they need to do testing prior to deploying their applications. So, the organization leveraged VMware vRealize Automation for the front end. However, there's a lot of other components that needed to be taken into account, even to just build one simple server. One of these was subnet and IP assignment, which was handled by another piece of software altogether. By using the API of that system, when a system was being deployed by vRealize Automation, it was able to make a call to that API, retrieve the networking components it needed, and then the organization was able to connect these two disparate pieces of software into one value stream. And that being the self-service deployment is a very simple example and really just a snapshot of one piece of a much more complex system. Another classic example touches on the ideas of continuous integration and continuous deployment, a couple of buzzwords in the DevOps revolution.
Rob Maynard [07:07] A CI/CD pipeline is a way to automate a software delivery process. And you may hear of the CI/CD pipeline as the backbone of a DevOps organization. However, these are typically built using the API of the individual components of the pipeline. So, I'd argue the API is the actual backbone. Everything from the building, testing and delivery, whether that be making the software available or deploying automatically, that whole process is automated. This means connecting code repositories to testing systems and any other systems that need to be in the flow. And that's all done through API. I'll pick on Jenkins, which is a popular CI server used to manage CI/CD pipelines. Out of the box, Jenkins doesn't do very much; it requires plugins to connect to things like GitHub, where the code might be stored, or AWS, where the software might be deployed eventually. And the way these plugins are designed is that they tap into the API of whatever system they're looking to connect to. So, in the case of AWS, it actually reaches out to the AWS API to be able to do what it needs to do. Likewise, with GitHub, it ties into the GitHub API and uses the functions within that API to complete the task of pulling down code. Now, for those of you who are new to CI/CD pipelines, just a quick overview of what that is. It starts when a developer merges a code branch, so some developer wants a new feature for his application and merges that into a GitHub code branch. And that feature is now available in the application. But first, it needs to be built out. So that triggers a Jenkins job and it makes a call to the GitHub API. It'll pull that code down.
Rob Maynard [08:47] It'll build that code. During the build phase, I might want to include some sort of security mechanism, like a runtime application self-protection module. From there, it gets subjected to testing like lint testing, unit testing and whatever else developers are into these days. It's also a good point to add some security testing. For example, in the case of containerization, which a lot of developers are using to deliver their software, I'll want to reach out and use a pre-runtime scanner to make sure that that container image I've just built doesn't contain any vulnerabilities, malware or any hard-coded secrets that a developer may have embedded into the software by accident. If testing is successful, the final product can be made available for consumption or it can be automatically deployed. In addition to using the APIs of the individual components of the system, organizations also have the ability to design their own APIs, and then that is a layer to the system as a whole. This allows other value streams, whether that be internal or external, such as a partner organization, to connect to that system when needed, which helps further streamline business processes.
Rob Maynard [09:53] An overarching API layer also allows consumers to take advantage of all the backend services within that system, instead of having to reach out to the components on an individual basis. An industry that's fully embraced the use of APIs is retail. They make a really good example of how APIs can tie disparate systems together into one value stream. So, for example, many organizations in the retail space are creating mobile applications, and that allows customers to purchase items and have them delivered right to their home or just learn more about the organization. Now these mobile applications are using APIs to connect to inventory systems, supply chain management systems and partners of that retail organization. Often, these applications will even tell you where a store is located, will give you a nice map to follow. Thousands of apps and websites utilize the Google Maps API for just that functionality. While these individual components utilize APIs internally, say, to update the inventory system or go to the order management system, quite often there's an external API allowing for other applications or websites to tie into that retail organization and make purchases. Amazon is a great example of this, as oftentimes you're able to purchase via Amazon from non-Amazon websites. So, another example of this comes from one of the largest manufacturers of automobiles and one of my old employers, Ford Motor Company. Their AppLink API suite allows developers to connect their mobile applications to the vehicle infotainment system, Sync. With this, the application itself runs entirely on the mobile device, so your iPhone, or Android phone, or whatever you're into. And then it uses the API calls to exchange the program data or command information with the actual Sync infotainment system in your car.
This helps developers so that they don't have to develop an application UI specifically for Sync, and it allows Ford Motor Company to support more applications in their in-vehicle infotainment systems.
Rob Maynard [11:57] And we touched a little bit on this already, but what we typically get asked by our customers at Trend Micro who are going down the road of automation is how they can integrate security into their systems without slowing down the pipelines that they're building. The answer here, of course, is the same as with any other component: via APIs. One of the newer use cases we've been seeing over the past couple of years revolves around serverless. Serverless, as in AWS Lambda or Azure Functions, allows customers to run code in the cloud on a consumption basis, but without access to the underlying host, because although it's serverless, it's running on somebody's server. So, without access to that server, it becomes very difficult to secure that piece of software. And that's where something like a RASP, or runtime application self-protection unit, comes in handy. A RASP gets embedded into the software by way of import statements; the developer can add it on their own without involving the security team. At Trend Micro, we have Cloud One Application Security. Using something like CloudFormation to deploy that serverless app, the API calls needed to activate Application Security with the managers, as well as configure settings and policy, can be included, so the application is protected right at launch. What we typically see is a system that is made up of multiple serverless scripts, and that number goes up when talking multiple systems. Using the API to configure the RASP does two things. One, it allows developers to continue innovating without worrying about being slowed down by security and, two, it ensures that that application or piece of that system is protected right out of the gate.
Rob Maynard [13:55] Now, another popular use case that we've been seeing at Trend Micro has to do with containerization. Many development teams are delivering their products containerized these days, as discussed above, and that's usually done via automated pipelines like the CI/CD pipeline. Therefore, developers once again don't want security to be a barrier to innovation. So what we suggest at Trend Micro is to build the security into the pipeline. And once again, this can be done via the API. The first way to do this is once again including a RASP within that containerized application, like we discussed with serverless. That way the developers can import the RASP library on their own, and then during the build process, the API can be leveraged to activate and configure the security within the RASP. The second method is by using a pre-runtime scanner. So as part of that testing piece within the CI/CD pipeline, we simply make an API call to a pre-runtime scanner. For example, at Trend Micro, we have Cloud One Container Scanning and we use an API call just to initiate the scan. And perhaps if a certain threshold is met, like a certain number of vulnerabilities or if it contains any malware, we can stop that pipeline and report the findings back to people who can fix whatever the issue is. In more advanced scenarios, in conjunction with cloud service provider APIs, further action can even be taken through the use of server technologies. For instance, we can send that bad image to a locked-down repository where it can't be launched, or, in the case of one of our partners, even launch a pull request in GitHub to update vulnerable libraries.
Rob Maynard [15:11] Some other cases include leveraging Kubernetes and its admission controllers, in which case you can simply hit the Kubernetes API and prevent one of those containers from running. So, we have some customers that use our Cloud One Workload Security product, and that's our server security toolset. And they use it solely via the API. They absolutely never log into the console. They never want to log into the console. They simply use the API and they accomplish everything from pulling down the agent install script to adjusting policy through automation. And when a new instance of a server spins up, it's automatically protected. And if any changes to the security policy are needed, it can be made via a sweeping change by making a call up to the API. Now, for those interested in introducing a custom API layer to their system, there are some best practices to keep in mind. And first and foremost is your API should only communicate over HTTPS. This is nothing new. This is the same as any other web traffic. We want to make sure that web traffic is encrypted. By doing this, you not only encrypt the traffic end to end, but you can also simplify the authentication credentials to a randomly generated token. Further, with regard to authentication, you have to make sure that all endpoints are protected behind authentication if you're not using an API gateway. We'll discuss a little bit about API gateways in a minute. But if you're not using one, every endpoint that you have, you need to make sure that it's getting authenticated.
Rob Maynard [16:43] It's also very important to be aware of how the URLs for your API endpoints are crafted; a lot of information can be exposed in the URL, things like passwords, API tokens, API keys and session tokens. And for obvious reasons, you don't want that to be exposed. So, you want to make sure that the URLs that you're crafting for your API endpoints have no information like that. Some of the best practices to think about are things like adding timestamps as a custom header in your API request; what you can do then is set it up so your API only accepts a request if it is within a certain timeframe. This helps prevent against replay attacks and brute force attacks. It's just good practice to have in your API. If possible, it's also good practice to use an API gateway. As we touched on prior, an API gateway acts as a reverse proxy to handle the incoming API calls and direct them to the endpoints and backend services. It also handles the authentication and rate limiting to help prevent malicious actors from doing bad things. From a performance standpoint, it allows you to enable caching as well. It also simplifies the authentication process, as you only have to authenticate at the gateway and not at every endpoint. So, it's a real easy way to ensure that authentication is handled in front of all your endpoints. You can also add monitoring and analytics tools to understand how people are using your API. That's amplifying the feedback loop, so that second way. This allows you to make informed changes to your API. What's also nice about the API gateway is that if you do make changes, you don't have to redo any URLs or DNS, because you're still pointing to the API gateway and there's no changes for your end users.
So, I hope that this has helped you learn a little bit about how you can use APIs in your organizations to really develop a mentality of systems thinking. Really, our systems as a whole, things as a whole, will help when things go wrong. We aren't just identifying individual problems and adding technical debt that may rear their ugly head down the road. So, with that, thank you very much for your time. I'd like to turn it back over to Vance.
Vance [19:00] Wow, Rob. Really great sense and really love how you put together the ideas here of the context of integration and API professionals in this whole new world of cloud native and DevOps and CI/CD. Really, really great session.
Rob Maynard [19:12] Thanks. And thanks for having me.
Vance [19:15] Yeah, it was our pleasure for sure. You mentioned questions. We definitely do have some. Let's start off with a big picture question, because there are a couple that feed into this main theme that you had. A lot of our attendees, as you might expect at the Enterprise Integration Summit, have been using APIs and REST in particular to integrate apps or get data to mobile users for many years. And they don't often think that they can pivot their expertise to DevOps or CI/CD. So maybe give us some advice on how API experts can play a role in this new cool world of CI/CD.
Rob Maynard [19:49] Yeah, absolutely. So, as I stated in the talk, with DevOps, all these connections to different systems, especially within the CI/CD pipeline, a lot of people think that is the backbone of DevOps. But because you have to connect them with APIs, APIs, I'd argue, really are the backbone there. And it's really on the experts to help the rest of the organization understand how they can leverage those APIs within their DevOps organization. Part of the DevOps movement is cultivating an environment of learning. So, for all the experts who already know how to leverage APIs, I'd say it's up to them to really spread the good news to the other people on their team and just sort of experiment and let the rest of the organization know that, hey, this is what we can do to make ourselves more efficient. Anything that can be automated should be automated, and all that's done through the API.
Vance [20:41] Yeah, really great point. And really, you also brought up the point about how API can power DevOps resolution, particularly in security and value stream management. So, a lot of opportunity for API people to play a role in the CI/CD, right Rob? So, let's drill into some of the specific ways. We have a couple of technical type questions here. Let's go into those. First off, we talked a little bit about permissions and granting access. Talk a little bit more about the kinds of ways that you're seeing companies look at use cases to grant access to data through an API.
Rob Maynard [21:21] Yeah. So, whenever you grant access to anything, whether it be via the API or even just a Windows file share, it should always be the philosophy of least privilege. Right. You don't want to give everybody the ability to write. You really just want to give people enough permission to do what they need to do. If they only need to get the name of a computer by pinging the API to do that, then they should only get the computer name. That really doesn't change from what we all learned in school. It should just be least privilege, really.
Vance [21:50] Yeah. And let's go into the Trend Micro way of how you guys look at this whole idea of data transfer through an API. Talk about how and when encryption might be necessary for that kind of transfer and how Trend Micro makes that much easier.
Rob Maynard [22:04] Any time you're transferring data, once again, whether it be API or anything, but anytime it's going across the wire, encryption should always be implemented. So, at Trend Micro, that's something we really preach, really give that advice to our customers who are going down this road and just need our advice. In our own APIs, we enforce the encryption across our channels. So any time that there's data going across the wire, we want encryption there.
Vance [22:29] Wow, Rob, so you take the approach that, rather than get granular into the weeds about what-if scenarios and case studies, the Trend Micro approach is to default to encryption and then the API will make that much easier to accomplish.
Rob Maynard [22:45] I mean, absolutely, I mean, in this day, with all the breaches and things that happen every day, absolutely, encryption should be the first thing that you put into place. It's very easy. All systems give you the option, if they don't enforce it out of the box, to use encryption. So absolutely. If it's there, use it. Definitely.
Vance [23:04] It's that simple. That's great. We talked about the data in the pipe. Let's talk about the actual endpoint of the pipe. Another question here talks about what kinds of suspicious behavior should we be looking out for when it comes to keeping our APIs safe and secure?
Rob Maynard [23:20] So certainly, common attacks. You know, replay attacks, just constantly trying to ping a resource to basically initiate a denial of service, brute forcing. Those are types of attacks. So what you'd see on the end consumer, and we'll call it the endpoint end, would be a lot of traffic, really trying to really hammer a certain endpoint. And you can imagine, if you're only getting a small piece of data in JSON format out of that API and you see a lot of traffic coming in, you can pretty much guess somebody's trying to do some dirt. Some other things to really look out for: you have the potential of seeing request logs. Are people trying to poke around with your URLs? Are they trying to really experiment and see what else they can get out of there? Or are they trying to force URLs to do stuff that you didn't design within your API? Things like that.
Vance [24:10] Really excellent. Really excellent list. This has been a fantastic session, Rob. I see time's almost up. But before you go, give us a suggestion of where folks can learn more about Trend Micro and even get a demo or go more hands-on with the technology. Not only do we have folks who are in the API security space, but as you mentioned, we've got the DevOps folks. We also got a very strong hybrid integration community here that want to tie together their on-premise and cloud systems. So maybe give us a couple of highlights of where we can send those folks.
Rob Maynard [24:42] Yeah, absolutely. So, some of the information that we provided will link you to a couple of the products that I mentioned in my talk, one of which is the Cloud One Application Security, which is our RASP product, can get embedded in really any web application. But for our cloud users out there, Lambdas, AWS functions, that kind of thing, embed that in there. And one other thing, speaking of the CI/CD, I also mentioned this in the talk, is our Cloud One Container Scanning. So that's our pre-runtime container scanning mechanism and that fits right into the CI/CD pipeline as part of that automated testing piece. And all that can be managed via API. And for anybody else in that integration space, definitely check out our Cloud One Workload Security; that's really our flagship cloud security suite and that will allow you to protect EC2 workloads and get better visibility into your cloud landscape.
Vance [25:35] Wow, great list of assets there. But what I really like about it is that Trend Micro has taken this approach very much like the API professionals who recently this idea of an API lifecycle. You talked about the pre-provisioning aspect as well as once it's out, up and running. So really great list of assets. We really appreciate your time.
Rob Maynard [25:54] Thanks, man. That was a lot of fun, and happy to be here.
Vance [25:57] Yeah. And we're happy to have you here. So just a quick reprieve for our attendees. Rob mentioned many resources. We're lucky enough that he and his team got together. We've got a list of links there that'll take you to a lot of them. And again, let me recommend you take a look at the slides. That big red button will get you them immediately. For those we weren't able to post here in the breakout room, we've got good news at the end of Rob's deck. We've got a slide here we call the for more information slide. You can go on to the Trend Micro website and get many of the other assets we weren't able to fit here. So, with that, let me thank Rob Maynard for a great session. And thank you all very much for attending.