How to Build a Successful API Program: Best Practices for the Carrier
DESCRIPTION
More and more carriers are looking to API publishing as a way of offering new services to developers building mobile apps and cloud services. But launching an API publishing program inevitably raises questions about:
• How to maintain security when exposing internal systems and processes to external developers
• How to manage developers, weeding out the bad and rewarding the good
• How carriers can monetize their APIs
• How existing IT investments can be leveraged to maximize performance and ROI
• How building community among developers can drive revenue and minimize operating costs
This talk will give carriers the critical guidance they need to build a successful API strategy.
TRANSCRIPT
How To Build A Successful API Program -
Best Practices For The Carrier
K Scott Morrison
CTO
Sept 11, 2012
Researchers have discovered
that the US national divorce
rate has been falling since
2006…
2007: 3.6 divorces per 1000 people
2008: 3.5 divorces per 1000 people
2009: 3.4 divorces per 1000 people
Source: Slate http://slate.me/wGf9et
So, does this mean people are getting better at relationships?
No.
It’s because of the recession.
APIs are like a
relationship
They require
very high maintenance.
This talk is about how to
have a successful
relationship.
API
Carriers already know how to monetize relationships
Now Apply This To APIs
Piece of Advice #1
Best Practice #1
It takes two to tango.
The Web wasn’t a
relationship
Successful
relationships
are built on
trust and
equality
Equal, but different
BP #2
Understand and respect the cultural
differences.
Client Server
Inside Outside
Contractor Regular
Contractor Regular Partner
Partner Regular No Affiliation
Us Them
The New Identity Management
API Users API Developers
External Internal
APIs change composition
of internal teams
CFO
API Developer
Security Officer
Business Manager
Product Manager
BP #3
Memorize this simple equation.
API Development !=
Web Development
Beware of habits
BP #4
Take security away from developers.
[Diagram: Separation of Concerns. Labels: API Server, API Proxy, Security Expert, API Expert]
BP #5
Trust, but verify.
Source: https://xkcd.com/327/
SQL Injection (courtesy
XKCD)
Exploits of a Mom
BP #6
SSL everywhere.
It’s Cheap
BP #7
It’s still all about access control.
But think hard about tokens
BP #8
Don’t roll your own.
Security is hard
to get right
BP #9
Manage misconfiguration risk
with appliances.
[Diagram: Protect the Servers. Labels: Secure Zone, API Server, Firewall, DMZ, API Client, Enterprise Network, API Proxy]
BP #10
Engage the developers.
The New Governance
Documentation
Discovery
Approval
Enforcement
User Provisioning
Community
WSDL
Reg/Rep
G10 Platform
Gateway
IAM
What’s that?
Wiki/Blog
Search
Gateway
Portal
Forum
Old New
What’s that?
The Layer 7 API
Developer Portal
[Diagram labels: Firewall, Enterprise Network, API Server, API Client, iPhone Developer, API Portal, API Proxy]
To Summarize:
The game has changed. Clients need attention.
The security problems are the same. But the names have changed.
Don’t just build APIs. Build secure and managed APIs.
Picture Credits
Antelope Canyon 4 by klsmith – stock.exchg
Band silhouettes by mr_basmt – stock.exchg
Check and Statement by kgdsgn – stock.exchg
September 2012
For further information:
K. Scott Morrison
Chief Technology Officer
Layer 7 Technologies
1100 Melville St, Suite 405
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377
http://www.layer7tech.com