
Working in corporate to founding a developer first company

Last month I got a chance to sit and talk with Darshan Shivashankar, founder and CEO of APIWiz, on our brand new podcast. The two of us have collaborated in the past on an API lifecycle management workshop, and since Darshan is a technical founder, whenever we talk our conversations tend to go to all places technical. So catch up on everything we discussed in this 50-minute episode, but here’s a quick summary, or gist if you will, for anyone who needs more buy-in before lending the episode their ears.

Darshan has 15+ years of experience in the industry building technical solutions, especially when it comes to designing API programs for companies pursuing digital transformation. In the past Darshan has worked across industries from telecom to healthcare, FinTech to neo banks. Though now the founder of a developer-first company, Darshan shared that he never envisioned or planned his career to follow a fixed trajectory. Opportunities started coming in as he worked on more advanced projects, and with the right problem-solving mindset and experience he was acing the digital transformation process of the industries he worked in, sometimes leading and even starting their API-first journey.

Darshan figured out the technical debt associated with the API journey of organisations where teams work in silos, leading to a lack of collaboration, reliability and consistency in governance. If you’ve worked on API development for a big project or digital transformation mission, you can easily relate to it. This is where Darshan felt the need for a solution that could help with API lifecycle management. After validating this idea within his network, he realised that there was indeed a requirement for such a solution, but no immediate urgency to have it in place. This gave Darshan and his team the opportunity to bootstrap their journey building APIWiz, focusing on addressing developer-centric problems.

I asked Darshan if he’s still involved in the development of the product, and he mentioned he was actually writing code until very recently. Now he’s more involved in hiring, planning and giving direction to the product, though he still knows the codebase inside out and is always ready to roll up his sleeves and get down to programming and tracking bugs whenever required, which for me was really inspiring to hear. The team at APIWiz has now scaled up after they raised funds from their investors, and that’s where Darshan focused on hiring candidates with the right vision and mindset, as he believes tools and skills can be learned on the job but a problem-solving attitude can’t be taught. Darshan also mentioned motivating team members to fill the job roles needed within the organisation, enabling them to explore more arenas to work in and fit into.

I also asked Darshan where he sees the industry heading and the things he’s most excited about, but I’m gonna tease you here, as he really has a deep and interesting perspective on this one, which I feel you should hear straight from the podcast to better understand it.

P.S.: eBPF and Raspberry Pis were mentioned 😛

Darshan also shared the struggles associated with starting a company from scratch, the role of support from family members, friends and people within your network, and great tips for anyone just starting out fresh in tech who wants to make it big, making this one of my favourite episodes.

If you listen to it, don’t forget to share it with your friends who might learn a thing or two from this podcast. As always, I’m looking forward to your feedback to make this podcast better, and if you have any guest suggestions, feel free to share them via the comment section below.


Taking a Proactive, Governance-Based Approach to API Security

Security breaches are among the greatest threats confronting enterprises today, and application programming interface (API) abuse is typically central to the attacks. For that reason, API governance is critical to the success of any digital business.

Ensuring that governance results in a long-term stabilizing strategy requires following strategic API security, monitoring, and open cultural practices.

Common Errors

Just knowing when something is not right with a system or that a bug requires fixing isn’t enough knowledge to make informed decisions about security. What is required is a keen understanding of the health of a specific project throughout its entire life cycle. This includes knowing its current state, having proper visibility into the traffic running through apps and infrastructure, and recognizing error patterns – and being able to act upon any issues before they impact the customer experience.

When it comes to API lifecycle and management, we’ve discussed it in great detail in this workshop recording, which can be found here.

The problem with most enterprises in this regard is that they tend to be project- instead of product-driven; budgets and deadlines are tied to delivering features rather than holistically examining a product and its capabilities. This, coupled with the failure to see APIs as adding value, is why many brands have failed in their API journeys and digital transformation. They’ve simply lost sight of the return on investment (ROI) that properly governed APIs can deliver.

As a result, these enterprises leave API security to the end of the life cycle, when regression tests are run to determine whether the API is working properly, declaring it “secure” if it passes a confined set of tests. It is a last-mile mindset that is behind the daily reports of personal healthcare data, payment information, and billing address breaches – and why API security must be everyone’s responsibility at every stage of the life cycle and built into the product design itself.

Governance can work only when API security is considered at the outset and supported with the proper tools to ensure the team is prepared to stave off attacks from every angle.

Creating a Governance Mindset

The first step toward effective API governance is to create an organization-wide mindset rather than having it rest solely with those who develop processes. Governance must go beyond ensuring that a specific set of projects functions in a certain way and adds value. Transformational success requires continuous feedback that bridges the gap between the consumer and provider.

Adopting a dedicated API management platform that applies API security best practices throughout the API life cycle is a smart way to automate many aspects of governance. Doing so provides a top-down approach that leverages a powerful security toolkit and knows what questions to ask and when.

Among the questions API governance must ask are:

  • Why do I need this API?
  • Who are my API’s consumers?
  • What are my consumers’ usage patterns?
  • Do they need this API?
  • What is the behavioral design for this API?
  • What is my ROI?
  • Does this API add value to my consumers?
  • How is this API being integrated with my partners?
  • Which devices are calling this API?
  • What barriers are there for people to access this API?
  • How could my APIs be compromised?
  • What is being cached on local browsers?
  • How many retries are permitted when trying to access my API?

When and How to Pose Questions

When a company is scaling, taking a manual approach to continually asking and answering these critical questions becomes far too error-prone to be effective. It becomes too easy to lose track of data and too tempting to cut corners to meet deadlines. Thus, API security needs to be built into API modeling – in both test-driven design and communications with every aspect of the business.

For example, information must be continuously evaluated to determine if it is sensitive, as API governance has different security policies for internal APIs, external APIs, open-source APIs, and partner APIs.

Leaving the monitoring of sensitive information in the hands of API analysts, who are tasked with building an API specification under OpenAPI, is a mistake, as their focus is solely on the user interface (UI), the necessary data models, and consumer demands. Too often this dedicated focus causes them to overlook critical vulnerabilities, resulting in sensitive data being built into API headers and query patterns.

Rather, everyone should be responsible for asking whether a user ID is needed as part of the API and, if so, whether it should be carried in an encrypted payload instead. A user ID passed as a query parameter should be treated as exposed, since the query string passes through browsers that retain caches and cookies.
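The specification-level check this paragraph calls for, as an added example that is not APIWiz’s code or part of the original article: a small lint over an OpenAPI 3 document that flags sensitive-looking parameter names declared in the query string or a request header, the two places where the value ends up in browser history, caches and access logs. The sample spec, the name pattern and the function name are all constructed for this illustration.

```python
import json
import re

# Constructed sample OpenAPI 3 document (not a real APIWiz artifact):
# one endpoint carries a user ID and a session token outside the body.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "paths": {
    "/accounts": {
      "parameters": [{"name": "X-Session-Token", "in": "header", "schema": {"type": "string"}}],
      "get": {
        "parameters": [
          {"name": "user_id", "in": "query", "schema": {"type": "string"}},
          {"name": "page", "in": "query", "schema": {"type": "integer"}}
        ]
      }
    },
    "/accounts/{id}/statement": {
      "post": {
        "parameters": [{"name": "ssn", "in": "query", "schema": {"type": "string"}}]
      }
    }
  }
}
""")

# Names that indicate personal or credential data; query strings and custom
# headers are recorded by browsers, proxies and server access logs.
SENSITIVE_NAME = re.compile(r"(user[_-]?id|ssn|token|password|secret|api[_-]?key|email|phone)", re.I)
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "options", "head"}

def find_exposed_parameters(spec):
    """Return (path, METHOD, name, location) for every sensitive-looking
    parameter declared in the query string or a request header."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level params apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            for p in shared + op.get("parameters", []):
                if p.get("in") in ("query", "header") and SENSITIVE_NAME.search(p.get("name", "")):
                    findings.append((path, method.upper(), p["name"], p["in"]))
    return findings

if __name__ == "__main__":
    for path, method, name, loc in find_exposed_parameters(SAMPLE_SPEC):
        print(f"{method} {path}: sensitive parameter '{name}' exposed in {loc}")
```

The same function can be pointed at a real spec loaded from disk; the standard Authorization header is not matched by the pattern, so only custom headers carrying credentials are reported.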

Finally, where requests are coming from must be understood. APIs need to be designed based on the systems and devices they integrate with, as those are a growing source of attacks that put sensitive information at risk.

Arming a “Security First” Culture

To create a “security first” culture, proactive companies adopt self-learning systems as part of their API security toolkit that leverage the power of artificial intelligence (AI) to gather information about behaviors. These solutions reveal patterns and trigger appropriate actions, for example shutting down vulnerable systems before clients are put at risk.

Because a team is only as successful as the tools at its disposal, every API security toolkit should include the following:

  • AI-powered API security, which self-learns and self-creates rules to recognize and proactively respond to attacks.
  • Clear issue alerts to inform the right people as things go awry.
  • Dashboards, which enable teams to see patterns that contribute to a security-first mindset.
  • Data governance, to ensure data is being securely exchanged and being exposed only in ways that align with security policies.
  • API gateways, which are vital to API orchestration and integration.
  • Firewalls, to protect against threats like SQL injection attacks.

Security must be incorporated into a 360-degree view of the API life cycle from the outset and run through planning, designing, developing, testing, and release management. New threats emerge every day, so it’s imperative that learning be continuous.

Security must also be part of the user story and not just a box to check off in the release plan. As tooling – which should be accessible to everyone within the organization – is used to recognize user patterns, it contributes to that user story and develops a sequence of use cases from API keys to tokens to audit logs and more. This does more than give an enterprise empathy with its users; it provides valuable insight into potential system risks.

Retroactive Governance Repairs

For those organizations that did not build security into the API life cycle from the outset, it is not too late to revisit and rectify the situation. 

One common challenge for these organizations is when the CIO or other key players don’t realize an API exists until it’s already been hacked. This can be overcome with the use of proper enterprise-grade API tooling that provides a complete overview of connected APIs and the resources and information they expose. Tooling can also enable continuous API discovery, so while developers are given DevOps autonomy, others are still aware of every open-source or subscription API to which they connect.

It is also critical for these APIs to be monitored, which is where self-learning security systems play an important role. These powerful solutions detect current anomalies and feed this intelligence back into the system’s coverage and into the company’s new “security first” culture – saving it from public humiliation down the road. 

Getting Proactive with API Security

Enterprises caught up in data leaks tend to be reactive when it comes to API security. As such, they don’t have the right systems in place between consumer and provider. It’s a recipe for certain disaster that leaves the organization searching for the source of the denial-of-service attack and creates distrust among consumers, who will think twice about sharing their personal information.

Success requires a proactive approach, one that integrates security into governance at every stage of the agile process. This enables the continuous learning mindset around API security that is the only way to succeed. 

About APIWiz: APIwiz is a low-code, API automation platform allowing developers to build and release reliable APIs quickly. With APIwiz, API teams have complete control, visibility, and predictability over their entire API program, allowing organizations to stay open and connected.