API Security


I’ve started to subscribe to the APISecurity.io newsletter. The newsletter includes analysis of recent API-based security breaches along with other useful API related news. Some of the details of the breaches make for interesting reading and provide some good examples of what not to do. It is rather surprising how often good practices are simply not applied, including:

  • Checking the payload is valid against the API definition,
  • Checking the payload size to ensure it is within the expected bounds,
  • Using strong typing on the content received; it helps validate content and limits the chances of poisonous content such as injected SQL,
  • Ensuring the API has mitigations against the classic OWASP Top 10 – SQL Injection, poor authentication implementation and so on.
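As an added illustration of the first three points (not code from the newsletter or from any product named here), the following Python validator applies the checks in cheapest-first order: media type, size bound, well-formed JSON, a whitelist of fields from the definition, strong typing, and per-field constraints. The `ORDER_SCHEMA`, the 4096-byte limit and the sample bodies are constructed for the example.

```python
import json
import re

# Constructed example schema: field -> (python type, required, constraint).
# The constraint is a callable returning True when the value is acceptable.
ORDER_SCHEMA = {
    "order_id": (str, True, lambda v: re.fullmatch(r"[A-Z0-9]{8}", v) is not None),
    "quantity": (int, True, lambda v: 1 <= v <= 1000),
    "note": (str, False, lambda v: len(v) <= 200),
}

MAX_PAYLOAD_BYTES = 4096  # constructed bound for the example


def _type_ok(value, expected):
    # json.loads yields bool for true/false, and bool is a subclass of int in
    # Python, so reject it explicitly when an int is expected.
    if expected is int and isinstance(value, bool):
        return False
    return isinstance(value, expected)


def validate_payload(raw, content_type, schema=ORDER_SCHEMA, max_bytes=MAX_PAYLOAD_BYTES):
    """Return a list of error strings; an empty list means the payload is acceptable.

    Checks run cheapest-first so an oversized or mistyped body is rejected
    before any parsing work is spent on it.
    """
    errors = []
    # 1. Media type: only parse what the API definition says it accepts.
    if content_type.split(";")[0].strip().lower() != "application/json":
        return ["unsupported media type"]
    # 2. Size bound before parsing, so a huge body cannot exhaust the parser.
    if len(raw) > max_bytes:
        return ["payload exceeds %d bytes" % max_bytes]
    # 3. Well-formed UTF-8 JSON whose top level is an object.
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ["payload is not valid JSON"]
    if not isinstance(data, dict):
        return ["payload must be a JSON object"]
    # 4. Unknown fields are rejected: the definition is the whitelist.
    for name in data:
        if name not in schema:
            errors.append("unexpected field: %s" % name)
    # 5. Required fields present, strongly typed, and within their constraints.
    for name, (expected, required, constraint) in schema.items():
        if name not in data:
            if required:
                errors.append("missing field: %s" % name)
            continue
        value = data[name]
        if not _type_ok(value, expected):
            errors.append("field %s must be %s" % (name, expected.__name__))
        elif not constraint(value):
            errors.append("field %s is out of bounds" % name)
    return errors


if __name__ == "__main__":
    # Constructed sample bodies: one conforming, one with a quoted string where
    # an identifier is expected, a string where an int is expected, and an
    # undeclared field.
    good = b'{"order_id": "AB12CD34", "quantity": 5}'
    bad = b'{"order_id": "ab12cd3\'", "quantity": "5", "extra": true}'
    print(validate_payload(good, "application/json"))
    print(validate_payload(bad, "application/json"))
```

Because the schema is the whitelist, a field the back end does not know about is rejected rather than silently passed through, and a value that reaches the back end has already been proven to be of the declared type and shape.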

More broadly, we see that people recognise the need for penetration testing and look to external organisations to perform it, but when such work is commissioned, those commissioning the tests often do not understand what the pen tester actually does (see the SANS paper on security scoping), and therefore do not know whether all the risks have been checked. Add to that the temptation to keep costs down, which results in the service provider not necessarily probing your APIs to the fullest extent. Not all penetration test services are equal, so simply working to a budget isn’t wise; yes, there is a need for pragmatism, but only when you understand the cost/risk trade-off.

But also remember that application logic, API definitions and the security controls in place change over time, as do the discovery of new vulnerabilities in the stack you’re using and the evolving compliance requirements. All of which means that a penetration test at the initial go-live is not enough; testing should be an inherent part of an API’s lifecycle.

When it comes to payload checks and the like, products such as Oracle’s API Platform make it easy to realise, or provide out of the box, checks for factors such as size limits and payload validation, so it is better to use them.

If you ever need to be reminded of why best practices are needed and should be implemented: a mindset of when, not if, a breach will happen will ensure you’re prepared and the teams are motivated to put the good practices in place.

Integrating API Management with the rest of your Development Pipeline


Oracle API Management keeps API policy configuration and management internalised for a number of reasons, including security (after all, you don’t want your security rules for APIs out in the open). The Platform does provide simple versioning. But you need to be able to link the policies to the back end implementations, so the policy configuration is aligned to what is implemented. For example, you don’t want the policy to accept parameters that your back end can’t handle in version 1 but does in version 2 of your solution. I have blogged about some of these considerations in the past here.

We have had the good fortune to sit and discuss the challenges of how API configurations could be managed with Flexagon. As a result of our input and that of others, FlexDeploy has a number of new features making the configuration management of APIs very easy. In addition, it further simplifies gateway deployment processes. When combined with a very powerful CI/CD capability that can handle traditional development, microservices and development with integration products such as SOA Suite and OIC, a huge amount of flexibility is made available, enabling configuration management and multi-environment deployments.

Flexagon diagram

Flexagon have started a series of blogs on the subject; I recommend checking them out, here.

API Platform – Plans & Subscriptions


When it comes to Plans and Subscriptions on the Oracle API Platform we have a very flexible set of relationships. When checking those relationships to ensure a configuration is correct, and that the impact of changing a plan or subscription is clear, I end up having to draw a little diagram, which always leaves me second guessing myself about which way the linkages go. So I created a quick aide-mémoire, particularly given the unfortunate fact that Oracle’s online documentation isn’t great for diagrams.

If the diagram helps me, then perhaps it can help others, so here it is:

API-Plan - Entitlement

I’ve also attached the original PowerPoint document so it can be modified or enhanced if you want to: API-Plan – Entitlement.

Everything As Code – Article for PTK


PTK (Pass The Knowledge) is the new name for the Independent UK Oracle User Group’s journal, previously known as Oracle Scene. Yesterday saw the first release under its new name, and I’m proud to say that I have an article included called Everything as Code.

Not only that, it is great to see the journal includes the appearance of one of my Oracle Team colleagues at Capgemini, Amy Simpson-Grange (here).

The magazine features the approach trialled in the last issue of Oracle Scene, where the journal was split in two: one half focusing on Oracle Applications and Applications Technology and the other on Oracle core technologies, i.e. PaaS, IaaS, Database, Infrastructure etc. It also just happens that Amy appears in one half, and I in the other.

One thing that hasn’t changed is the high quality of articles reflecting the diversity of Oracle’s portfolio and community, covering things like Women In IT, Conversational AI, Sanjeevan Bala from Channel 4 discussing the use of Data Science, Database Security and Table Scans.

Oracle Groundbreakers Podcast – Helidon


One of the things I am fortunate enough to get involved with on occasion is the Oracle Groundbreakers Podcast (previously known as the Oracle Developer Podcast), something I have written about in the past, including as an Oracle Developer Community (ODC) Appreciation Day post.

As a result of the recent Meetups on the subject of Helidon, we made the suggestion that Helidon be the subject of a Groundbreakers Podcast; the net result was that I was invited to be part of the panel. The podcast was recorded a few weeks ago and is now available (here). Go check it out, as it includes the key contributors to the project, Dmitry Kornilov and Tomas Langer.


Unkle at Royal Festival Hall


An Unkle performance is always going to be a little unusual given that James Lavelle is very eclectic, crossing many genres, as on the groundbreaking Psyence Fiction album.

The first half of the performance was very much DJ led, with James at a desk and decks, live drums, a keyboard/guitarist and cello. This instrumentation alone really shows the diversity of the musical styling.

With no live vocals, the staging certainly didn’t have a central focus; everyone was with their instruments. Even Moby, who crosses genres, as a live artist is in front of the other musicians or moving around the stage when not using a singer. Like any rock concert the performance ebbed and flowed with the raising and lowering of the tempo, the slower pieces being the more cinematic ones like Heaven.

Unlike a conventional performance the lighting didn’t pick out any of the performers and, like a club, made more use of strobing light effects; in contrast, a lot of video was used as well, including the amazing Spike Jonze directed skateboarders for Heaven.

Part 2 …

An intermission, or perhaps a very long encore? Not what you’d expect halfway through a performance of this nature. But the change gave emphasis to the use of five different vocalists.

This changed the dynamic but also gave the second half a bit of a stuttering feel as the different singers came on stage and left.

Added to that, the delivery of performances originally by the likes of Ian Brown and Richard Ashcroft had the timbre of a female voice. But things got going and then just built to a thumping finale.

Interestingly, even with the use of live vocalists, they weren’t lit up.

All said and done, Unkle doesn’t perform live very often and it’s great hearing the music performed live. I would love to have caught James Lavelle working with the Orchestra as he did with the Heritage Orchestra.

More photos here.

Microservice & APIs Exploiting HTTP Response Codes


When it comes to the use of micro-services and APIs, it appears pretty common for only a few key response codes to be used. However, if you look at the IANA Status Code Registry of defined codes, there are a number of other very useful codes that can help convey issues clearly, without compromising security.

The IANA list references the relevant IETF RFCs, but I’ve taken this a step further and obtained the relevant deep hyperlinks to the code explanations. In addition to that, I’ve also highlighted some response codes that perhaps benefit from a closer look, or should be considered with caution.
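As an added example of conveying an issue clearly without compromising security (my own illustration, not code from the post), the Python below translates the exceptions an API handler raises into registry status codes: 400 for a body that cannot be parsed, 422 for one that parses but violates the definition, 401 with the `WWW-Authenticate` header that code requires, 429 with `Retry-After`, and a plain 500 for anything unexpected. The client only ever receives the fixed reason phrase; the exception text goes to the server log. The exception classes and the `realm="api"` value are constructed for the example.

```python
import json
import logging

log = logging.getLogger("api")


class ValidationError(ValueError):
    """Body parsed but violates the API definition (a semantic error)."""


class AuthenticationRequired(Exception):
    """No usable credentials were presented with the request."""


class RateLimited(Exception):
    """Caller has exceeded its quota; retry_after is in seconds."""

    def __init__(self, retry_after):
        super().__init__("rate limit exceeded")
        self.retry_after = retry_after


def error_response(exc):
    """Map an exception to (status, headers, body) using IANA registry codes.

    The body carries only the registry reason phrase, so SQL fragments,
    file paths and stack traces held in the exception never reach the caller.
    """
    headers = {"Content-Type": "application/json"}
    if isinstance(exc, RateLimited):
        status, phrase = 429, "Too Many Requests"
        headers["Retry-After"] = str(int(exc.retry_after))  # when the client may retry
    elif isinstance(exc, AuthenticationRequired):
        status, phrase = 401, "Unauthorized"
        headers["WWW-Authenticate"] = 'Bearer realm="api"'  # 401 must state the scheme
    elif isinstance(exc, ValidationError):
        status, phrase = 422, "Unprocessable Entity"  # well-formed but wrong content
    elif isinstance(exc, (json.JSONDecodeError, UnicodeDecodeError)):
        status, phrase = 400, "Bad Request"  # the body could not even be parsed
    else:
        status, phrase = 500, "Internal Server Error"
    if status >= 500:
        # Full detail and traceback stay server-side for the operators.
        log.error("unhandled error while serving request", exc_info=exc)
    else:
        log.info("client error %d: %s", status, exc)
    return status, headers, {"status": status, "error": phrase}


def serve(handler, *args):
    """Run a handler and translate any exception into a safe HTTP error tuple."""
    try:
        return 200, {"Content-Type": "application/json"}, handler(*args)
    except Exception as exc:  # deliberate catch-all at the API edge
        return error_response(exc)


if __name__ == "__main__":
    # Constructed handler that fails on a malformed constructed body.
    print(serve(lambda raw: json.loads(raw), b"{not json"))
    print(serve(lambda: {"ok": True}))
```

Note that the ordering of the `isinstance` checks matters: `ValidationError` and `json.JSONDecodeError` are both subclasses of `ValueError`, so each is tested explicitly rather than catching `ValueError` as a group.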


EMEA PaaS Forum 2019 in review


Image by @motivcx


Another spring means another excellent Oracle EMEA PaaS Forum for Oracle partners. Every year Juergen Kress organises the event, finding really nice venues to host several hundred people over four and a half days.

The event is split into several parts. Monday afternoon normally involves Oracle Aces presenting on best practices, insights on applying the various technologies and so on. For me this meant presenting on the London Developer Meetup, looking at how it worked, what has been successful, and what hasn’t. Those who have read my blogs on the subject (here) will know about our drone initiative.

Picture by @AmyGrangeX

Then Tuesday is a single stream day where Juergen has managed to pull in SVPs and Senior Product Managers from around the globe to provide high-level views of what has been going on with their products. For anyone consulting in the Oracle domain this is incredibly useful. For example, there is a clear strategy coalescing around AI and Machine Learning, both as a service proposition to users and in how these technologies are being made available and used within other products. Other areas such as OIC and SOA CS have stability and maturity, and the roadmap is about maximising connectivity with the newer products.

But before the sessions start, Juergen opens with some remarks and demos something engaging. In previous years this has been things like Digital Assistants/Chatbots and so on. This year we were fortunate to be an active contributor by demoing the drone through the use of APIs and talking about the ideas. The dry runs of the demo on Monday went without problem, but when it came to the main show the drone was a little uncooperative, we think because the air-con had really kicked in. But importantly, even without achieving the desired result, the message of engagement made it home.

Wednesday is split into streams with in-depth sessions from the different Product Managers. The amount of insight gained from these sessions is tremendous, some of which is very much protected by safe harbour statements or not for public disclosure, such is the honesty and openness of the discussions. The day closes with an Ace Director initiative, which Luis Weir (Capgemini Oracle CTO) is part of, demonstrating the application of Oracle Cloud products to a plausible use case. This session has become something of a tradition now.

The day’s business concludes with awards, and for a second year the UK Capgemini team have taken home two awards, for APIs and PaaS Contribution.

Luis Weir with his API award

The final two days are then a choice of a hackathon or half-day training sessions on different products with the relevant Product Managers, an excellent opportunity to pick the brains of the presenters as well as get hands-on experience with the different products.

The week isn’t without its social and networking activities of course …