On The Shoulders of Giants: Learning About API Design by Looking Backwards
Ronnie Mitra, Principal API Architect - EMEA, Layer 7 API Academy
Web APIs: New and Exciting!
http://www.flickr.com/photos/every1knows/4191971139
“Web APIs? I’ve been doing that for years.”
Image courtesy of http://www.flickr.com/photos/en321/3902138429/
Web APIs offer us a new perspective
http://www.flickr.com/photos/mugley/4407790613
What can we learn by looking back?
http://www.flickr.com/photos/dcassaa/483162086/
user-centered design makes things better
User-Centered Design: design products for the users who will use them.
User interviews
Rapid prototyping
Iterations
UCD helped drive websites into the world of web 2.0
Simpler look and feel
Intuitive controls
Familiar interfaces
UCD is all around us…and usually in our favourite products.
Can we apply a user centered design approach to web API design?
The challenge:Developers are a different breed of users.
We need to work on a developer-centered design approach for APIs
Developer Centered Design
Identify the audience
Make appropriate design decisions
Prototype and test
Iterate
removing barriers will increase adoption
We can learn a lot about registration from website design
Objective:Turn guest accounts into registered accounts
Principles of Registration:
1. Communicate the value of registering
2. Make it easy to sign up
3. Provide instant feedback
4. Make policies clear
5. Use "lazy registration"
frictionless processes are good for API management.
security is war
Perfect security is not possible
Practical security = Make attacks inconvenient and too costly to execute
Protecting Websites:
1. TLS/SSL for data privacy and server authentication
2. Username/password for user authentication
Protecting SOA Services:
1. TLS/SSL for data privacy on the wire
2. WS-* for message security
OWASP Top 10 (2010):
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Is TLS/SSL Good Enough?
You need to configure it properly (trusted CAs, certificate and hostname validation, current protocol versions and cipher suites).
You need to use a secure, up-to-date implementation.
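The two configuration failures above are the ones that actually turn "we use TLS" into no protection at all: skipping certificate and hostname validation, and accepting old protocol versions. The following is an added example, not code from the slides or from Layer 7: it builds a deliberately weak and a hardened client context with Python's standard ssl module and audits both. The finding names, the cafile parameter and the host/port used by the connect helper are assumptions for illustration.

```python
import socket
import ssl
from typing import List, Optional

# Added example (not from the original slides): a misconfigured and a hardened
# TLS client context side by side, plus an audit that flags what a reviewer
# would reject. Finding names and the connect helper's arguments are assumptions.


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' configuration. The wire is
    encrypted, but with no certificate or hostname validation any on-path
    attacker can present its own certificate and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate whatsoever
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Library defaults plus explicit floors: trust the system (or supplied)
    CA bundle, check the peer name against the certificate, refuse TLS < 1.2
    and disable TLS-level compression."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means it passes
    the checks that matter most."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("min-version-below-tls1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("tls-compression-enabled")
    return findings


def fetch_peer_subject(host: str, port: int = 443) -> dict:
    """Connect with the hardened context and return the peer certificate's
    subject. A bad certificate raises ssl.SSLCertVerificationError instead
    of silently succeeding. (Needs network access; not run by the audit.)"""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["subject"])


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit only inspects the context object, so it runs offline; the same checks are what to look for when reviewing any client that wraps TLS with `verify=False` or an equivalent "insecure" flag.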
Website design: password policies
Don’t drive users away
The Lesson:Balance control with usability
hypermedia can make life easier
Links allow us to navigate the web
Forms provide a template for input
Links and templates can make an API easier to use
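What "links and templates" look like in an API response, and what a client gains from them, as an added example that is not part of the original slides. The order representation, its relation names, paths and field rules are all constructed assumptions; the security-relevant point is that the client never builds URLs itself, so a transition the server has not offered (because of state or the caller's permissions) is simply absent, and input is validated against the server's own template before anything is sent.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not from the original slides). A constructed hypermedia
# representation of one order: 'links' name the transitions the server allows
# right now and 'forms' are templates describing the input each transition
# expects. Relation names, paths and field rules are assumptions.
ORDER = {
    "id": 42,
    "status": "open",
    "links": {
        "self": {"href": "/orders/42", "method": "GET"},
        "cancel": {"href": "/orders/42/cancel", "method": "POST"},
    },
    "forms": {
        "update-address": {
            "href": "/orders/42/address",
            "method": "PUT",
            "fields": [
                {"name": "street", "required": True},
                {"name": "postcode", "required": True, "pattern": r"^[0-9]{5}$"},
                {"name": "note", "required": False, "max_length": 140},
            ],
        }
    },
}


def follow(doc: dict, rel: str) -> Optional[Tuple[str, str]]:
    """Resolve a link by relation name. If the server has not offered the
    relation, the client gets None rather than guessing a URL."""
    link = doc.get("links", {}).get(rel)
    if link is None:
        return None
    return link["method"], link["href"]


def fill_form(doc: dict, name: str, values: Dict[str, str]) -> Tuple[str, str, dict]:
    """Validate input against the server's template and return the
    (method, href, body) to send. Unknown fields are dropped, required ones
    must be present, and pattern / max_length constraints are enforced."""
    form = doc["forms"][name]
    errors: List[str] = []
    body: Dict[str, str] = {}
    for field in form["fields"]:
        fname = field["name"]
        value = values.get(fname)
        if value is None:
            if field.get("required"):
                errors.append(f"{fname}: required")
            continue
        if "pattern" in field and not re.fullmatch(field["pattern"], value):
            errors.append(f"{fname}: does not match {field['pattern']}")
        if "max_length" in field and len(value) > field["max_length"]:
            errors.append(f"{fname}: longer than {field['max_length']}")
        body[fname] = value
    if errors:
        raise ValueError("; ".join(errors))
    return form["method"], form["href"], body


def without_rel(doc: dict, rel: str) -> dict:
    """Server-side view: the representation sent to a caller who may not
    perform `rel` is the same document with that transition removed."""
    copy = dict(doc)
    copy["links"] = {k: v for k, v in doc["links"].items() if k != rel}
    return copy
```

Because the client discovers "cancel" from the response rather than from documentation, the server can withdraw it per order or per caller without breaking clients, and because the form carries its own constraints, client-side validation and server-side validation are driven by the same template.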
documentation is a craft
APIs aren’t just for the web
What type of instructions do these APIs provide?
Think like a developer:
Information must be accessible
Provide information in small portions
Think task based
Good documentation improves usability
Examples are like illustrations.Use a LOT of them.
effective management is critical
SOA Governance
Enforce access control
Promote service usage
Provide service discovery documents
Provide service usage visibility
API Management
Enforce access control
Promote API usage
Provide API documentation
Provide API usage visibility
SOA Governance
How do we make sure that these services are used properly?
API Management
How do we get people to use our API without falling over?
Controlled versus Organic
Representing organizations is useful
Complexity sucks
Focus on the user
What can we learn from SOA Governance?
abstraction saves time and effort
In SOA, Enterprise Service Buses were useful (but complicated)
Transformation
Content-based routing
Logging
Security enforcement
Off-loading security functionality makes sense
Provide consistent interfaces with a proxy
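An added example, not code from the slides or from any Layer 7 product, of what "off-loading security functionality" to a proxy looks like in the smallest possible form: an in-process gateway that enforces API keys, per-key rate limits and usage logging, returns one consistent error envelope, and strips the credential before handing the request to a backend handler that contains only business logic. The API keys, quotas, route table and dict-shaped request/response objects are constructed assumptions.

```python
import time
from typing import Callable, Dict, List

# Added example (not from the original slides): a minimal API proxy that does
# the cross-cutting work the slides assign to API management -- access control,
# rate limiting, usage visibility and a consistent error shape -- so backends
# contain only business logic. Keys, quotas, routes and request shapes are
# constructed assumptions.

API_KEYS: Dict[str, dict] = {
    "k-mobile-app": {"client": "mobile-app", "per_minute": 2},
    "k-partner-x": {"client": "partner-x", "per_minute": 100},
}


def orders_handler(req: dict) -> dict:
    # Backend logic only: no auth, no quota code in here. The gateway has
    # already established who the caller is and put it in req["client"].
    return {"status": 200, "body": {"orders": [{"id": 42, "client": req["client"]}]}}


ROUTES: Dict[str, Callable[[dict], dict]] = {"/v1/orders": orders_handler}


class Gateway:
    def __init__(self, keys: Dict[str, dict], routes: Dict[str, Callable[[dict], dict]],
                 clock: Callable[[], float] = time.monotonic):
        self.keys, self.routes, self.clock = keys, routes, clock
        self.windows: Dict[str, List[float]] = {}  # key -> timestamps in the last minute
        self.usage_log: List[dict] = []             # what the API owner gets to see

    @staticmethod
    def _error(status: int, code: str) -> dict:
        # One error envelope for every failure, whatever backend sits behind.
        return {"status": status, "body": {"error": code}}

    def _allow(self, key: str) -> bool:
        # Sliding one-minute window per key.
        now = self.clock()
        window = [t for t in self.windows.get(key, []) if now - t < 60.0]
        if len(window) >= self.keys[key]["per_minute"]:
            self.windows[key] = window
            return False
        window.append(now)
        self.windows[key] = window
        return True

    def handle(self, request: dict) -> dict:
        headers = request.get("headers", {})
        key = headers.get("X-Api-Key")
        outcome = "ok"
        if key not in self.keys:
            outcome, response = "unauthenticated", self._error(401, "invalid_api_key")
        elif not self._allow(key):
            outcome, response = "rate_limited", self._error(429, "quota_exceeded")
        elif request["path"] not in self.routes:
            outcome, response = "not_found", self._error(404, "no_such_route")
        else:
            # Forward the caller's identity, never the credential itself.
            backend_req = {
                "path": request["path"],
                "client": self.keys[key]["client"],
                "headers": {k: v for k, v in headers.items() if k != "X-Api-Key"},
            }
            response = self.routes[request["path"]](backend_req)
        self.usage_log.append({
            "ts": self.clock(), "key": key, "path": request["path"],
            "outcome": outcome, "status": response["status"],
        })
        return response


if __name__ == "__main__":
    gw = Gateway(API_KEYS, ROUTES)
    for _ in range(3):
        print(gw.handle({"path": "/v1/orders", "headers": {"X-Api-Key": "k-mobile-app"}}))
    print(gw.usage_log)
```

The injectable clock is what makes the rate limiter testable without sleeping; in a real deployment the same structure sits in front of every backend so that access control, quotas and the usage log are enforced once, in one place, rather than re-implemented (differently) in each service.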
Summary
There is gold to be found when looking back
Don’t blindly lift and drop – adapt instead
Always make your design relevant to your developers