Earlier this month, CA Layer 7 participated in yet another great conference – this time, it was QCon New York. As a three-time QCon attendee, I have always really appreciated the level of technical knowledge displayed by attendees. At this show, it’s rare that I have to explain the basics of APIs; most attendees are already using APIs in some form or another. And even though many of them are very hands-on developers, they are savvy enough to realize when it is and isn’t appropriate to “build it yourself.”
Many of my conversations began with, “We’re exposing APIs but we don’t have a good way to manage our developer community.” Even more interesting were the ones which began, “We built our own API Management layer but it doesn’t…” There was a wide array of endings to that sentence, including “scale well,” “provide any real security” and “help our developers build applications quickly.” Security was an especially common theme as these folks are smart enough to realize they are not primarily experts at implementing OAuth-based access control or protecting APIs against structural or content-based threats. They’d rather let Layer 7 worry about the implementation and simply configure which options are relevant to their applications. And, of course, many examples of app hacks, data breaches and identity theft are in the news these days; nobody wants their company to be the next victim.
Aside from being a common theme in discussions at the show, maintaining security and privacy in an increasingly interconnected world was the theme of my talk, titled Drones, Phones & Pwns: The Promise (& Dangers) of IoT & APIs. In the first half, I discussed the recent transition of drones from military/intelligence use cases to commercial/personal use and talked about some of the cool technologies already being enabled by these and other data-gathering “things”, such as our phones. I used personal examples to show how my life and the lives of many others are made more pleasant and efficient by this connectivity and data aggregation. After delving into the broad range of use cases made possible by the Internet of Things, it was time to take a look at the other side of the coin.
The second half of my presentation was about the darker side of all the personal data flowing around the Internet and the leaking/sharing/exposure that happens with or without our awareness. I tried not to mention obscure exploits that are unlikely to ever be used; instead, I used real-world examples of glaring privacy holes in devices and apps that we use every day. Rather than simply fear mongering, I tried to make a point about the trust that people – myself included – place in the companies and entities around them. And I followed up those bits with some advice about what we can do to make our future a little less frightening.
The reaction to my presentation was pretty surprising. Even amongst a very technical audience, I still had people approaching me all day afterward, explaining that I had scared them so much they weren’t ever going to look at their phone/car/gaming console/app the same way again. For those that were already familiar with some of the examples I had given, it provided a great conversation starter about security and what sort of cultural shifts will be required to alleviate some of the more pervasive issues.
These are the types of conversations we like to have with our customers – realistic assessments of the risks and challenges encountered by enterprises opening their data and applications to customers, partners and employees, followed by specific discussion of solutions. Considering the interest our customers are showing in these discussions, we’ve decided to do an encore presentation of my conference talk for a larger audience. I’m excited to announce the Layer 7 webinar Drones, Phones & Pwns: The Promise (& Dangers) of IoT & APIs will be held on July 23 at 9am Pacific Time. Registration is now open.