Case Study: Aaramshop—Top Five Lessons Learned About Accelerating E-Commerce With Data and APIs

Post on 10-Jan-2017


CA World®’16

Case Study: Aaramshop—Top Five Lessons Learned About Accelerating E-Commerce With Data and APIs

Jin Zhang - Founder - Forty2.io
Scott Morrison - Distinguished Engineer - CA Technologies

DO3X15S

DEVOPS

2 ©2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD

Terms of this Presentation

For Informational Purposes Only

©2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Abstract

Aaramshop is an online store that promotes local and organic supplies. In the one-year journey since CA World 2015, Forty2.io, a CA Accelerator, has worked closely with Aaramshop to identify business growth opportunities. The two also collaborated to alert on web application bottlenecks and to protect web resources, including APIs. All of these are fueled by data-driven prediction and prescription, including pattern recognition, anomaly detection, and automatic shielding against API hijacking, scaling and abuse. In this session, we share lessons learned about how your business can truly benefit from data and APIs.

Scott Morrison - CA Technologies - Distinguished Engineer

Jin Zhang - Forty2.io - Founder

Agenda

1. Aaramshop and Forty2.io

2. 5 Lessons Learned

3. What We Are Exploring Next

About CA Accelerator

“Enterprise startups”

CA’s innovation engine

Visit ca.com/accelerator

Focus on Organic Product Innovation

§ Listen to customers

§ US East and West incubation

§ Fail fast – and safe

§ Fresh blood

§ Review process, just like venture capitalists

§ Forty2.io is one of the incubation projects

Digital Transformation

Creating something new—new markets, new products and new areas of growth and revenues.

= Opportunities for Companies That Embrace It

Companies who are not embracing this change are quickly becoming irrelevant and will likely no longer play a significant role in the next 5–10 years.

A Solution: forty2.io

forty2.io is an analytics-driven app which protects digital businesses with one-click resolution:

Protection of revenue, brand and data

Maximization of IT utilization: cost savings, ability to serve more to customers

Increase of productivity: ability to identify risks and thefts quicker

Aaramshop

§ Aiming to be the Uber for grocers

§ A platform connecting local grocers and consumers

§ Fresh, easy, local, relationship-based

§ Mobile app campaign following Diwali season

Our Learning and Discovery

Growth Opportunity | Customer Experience | GTM Channel

Three Initial Discoveries – Growth Opportunity

Three Initial Discoveries – Customer Experience

Three Initial Discoveries – GTM Channel

What We Are Exploring Next

§ Single pane of glass

§ More growth opportunity

§ API Protection
  – API Hijacking
  – Script Insertion
  – SQL Injection

APIs Are Based on the Architecture of the Web

So can we just re-use our web security strategies?

We need to be wary of bad web development practices migrating to APIs…

API Development != Web Development

Traditional Web Apps Constrain Interaction

[Diagram: User’s Browser → HTTP Server → App Server → Database. The tiers are labelled Rendered View, Pages, Objects and Records; Firewall 1 and Firewall 2 bound the “Constraint Space” between them.]

APIs in Contrast Offer a More Direct Conduit to Data

[Diagram: Attacker’s Browser → HTTP Server → App Server → Database, with the tiers labelled Rendered Web View, Objects and Records.]

Often:
• Self-documenting
• Closely mapped to object space, data structure, etc.

APIs can leak information

APIs Increase Attack Surface

[Diagram: the Traditional Web path (User’s Browser → HTTP Server → App Server → Database) beside the API path (Attacker’s Browser → HTTP Server → App Server → Database); a “Granularity Boundary” is marked on each.]

Insertion Attacks Are A Common Attack Vector

Source: https://xkcd.com/327/ (“Exploits of a Mom”)

Insertion attacks are really about leveraging unconstrained parameters to exploit remote processing engines (both servers and other clients).

So Are Man-In-The-Middle Attacks

[Diagram: User’s App → HTTP Server → App Server → Database.]

Breaches in:
• Integrity
• Confidentiality

The Best Practice Is To Use API Gateways For Security

[Diagram: Users and Apps → API Gateway, with a Directory attached to the gateway.]

Takes care of:
• Authentication
• Authorization
• Integrity
• Confidentiality
• Audit
• Key Management
• IAM integration
• Parameter hygiene
• Filtering
• etc…
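The insertion-attack slide and the gateway slide above make one point between them: an API parameter that reaches a processing engine unconstrained can rewrite the statement that engine runs, and because APIs map closely onto the object space they also hand back internal record fields the client was never meant to see. The following is an added example, not code from the presentation, Forty2.io or CA API Management. It uses Python's sqlite3 as a stand-in for the app server's database, a constructed "students" table (echoing the xkcd comic the slide cites) with an internal column, and three hypothetical functions: lookup_unconstrained (the vulnerable pattern), validate_name (gateway-style parameter hygiene via an allow-list), and gateway_lookup, which filters the parameter, binds it as a query parameter, and projects only the public fields so the record shape does not leak.

```python
import re
import sqlite3

# Constructed sample data standing in for an app server's records; the
# "students" table echoes the xkcd comic the slide cites. Not Aaramshop's data.
SAMPLE_ROWS = [
    (1, "Robert", "A", "internal: scholarship review pending"),
    (2, "Alice", "B", "internal: none"),
    (3, "Bobby", "C", "internal: flagged for tutoring"),
]

# Fields the API is allowed to expose. Everything else in the record
# (row ids, internal notes) stays behind the gateway.
PUBLIC_FIELDS = ("name", "grade")

# Allow-listed shape for the "name" parameter (hypothetical policy): letters,
# spaces, dots, hyphens and apostrophes (O'Brien), 1-64 characters.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER, name TEXT, grade TEXT, internal_note TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unconstrained(conn, name):
    """Vulnerable pattern: the parameter is pasted into the SQL text, so a
    value such as ' OR '1'='1 rewrites the statement and returns every row,
    internal columns included."""
    sql = "SELECT * FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def validate_name(name):
    """Parameter hygiene at the gateway: reject any value whose shape is not
    on the allow-list before it reaches the app server."""
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValueError("name parameter rejected by gateway filter")
    return name


def lookup_constrained(conn, name):
    """Hardened lookup: the value is bound as a query parameter, so the
    database never parses it as SQL, and only public columns are selected.
    The column list comes from the PUBLIC_FIELDS constant, never from input."""
    cols = ", ".join(PUBLIC_FIELDS)
    rows = conn.execute(f"SELECT {cols} FROM students WHERE name = ?", (name,))
    return [dict(zip(PUBLIC_FIELDS, row)) for row in rows.fetchall()]


def gateway_lookup(conn, raw_name):
    """The full path a request takes through the gateway: filter the
    parameter, then run the constrained lookup. Returns (status, payload)."""
    try:
        name = validate_name(raw_name)
    except ValueError as exc:
        return "rejected", str(exc)
    return "ok", lookup_constrained(conn, name)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("unconstrained:", lookup_unconstrained(db, probe))
    print("gateway:", gateway_lookup(db, probe))
    print("gateway:", gateway_lookup(db, "Alice"))
```

Run as a script, the unconstrained lookup returns all three rows with their internal notes for the probe value, while the gateway path rejects the same value at the filter and, for a well-formed name, returns only the two public fields. The two controls are deliberately independent: the allow-list stops malformed input at the boundary, and parameter binding makes the query safe even for input the allow-list lets through.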

APIM Brings About a Positive Shift in Responsibility

[Diagram: Developers → Security Pros]

Summary

CA Accelerators: Lean Startup

Aaramshop: Learning

API Protection: Mitigation tips

Solve real problem, fast

Recommended Sessions

SESSION# | TITLE | DATE/TIME

SCX71S | The answer is Forty2 - How Analytics-backed Bot Mitigation Helped Insillicum | 11/16/2016 at 03:00pm

DO3T05S | Case Study: LG&E/KU—How Mobile Apps, APIs With Microservices and CA API Management are Helping to Shape the Company’s Future | 11/16/2016 at 03:45pm

IET02T | Leveraging Machine Learning to Protect Web Apps from Cyber-attacks | 11/17/2016 at 03:00pm

Must See Demos

DEMO | PRODUCT | TRACK

API Insights | CA API Management | DevOps – API Management

Protect APIs, Integrate IoT | CA API Management | DevOps – API Management

Launch Faster | CA API Management | DevOps – API Management

Questions?

Thank you.

Stay connected at communities.ca.com

DevOps – API Management and Application Development

For more information on DevOps – API Management and Application Development, please visit: http://cainc.to/DL8ozQ