The OpenAPI Specifications Conference for 2021 was held on September 28 and 29. The conference, sponsored by the OpenAPI Initiative, featured speakers from companies and organizations who offered insight into the problems inherent in creating APIs, publishing them in a manner that makes them findable by developers, describing the rules that govern the API, and the history and current direction of API specification.
The opening keynote by Mandy Whaley and Yina Arenas cited the need for change in API specification. Older types of specification involving XML or even YAML present difficulties with respect to comprehensibility by the external community (for example, the fairly complex Conceptual Schema Definition Language (CSDL)).
An advantage of OpenAPI is that it is an API description language that can be applied to virtually any type of API. By having a single language that defines the inputs to calls to the API and the outputs that are to be expected, developers can search for APIs that may be of use for their applications, without needing to know the underlying structure of the API (for example, REST, XML, SOAP). The OpenAPI description of the API focuses on the details of the data requirements for using the API.
API terminology was a major topic of discussion. For example, Liam Montgomery of ADP pointed out that as ADP acquired new companies, each of those companies came with their own APIs using different terminology. Yet, in many cases the exact same type of data was being described, just using the unique keywords that had grown into use as the separate companies developed their APIs.
Arnaud Lauret of Nataxis described the difficulty faced by people whose native language is not English. When it comes to designing an API, a developer might select a keyword that is based on their native language, rather than English. For example, an API designer might use the French word “nom” as a keyword rather than its English equivalent “name.” This creates a problem when developers who want to use a selection of APIs must use two different terms for what is actually the same data field.
Thomas Perniciaro of Noname Security discussed security issues in his session “Using Data Science to Help Secure Your API Estate.” A major problem with API security is that a company that must rely on human interaction in investigating security problems is not going to find that solution scalable. Rather, to the greatest extent possible, identification of security threats and addressing them must be automated. This will not be possible 100% of the time, but security threats tend to have a signature, a pattern that can be detected as an anomaly compared with the normal operation of the system.
There were many more very interesting sessions during Day 1 of the API Specifications Conference. This is just a selection of sessions that exemplifies the breadth and scope of the conference. Videos of many of the sessions are available on the OpenAPI YouTube page.
I’ll cover highlights from Day 2 of the conference in my next post.