days
0
-79
-4
hours
-1
-5
minutes
-2
-8
seconds
-3
-7
search
Make the transformation happen

How to Build Confidence in Your APIs

Brian Downey
© Shutterstock / Iurii Motov

Your company’s approach to APIs should be central to any vision of best practices. However, the emergence of multiple protocols and tools has brought challenges to maintaining API quality and consistency. Many teams lack confidence in developing consistent, secure, and high-quality APIs.

APIs are no longer a hobby or a way for two developers within the same organization to communicate. APIs are the fundamental support system for the most critical conversion products CIOs have on their minds today. Your company’s approach to APIs should be central to any vision of best practices.

However, the emergence of multiple protocols and tools has brought challenges to maintaining API quality and consistency. Many teams lack confidence in developing consistent, secure, and high-quality APIs. Here’s how to change that.

Get an overview of your APIs

The API economy has been around for a decade and is the foundation of digital transformation and the way businesses interact with their customers. CIOs understand this, and companies understand they’re interacting with customers differently than they used to. But have behaviors changed?

Based on the data from our recent State of the API survey, it’s clear practitioners don’t have much confidence in their ability to create and maintain quality APIs. CIOs need to be aware of this. Because APIs are the foundations for many key imperatives, you need to build a solid program around them.

This is easier than it sounds. Over half of our survey respondents don’t have formal processes, or say it’s not a company priority to implement quality and design and style guides around their APIs. This shows a lack of governance at a foundational level, and it’s risky. When major companies like Equifax are attacked through their APIs, it shows they’re an exposure point, yet over half of the organizations we surveyed feel they have no processes in place to secure their APIs.

Every CIO should think about their API programs along these lines:

  • Do we have an API program overall?
  • Do we have an approach to APIs?
  • How are we driving quality and consistency into our APIs?

SEE ALSO: PostgreSQL 14 is here – what should you look out for?

Identifying the assets verses the liabilities

It’s difficult to achieve a consistent approach to API delivery. For a long time, APIs were how developers connected tools behind the curtain. Now APIs are the way you communicate upfront with your customers. APIs need to become a practice – something you get good at and something you do in a way that’s consistent, secure, and high quality across the board.

Years ago, an arborist walked around my yard and said, “Every tree I look at, I look at it as an asset or a liability.” Similarly, a CIO needs to understand what’s an asset and what’s a liability. What are all the trees on your ground? Which of them have an inherent weakness that might take your entire house down?

Start with an overview of your APIs. Many CIOs don’t have a good idea of what APIs they have out in the world. Look at your inventory and understand which APIs are being leveraged, which provide value to your customers and to your company, which ones you want the world to see versus the ones that have never had security scans run against them. To drive this holistic understanding, CIOs need to have their teams define the central source of truth for their APIs. Without this definition, teams will rely on multiple places for their design tools, their documentation tools, and their exploration tools, so they’ll never know the true state of APIs in their organization.

Many organizations have looked to their API gateway as a point of convergence where they can define this single source of truth. This makes sense when an organization has one or maybe two API gateways, but that just isn’t a reality for most organizations anymore. Companies need to consider if their exploration or design and documentation tools are a better point of convergence to establish their source of truth based on how they operate today.

With this single source of truth, organizations need to ensure they can understand and answer fundamental questions about their APIs:

  • Do you know all the different stages of your APIs?
  • Do you know how often they’re being used?
  • Do you know how often they’re failing?

Introducing consistency into your API development process

CIOs should also think about where they want to start driving consistency. With APIs, it’s not just consistency around how you do an operation or create the design, but across the lifecycle. If you aren’t consistent, randomness will create variability that may suddenly emerge as a quality issue, a performance issue, or even a security issue.

Everyone involved in the API lifecycle needs to drive that consistency. It’s particularly challenging because of the emergence of multiple protocols and multiple tools. CIOs have to be aware of different teams using different tools and ensure they’re comfortable with the differences in those processes. Then they need to be happy with the outcomes from a quality standpoint. As CIOs consider their single source of truth, they should take into account the reality of multiple protocols to ensure consistency. If every protocol they use lives in a different tool, it becomes challenging to ensure those APIs go through the same processes for monitoring, quality, and performance.

Another level of looking at APIs as assets and liabilities is to think about how they can become a competitive advantage. How can you more efficiently develop APIs and leverage their capabilities? You want to embrace concepts like contract testing and service virtualization, have well-defined contracts to allow development teams to drive more parallelization, and allow teams to work on APIs while they’re still in development. When you start doing this, you can allow APIs to do what they’re capable of: stack containing work into smaller packages, increase the agility of your teams, and reduce the chances of failure to a much smaller component in your larger processes.

SEE ALSO: “It’s never been a more exciting time to jump into the cybersecurity conversation”

Stabilizing API Development with Governance and Regulation

Governance is a loaded word, because people feel it’s going to constrain them. It can, if you have too much. You need to maintain autonomy, but also find the right points of governance. This is not unique to development – if the accounting team allowed everyone to use their own expense software, it would never work. No one would be surprised by that, because everyone understands the need for governance and structure around company policy.

Organizations need to define how APIs can be designed in a way that allows flexibility, but also provides increased consistency and reliability. This can range from simple style guides to rules about how APIs should operate. Organizations that establish a single version of truth can build these rules, and then leverage technologies like Linting (analyzing your source code) to ensure their APIs conform to these policies.

As organizations implement these policies, they must decide who owns those rules across the organization. Organizational structures such as an API architect or API centers of excellence can provide ownership over these constructs. These overlay resources can find the places which will drive consistency, but also provide flexibility for the development teams, which allows them to move fast and leverage the process.

Ask the right questions to build confidence

Understanding what you’re trying to do with APIs will determine how you want to organize around them. They’re the foundational pieces that allow organizations to deliver quality at speed. Ultimately, APIs have the power to transform your business, and it’s up to you to make that transformation happen.

Author

Brian Downey

Brian Downey is Senior Vice President, API Products at SmartBear. He has led product management and technical marketing teams for businesses in security, cloud, and infrastructure management markets, including ConnectWise, EMC, and others.


guest
0 Comments
Inline Feedbacks
View all comments