World Tour Featured Speaker: Travis Spencer

The Nordic APIs World Tour is right around the corner! To peak into what insights will be shared at our conferences, we’re interviewing some of our key presenters. Stay tuned for these rapid fish bowl Q&A style blog posts with featured API experts, and try to make it out to a Nordic APIs conference this month!

Travis Spencer World Tour Feature_API tour 15

Twobo Founder and CEO and Nordic APIs Co-Founder Travis Spencer has got your digital identity and access management under control. He’s worked extensively in the field, helping various industries throughout US and Europe embrace cloud and mobile computing.

Spencer’s broad market exposure coupled with a background in application development allows him to help organizations with low-level technical issues as well high-level questions. With a deep knowledge of established standards like SAML, WS-* and XACML coupled with emerging ones like REST, SCIM, OpenID and OAuth, Spencer has unique and cutting edge perspectives to share with us.

Spencer, speaking at all four destinations on our World Tour, was asked to answer 5 questions to share his thoughts prior to giving his talks:

1. Tell us about your background. How did you get interested in APIs?

I’ve worked on large, distributed systems my entire career. I did a lot of work with SOA and SOAP back in the day, and my current work with RESTful APIs has been a natural progression from that. In all of these experiences, the associated security challenges are what I’ve gravitated toward. This is a really hard problem, and I enjoy the challenge posed by the large scale deployments and the continual bombardment from attackers who are trying to exploit the vector that APIs open up.

2. What is the BEST API you have ever heard of or used?

I think that Google’s focus on identity and their leadership in the OAuth space has resulted in a great suite of APIs that get user identity right. Enterprise identity for APIs is quite a bit different than B2C APIs like Google’s though. Examples of companies that are on the right track are ones like LEGO, Skandia, Comviq, and EON. From a development perspective, I really like the Twilio API. You can go from soup to nuts with their API in a few hours.

3. What is the most important thing for corporations or organizations to consider when creating their own API?

If the data you’re serving is of any value, then security should be your top concern. It’s only a matter of time before attackers will attempt to exploit it. There haven’t always been good standards for securing RESTful APIs; that’s changed now, and we have great protocols to protect our APIs. Other things to think about are design, operations, documentation and non-technical things like developer adoption, business models, etc. There’s a lot that goes into an API, and it can be overwhelming. It can’t be ignored though. APIs are the thing that enables mobile, cloud and of primary importance for IoT apps. So there’s a lot to think about, but also a lot of motivation to do so.

4. What do you think is the future of APIs?

I believe that API security and business modeling are the two biggest impediments to wider-scale adoption. If APIs can’t be secured and kept safe, adoption will decline. If organizations can’t find sustainable ways of making money from APIs, their adoption will also be restricted — as in the SOA days. If these challenges can be overcome — which I think they can and will be — the next challenge will be to find them all! Discoverability will ultimately take an automated solution. In regards to APIs, it’s kinda like we’re in the Yahoo! and Altavista days of the Web when we were manually creating directories to hierarchically arrange all the Web sites in the world. That’s not gonna work long-term. So, we need a Google for APIs that can crawl around, find everything for us, and make it searchable.

5. You are one of the rockstar speakers at the API World Tour. Tell us why the readers should listen to your session.

In my talk, I’ll cram as much API security fundamentals into the time I have. This will be a great chance to learn more about OAuth, OpenID Connect, and how they can be used to secure your API platform. This is really important to think about at the beginning of the API lifecycle, so it’s critical to have this info on the outset of your API journey.