API Observability: A framework for managing your applications in an API world

Sanjay Nagaraj
|
December 7, 2021

Introducing API Observability

Today’s organizations run their businesses on mission-critical applications deployed in the cloud. The building blocks of these applications are microservices, developed by small teams so that features reach the market quickly through rapid release cycles. The connective tissue that binds these microservices together is APIs. However, modern applications have become increasingly complex, distributed, and difficult to manage as the pressure to ship new features becomes a core part of operating a modern business. The tools, methodologies, and processes that work well for monolithic applications do not meet the challenges of API-driven applications, and organizations are looking for new ways to remove the obstacles that slow down feature delivery. API observability is a new framework that enables development, operations, and security teams to work together to manage the applications that drive their business, identifying and rectifying critical issues before they impact the application and the business.

APIs power the world

The emergence of cloud-native and SaaS applications in the last decade was driven primarily by agile development practices and the use of open-source software, which avoided writing code from scratch and enabled the rapid release of new features. More critically, these practices enable a development environment in which small teams work dynamically and independently to roll out new features continuously through a CI/CD pipeline.

In this new world, APIs are the lifeblood of modern applications: they let users interact with API-driven applications and carry the critical communication between internal microservices, which can number in the thousands and must work in lockstep. Simply put, APIs are vital, and their proper functioning is critical to ensuring that entire applications operate at scale and deliver services to end users and third-party business partners.

Looking Deeper into your API Application

In a world where APIs are so critical to mission-critical applications, how do organizations ensure that their APIs are constantly evaluated for health, so that errors, performance bottlenecks within microservices, or security vulnerabilities do not slow down or impair an API and the application overall?

Looking more closely, APIs can generally be classified into two categories: External APIs and Internal APIs.

External APIs are meant for general use by the public, or anyone external to the organization, provided they are properly authenticated and authorized. External APIs have external URLs that are callable by anyone who can reach the URL, giving them access to resources within the application.

In contrast, internal APIs form the collective glue that binds hundreds if not thousands of internal microservices together. They collectively hold the business logic of the application and have direct access to the application’s backend resources.

API Observability: Taking a holistic approach to managing your APIs

In a world so reliant on software and for that matter reliant on APIs, how do we ensure that applications are healthy and remain so? How do we anticipate problems or critical issues that can impair the functioning of the application as it serves millions of users around the world? An application software change can impact hundreds of internal API calls, creating a cascade of issues that can range from the back-end access of data to the end-user who is interacting with the application. How can organizations anticipate, isolate, and resolve application issues before they become so problematic that end-users, partners, and the competition become aware of their application weaknesses?

For organizations to remain resilient and secure, they need to deploy tools that break down the problem of understanding large, distributed, and complex software, surfacing the key issues that can impair the daily use of their API-driven applications.

Organizations should ask these questions about the external and internal APIs that make up their applications:

  1. Are our APIs providing the functionality they were designed to deliver?
  2. Are our APIs providing the optimum performance to the user?
  3. Are our APIs secure?
  4. How are our users consuming our APIs?

To answer these questions, you need runtime observation of your entire application that includes the API and microservices that make up your applications.

We call that API Observability.

API Observability can be broken into four pillars that answer the questions above:

  • API Functional Test Automation
  • API Performance Management
  • API Security
  • API User Analytics

Pillar 1: API Functional Test Automation

API application software is complex, and development teams spend increasing time and resources identifying, isolating, and resolving critical software bugs before they cause issues or degrade the user experience. One of the biggest challenges with modern API applications is finding all the failure modes that can occur throughout the application. With traditional monitoring or observability tools you can obtain metrics, logs, and traces that eventually help you isolate the root cause of a failure. But this raises the question: why couldn’t the testing framework you already have in place detect those failure modes?

In large part, the issue stems from the existing test software that R&D teams rely on to identify bugs. Static code analysis and the other traditional testing tools used by QA teams cannot keep up with rapid API changes across large sets of internal microservices, nor validate those changes before they go into production. Changes that slip through this process often fail in production.

In contrast, API functional test automation models your APIs from the input and output data observed across the overall application. Such a framework can help you understand why certain microservices call each other with specific APIs and present that information in a more structured, easier-to-understand form.

These generated models validate your APIs with every software change, so that changes which break your API models or alter how the application behaves are caught early in the development cycle and your application keeps functioning the way you expect. You can also create automated contract-testing workflows and better-integrated tests that run as part of your CI/CD pipeline. Because data is captured throughout this process, you gain a historical view of how your APIs evolve over time: you can see changes to parameters and check that new software changes remain compatible with upstream and downstream microservices.
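As an added illustration of the modelling described above (example code, not code from this post or from Traceable), the following learns a per-endpoint contract from captured response bodies and reports the changes in a later build that would break consumers; the captures, endpoint name and field names are constructed for the example.

```python
# Added example (not Traceable's code): learn an API contract from captured
# request/response traffic and flag incompatible changes in a later build.
from collections import defaultdict

# Constructed captures: (endpoint, JSON response body) observed at runtime.
BASELINE = [
    ("GET /orders/{id}", {"id": 1, "total": 19.99, "currency": "USD"}),
    ("GET /orders/{id}", {"id": 2, "total": 5.0, "currency": "EUR", "coupon": "X1"}),
]
# Constructed captures from a new build: 'total' became a string and the
# always-present 'currency' field disappeared.
CANDIDATE = [
    ("GET /orders/{id}", {"id": 3, "total": "7.50"}),
]

def learn_contract(captures):
    """Per endpoint: field -> set of observed JSON types, plus the set of
    fields present in every sample (treated as required)."""
    types = defaultdict(lambda: defaultdict(set))
    counts = defaultdict(lambda: defaultdict(int))
    samples = defaultdict(int)
    for endpoint, body in captures:
        samples[endpoint] += 1
        for field, value in body.items():
            types[endpoint][field].add(type(value).__name__)
            counts[endpoint][field] += 1
    return {
        ep: {"types": dict(types[ep]),
             "required": {f for f, n in counts[ep].items() if n == samples[ep]}}
        for ep in samples
    }

def breaking_changes(baseline, candidate):
    """List human-readable incompatibilities of candidate against baseline."""
    issues = []
    for ep, old in baseline.items():
        new = candidate.get(ep)
        if new is None:
            issues.append(f"{ep}: endpoint no longer observed")
            continue
        for field in sorted(old["required"]):
            if field not in new["types"]:
                issues.append(f"{ep}: required field '{field}' removed")
        for field, old_types in old["types"].items():
            new_types = new["types"].get(field, set())
            if new_types and not new_types <= old_types:
                issues.append(f"{ep}: field '{field}' changed type "
                              f"{sorted(old_types)} -> {sorted(new_types)}")
    return issues
```

Run in CI against captures from the build under test, `breaking_changes` returns an empty list when the new build is compatible with the learned contract.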

Pillar 2: API Performance Management

Performance is usually a critical factor in delivering applications to the end user. A bottleneck within an application, such as poorly written software or an inability to scale to match user demand, directly impacts the end user’s experience. The growing complexity of API applications makes determining the root cause of performance issues much harder with traditional monitoring tools. These tools, built for monolithic applications, are not suited to modern API-driven applications. In essence, today’s developers do not know what their software failures are; they do not know their unknown unknowns and are unaware that a problem exists. Traditional monitoring tools can only monitor known unknowns: they deliver value if you already know where the problems are and can watch for them.

API Observability can redefine how you discover the root cause of issues within your applications through MELT (metrics, events, logs, and traces), which makes API-driven applications “observable” by answering questions about a system without treating it as a black box. In the past, metrics and logs were used extensively to detect and resolve performance issues, but they lack context, requiring more work to stitch events together to understand why issues occurred.

The arrival of tracing has given development teams a step change in troubleshooting and diagnosing problems across complex API-driven applications. Tracing information is contextually rich and timeline-aware, and it systematically enables the aggregation of signals in the system. Combined with event information, it helps correlate discrete actions happening at any moment in time.

Pillar 3: API Security

As with any complex software, APIs have software flaws, any one of which could be exploited by cybercriminals. The business logic that used to be contained in a single monolithic application (less exposure) is now spread across hundreds to thousands of microservices that work in tandem to deliver the application’s functionality to the user (more exposure). Distributed, independent software teams operate dynamically, driven by their own requirements, and are rarely able to step back to the 50,000-foot level to see how API vulnerabilities can emerge across multiple independent microservices. This is why API security is becoming an extremely difficult, yet critical, problem to solve.

What is required is observability at a macro level: a complete end-to-end view of how the application operates, from which security vulnerabilities unseen by the individual teams working on their own APIs can be surfaced. Instrumenting end to end, across the front-end application, within each internal microservice, and through the backend, extracts critical operating data as application “telemetry”. This data can be stored in a data lake and stitched together into an end-to-end view of the entire application. Powered by machine learning, the system can recreate the application’s business logic and look for deviations in how users interact with it. Even slight deviations are surfaced as anomalous behavior that may indicate attempts to exploit API vulnerabilities or business logic flaws.
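A minimal version of the "learn the business flow, surface deviations" idea above, as an added example (not code from this post or from Traceable): it learns which API call can follow which from baseline per-session telemetry and flags sessions whose call order was never seen, such as reaching payment without a prior login or checkout. The telemetry rows, session ids and endpoint paths are constructed for the example; a production system would add volume and timing features and an ML model on top.

```python
# Added example (not Traceable's code): learn the normal order of API calls
# per user session from baseline telemetry, then surface sessions that deviate.
from collections import defaultdict

# Constructed telemetry rows: (session_id, timestamp, endpoint), as a gateway
# or service mesh would record them.
BASELINE = [
    ("s1", 1, "POST /login"), ("s1", 2, "GET /cart"), ("s1", 3, "POST /cart/items"),
    ("s1", 4, "POST /checkout"), ("s1", 5, "POST /payment"),
    ("s2", 1, "POST /login"), ("s2", 2, "GET /cart"), ("s2", 3, "POST /checkout"),
    ("s2", 4, "POST /payment"),
]
NEW = [
    ("s3", 1, "POST /login"), ("s3", 2, "GET /cart"), ("s3", 3, "POST /checkout"),
    ("s3", 4, "POST /payment"),
    # Session s4 reaches payment without ever logging in or checking out.
    ("s4", 1, "POST /payment"), ("s4", 2, "POST /payment"),
]

START = "<start>"  # marker for the first call of a session

def sessions(rows):
    """Group endpoints by session id, ordered by timestamp."""
    by_session = defaultdict(list)
    for sid, ts, endpoint in sorted(rows, key=lambda r: (r[0], r[1])):
        by_session[sid].append(endpoint)
    return by_session

def learn_transitions(rows):
    """Set of (previous_endpoint, endpoint) pairs seen in baseline sessions."""
    seen = set()
    for calls in sessions(rows).values():
        prev = START
        for endpoint in calls:
            seen.add((prev, endpoint))
            prev = endpoint
    return seen

def deviating_sessions(rows, allowed):
    """Map session id -> first transition absent from the learned flow."""
    findings = {}
    for sid, calls in sessions(rows).items():
        prev = START
        for endpoint in calls:
            if (prev, endpoint) not in allowed:
                findings[sid] = (prev, endpoint)
                break
            prev = endpoint
    return findings
```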

This observability approach to API Security enables organizations to obtain a much more sophisticated view into their API-driven applications, enabling development teams to proactively understand and fix vulnerabilities or business logic flaws before they are exploited.

Pillar 4: User Analytics

Any successful business, small or large, requires understanding its users. Business and product decisions are fed by information that describes users’ behavior, needs, frustrations, and overall level of happiness. This information is critical to a business’s ability to survive or even thrive in highly competitive markets.

In SaaS and cloud-based applications this need is even greater, requiring detailed information on thousands of users spread across the world. API-driven applications are data-heavy: all data is processed across every touchpoint within the application to deliver services to the end user.

Well-informed decisions can be the difference between a successful product and wrong product decisions that cost businesses millions. Data is the key factor in understanding how users behave in general, or how they segment themselves around a particular feature that solves a pain point.

User analytics can be a key differentiator, enabling teams to understand the dynamics of the business, detect subtle patterns, and predict future behavior. For example, an e-commerce business relying heavily on its mobile app might consider the following questions critical for evaluating future product decisions:

  • How many daily active users have my iPhone and Android app had in the last week? Which of the two had more usage?
  • How many active users per state within the US have my iOS app had in the last 30 minutes?
  • Which products were viewed but not eventually purchased, and how many reviews did they have?

Since the mobile apps are accessed primarily through APIs, gleaning effective information from their users and providing analytics that deliver key insights can help businesses grow faster with the fewest missteps.

API Observability is a Journey

API Observability lays the groundwork for development, operations, and security to work together cohesively when developing modern API-driven applications. Organizations can use the pillars of API Observability to understand more deeply how their API-driven applications work and to rectify issues that might impact the availability, performance, and security of the entire application. Since API applications will continue to grow in complexity, an API observability framework enables tomorrow’s teams to accelerate innovation by understanding their applications more deeply, removing unforeseen obstacles, and obtaining the product insights that let organizations drive their business further and faster than before. The result is API-driven applications that are no longer developed in obscurity, but through a continuous development process in which organizations uncover critical blind spots before they hinder the application, giving teams better insight and control than they could have imagined before.
