Software: Application Architecture


Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:01
>> Continuing on with our look at software architecture, we're going to focus on application architecture now. Now we'll talk a little bit about service-oriented architecture and we'll discuss the roles of APIs, which we've already alluded to, but we'll talk a little bit more about what those do for us.

Let's start out by talking about web services. Now I do want to stress we have Chapter 8, which is Software Development Security. I'm not trying to go real deep into software now. I just want to talk a little bit about how software is being utilized primarily today, or one of the main ways we're seeing software and its development, and how we have to consider security in this realm as well.

What we're focused on here is the idea of web services. Web services, and the idea of being based on service-oriented architecture, has to do with the design of the application and having various elements that can be accessible by other applications. For instance, if we think about this, let's say that I'm going on a flight to Miami and I need to find a plane ticket. I go to Orbitz and I'm looking for plane tickets for a certain date, for a certain price, and I get a list of flights that are available to me across all the airlines. Now, Orbitz doesn't launch planes, it doesn't fly planes. I'm not buying this from Orbitz, but Orbitz provides a web service that can access web services on Delta and United and all the other airlines, allowing these applications to communicate with each other, to provide services to one another. That's because they're built on this SOA, service-oriented architecture, that provides for that communication.

We know that just about everything today, all our applications, are being accessed through the Internet, and often one application provides that one-stop shop like Orbitz does. After I find my plane, then I can find rental cars. That's because Orbitz is able to communicate with Hertz and with Budget and Dollar and all these other rental car companies, and they provide the services to Orbitz to provide the service on to me. That's just a quick idea.

I want to mention that when protocols communicate, I'm sorry, not protocols, but when services communicate, first of all, they need a protocol to use. If you've ever heard of SOAP, Simple Object Access Protocol, that's often the protocol that websites use, and there are other ones; there are protocols and formats like JSON, and some of the others. Just not getting that deep here, but I just wanted to mention that there needs to be a protocol from service to service.

Then we also need an API, an Application Programming Interface. For our interface, I'll give you a little example of what an API does. Now, I enjoy a good cup of coffee. As a matter of fact, it's interesting because I didn't drink coffee till I was 40 years old. I never had an interest in coffee. But I went on a trip to Italy and everywhere I went, coffee just smelled so good and I just picked up the habit of drinking coffee. Now when I came back to the States, I was a coffee snob. It was a hard adjustment coming back. I started going into coffee shops as opposed to just getting my Folgers at home, which I did from time to time. Now the thing about going to these coffee shops is I wind up spending six bucks for a cup of coffee. I'll tell you, because if I'm going to spend six bucks for a cup of coffee, I'm going to get it exactly the way I want it.

Now, let's say I go to Starbucks. I'm not saying that's the best cup of coffee in the land, but let's say I go to Starbucks, and I never thought I'd be the person that ordered, "I'd like a half-caf breve cappuccino grande with one pump of sugar-free vanilla, heavy cream." I don't know when I became that person, but now I'm that person. Now, honestly, it would be easier for me just to go in Starbucks, walk back into the kitchen and start making my coffee. I'd actually prefer that because I could really get it exactly the way I want it. But you know what? If you try that at Starbucks, they will decline your request. Don't forget, Clark-Wilson said, "Hey, people at Starbucks, don't let Kelly in the kitchen, she's going to break it." What happens instead? Well, instead, I go up to the barista. It's the barista's job to make sure I'm ordering the right thing in the right way and that the request I make is authorized and is in the right format before the barista sends that information back to the kitchen.

The first thing that I'm going to ask is, I'm going to say, "Hey, I'd like a large coffee," and the barista is going to say, "We don't have large, we have grande." It's big; it's large. No, you've got to ask for a grande. I make a request that isn't formatted properly. It's up to the API either to correct the request or to give me an error message and say, "You need to reformat that request." I want a grande cup of coffee and a large pizza. Can I order a pizza at Starbucks? That's another improper request. I'm requesting something that the kitchen can't prepare for me. She comes back and says, "Nothing doing, we serve coffee, that's all you can ask for." I'd like a cup of coffee with some Irish cream in it. No, the API says you're not going to do that either. The API's job is to take whatever I may request and make sure it's formatted, I'm asking for the right thing, in the right context, so that the back-end application is able to serve me the resource that I want properly. The API is my interface; if you remember Clark-Wilson: user, interface, back-end application. If we're thinking about this in relation to a database or some server that's providing me with a resource.

Let's go back to thinking of web services. If Orbitz makes an improper request or formats the request in a way that American Airlines can't understand it, then the systems are not going to be able to share information. There'll be no exchange of services. That's why standards-based APIs are so important, so that we can make sure that the application that's connecting or requesting a service from Orbitz is in that format and knows what requests to make, how to format the parameters, and to follow the proper methods. APIs are what allow web services to communicate with each other because, remember, each one is an untrusted entity. We're not going to allow unfettered, untrusted access, so that interface acts just like the barista and makes sure that both ends are happy. I send a request that the kitchen can understand. The kitchen gives me back my cup of coffee and everybody is happy, as long as the API is functional, is standards-based, and we can't forget security. The API has to be written in such a way that these requests that are forwarded to and from one service to another don't pass along sensitive information, obviously, in that case. That's what your APIs do.

In summary, we talked about service-oriented architecture, and I didn't really mention it, but cloud architecture. All we're meaning by that right now, not getting into the cloud, other than to say, most of these web services are accessed through the cloud, or we develop and design applications that our customers can access through the cloud. Those web services are often designed on an architecture that promotes sharing, and the APIs allow web service to web service to communicate in a secure fashion.