Category Archives: Products

AI-Powered Cyber-Attack Protection for APIs with WSO2 and PingIntelligence

The exponential increase in API adoption has made APIs a prime target for hackers who are hijacking tokens, cookies and keys, as well as targeting weaknesses in individual APIs. Because of the complexity of these attacks and the different access patterns and users of an API, static security controls alone cannot prevent a breach. That’s why we partnered with Ping Identity to protect APIs against cyber-attacks by combining the artificial intelligence (AI) powered API cybersecurity of PingIntelligence for APIs with the robust policy-based controls in the open source WSO2 API Manager.

WSO2 API Manager is a unique open source approach to addressing the full API lifecycle. It offers various static policy-based options for security and access control. These include:

  • OAuth 2.0 authentication and authorization for API access
  • Request and response validation against the most common request based attacks such as SQL injection, parsing attacks, and schema poisoning
  • API policy creation and enforcement based on specific parser properties and regular expressions
  • Support for many types of rate limiting capabilities including rate limits by request counts and network bandwidth usage
  • The ability to assign quotas to users, applications, IP addresses, devices, and regions among other things

PingIntelligence for APIs is the leading solution for AI-powered API cybersecurity. It helps enterprises augment their static controls and extend their security capabilities with continuous, proactive API threat monitoring and detection that automatically discovers anomalous API traffic behavior. Because bad actors are well versed in circumventing static security policies, PingIntelligence for APIs was purpose-built to recognize and respond to attacks that fly under the radar of foundational API security measures and target API vulnerabilities, without policies, rules or code. These include:

  • Credential stuffing and brute-force attacks on login systems
  • Layer 7 DDoS attacks that scrape data and disrupt API services
  • Taking over accounts using stolen cookies, tokens or API keys
  • Rogue insiders exfiltrating data in small amounts over extended periods of time

WSO2 has developed an open source extension to communicate with the PingIntelligence API Security Enforcer (ASE), which can be deployed in the WSO2 API Gateway. This means that WSO2 API Manager users can apply AI-based security analysis for their APIs along with static policy-based security controls. Meanwhile, PingIntelligence users can utilize AI-based analytics when they externally expose their services as APIs.

To learn more about how the extension works and what attacks it can detect, read WSO2 Associate Director and Architect Sanjeewa Malalgoda’s article or register for our webinar. Download the extension for WSO2 API Manager here.

Enterprise Integrator 6.5.0 Focuses on Integration Developer Productivity

We are pleased to announce the release of WSO2 Enterprise Integrator 6.5.0. Our latest release includes unified integration and a data integration runtime (Integrator) as well as a micro integration runtime (Micro Integrator) and a comprehensive tooling distribution (Integration Studio) to support both runtimes.

This release aims at addressing developer productivity and cloud native integration requirements more comprehensively than ever. This has been one of the most anticipated WSO2 Enterprise Integrator releases, as it brings new product components and features specifically targeted at improving integration developers’ productivity as well as helping developers easily build and deploy container-native integration solutions. Following are the major highlights.

WSO2 Integration Studio

The integration team invested significant time and effort with the objective of improving the user experience and developer productivity of WSO2 Enterprise Integrator tooling. Some implementation targets for the new tooling included adding runtime validation of code, improving the look and feel of the tool palette and development canvas, improving the utilization of screen space, providing selection options for every possible configuration option, reducing the clicks and configuration steps, and adding Docker and WSO2 Integration Cloud support. In addition to the Integration Studio, we have improved the integration and micro integrator runtime with feature additions as well.

Some major capability enhancements are listed below:

  • New design for a superior graphical developer experience
  • Built-in micro runtime to support improved testing and debugging of integration artifacts
  • Capability to build Docker images from the development tool itself using runtime artifacts
  • Seamless experience to deploy integration artifacts into WSO2 Integration Cloud
  • Built-in project templates for faster initiation of new integration projects and artifacts
  • Artifact validation and error detection during the development stage of integration projects

WSO2 Micro Integrator

WSO2 Micro Integrator runtime is a lightweight product based on the same technology as that of WSO2 Integrator. Hence, artifacts developed for WSO2 Integrator (ESB) are fully compatible with WSO2 Micro Integrator. The reduced size and rapid startup time make this the ideal solution for enterprises that are planning to move into microservices and container deployable solutions. WSO2 Micro Integrator has been streamlined for developing composite microservices by orchestrating several services within a microservice implementation.

Key capabilities of WSO2 Micro Integrator runtime include:

  • Reduced startup time (< 5s)
  • Seamless deployment of integration artifacts from WSO2 Integration Studio
  • Reduced distribution size (< 150 MB)
  • Ability to generate micro integrator Docker images from WSO2 Integration Studio with integration artifacts
  • REST API to monitor and manage micro integrator runtime
  • CLI tool to inspect artifacts of micro integrator
  • Built-in monitoring capabilities with Prometheus, ELK, and WSO2 Integration Analytics

WSO2 Integrator Runtime

WSO2 Integrator runtime is the most common deployment environment used by a majority of WSO2 Integration platform customers. In this new release, we are introducing the following key capabilities to enhance integration development.

  • A new mediator named Property Group that enhances the usability by providing the ability to configure multiple properties inside a single mediator
  • Native JSON support for Iterate, Aggregate, and Enrich mediators
  • Message Processor improvements to handle poison messages
  • Enhanced REST support for Data Service JSON payloads
  • OData Support for MongoDB
  • Support to monitor statistics with Prometheus
  • Security fixes and bug fixes implemented since the previous release

Other Runtimes Packaged with WSO2 Enterprise Integrator

Bug fixes and security fixes that were done since the previous WSO2 Enterprise Integrator release are incorporated into WSO2 Business Process and WSO2 Message Broker runtimes.

Furthermore, in this release, we are announcing the deprecation of the WSO2 Microservices for Java (MSF4J) runtime packaged within WSO2 Enterprise Integrator. The compelling reason for this is that we see more value added to users from the WSO2 MSF4J GitHub project and its artifacts, since many microservice developers will use it as a dependency rather than a server runtime. Hence, we believe MSF4J is more useful for developers in its GitHub-based release cycle, so it won’t be packaged with WSO2 Enterprise Integrator in future releases.

To learn more about the latest release, features, and what it means for your experience, join our webinar on June 6, 2019.

We have also organized a webinar series with comprehensive discussions on WSO2 Integration Studio and how it can be used for integration efforts in your enterprise.

WSO2 Identity Server 5.8.0 is Here!

WSO2 Identity Server 5.8.0 is the latest success story of our Identity and Access Management team. After a marathon effort, we are glad to release v5.8.0 with new features, major improvements, and bug fixes.

New Features

OpenID Connect Back Channel Logout

So far WSO2 Identity Server has supported OIDC Session Management as the OIDC logout mechanism. From v5.8.0 onwards, it provides support for OIDC Backchannel logout as well. OpenID Connect Backchannel logout is a mechanism by which Relying Party (RP) applications are logged out with logout requests communicated directly between RPs and OpenID Providers (OP) bypassing the User Agent. The main advantage of this method is the ability to skip obtaining the support of user agents, hence this logout mechanism is less fragile.
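
The RP side of this exchange, as an added example (not WSO2 code): the checks an RP applies to the logout token it receives on its back-channel endpoint, following the validation steps of the OpenID Connect Back-Channel Logout specification. The issuer, client ID, shared secret and HS256 signing are assumptions chosen so the sketch runs offline; deployments commonly verify an asymmetric signature against the OP's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Constructed demo values (assumptions, not WSO2 Identity Server defaults).
ISSUER = "https://op.example.com/oauth2/token"
CLIENT_ID = "demo-rp-client"
SECRET = b"constructed-demo-secret"
MAX_AGE = 300  # seconds after iat during which a logout token is accepted

class LogoutTokenError(Exception):
    """Raised when a logout token must be rejected."""

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, secret=SECRET):
    """OP side of the demo: build a constructed HS256 logout token."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(head + '.' + body, secret))}"

def validate_logout_token(token, seen_jti, now=None):
    """RP side: return the claims of a valid logout token, else raise."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        signature = _b64d(sig)
    except ValueError as exc:
        raise LogoutTokenError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise LogoutTokenError("malformed token")
    # Pin the algorithm; never let the token choose it (this rejects alg=none).
    if header.get("alg") != "HS256":
        raise LogoutTokenError("unexpected alg")
    if not hmac.compare_digest(signature, _sign(head + "." + body, SECRET)):
        raise LogoutTokenError("bad signature")
    aud, iat = claims.get("aud"), claims.get("iat")
    jti, events = claims.get("jti"), claims.get("events")
    # The events member marks a logout token; a nonce marks an ID token,
    # which must never be accepted at the logout endpoint.
    checks = [
        (claims.get("iss") == ISSUER, "wrong issuer"),
        (CLIENT_ID in (aud if isinstance(aud, list) else [aud]), "wrong audience"),
        (isinstance(iat, (int, float)) and now - MAX_AGE <= iat <= now + 60,
         "stale or missing iat"),
        (isinstance(events, dict) and LOGOUT_EVENT in events, "missing logout event"),
        ("nonce" not in claims, "nonce present"),
        (bool(claims.get("sub") or claims.get("sid")), "no sub or sid"),
        (isinstance(jti, str) and jti not in seen_jti, "missing or replayed jti"),
    ]
    for ok, reason in checks:
        if not ok:
            raise LogoutTokenError(reason)
    seen_jti.add(jti)
    return claims

def end_sessions(claims, sessions):
    """Drop the session named by sid, or every session of sub when no sid is sent."""
    sid, sub = claims.get("sid"), claims.get("sub")
    ended = sorted(key for key, s in sessions.items()
                   if (s["sid"] == sid if sid else s["sub"] == sub))
    for key in ended:
        del sessions[key]
    return ended

def demo():
    """Run constructed tokens through the RP; return per-token outcome and live sessions."""
    now = 1_700_000_000  # fixed clock so the constructed tokens stay in the window
    base = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now,
            "events": {LOGOUT_EVENT: {}}}
    sessions = {"cookie-1": {"sub": "alice", "sid": "sid-A"},
                "cookie-2": {"sub": "alice", "sid": "sid-B"},
                "cookie-3": {"sub": "bob", "sid": "sid-C"}}
    tokens = {
        "valid": make_token({**base, "jti": "j1", "sid": "sid-A"}),
        "replayed": make_token({**base, "jti": "j1", "sid": "sid-A"}),
        "id_token_shape": make_token({**base, "jti": "j2", "sid": "sid-B", "nonce": "n-1"}),
        "forged": make_token({**base, "jti": "j3", "sid": "sid-B"}, secret=b"not-the-secret"),
        "other_rp": make_token({**base, "jti": "j4", "sid": "sid-B", "aud": "another-client"}),
        "by_sub": make_token({**base, "jti": "j5", "sub": "alice"}),
    }
    seen, results = set(), {}
    for name, token in tokens.items():
        try:
            claims = validate_logout_token(token, seen, now)
            results[name] = end_sessions(claims, sessions)
        except LogoutTokenError as err:
            results[name] = str(err)
    return results, sorted(sessions)
```

Because no browser is involved, the RP has no cookie to identify the session; the `sid` and `sub` claims are the only link to local session state, which is why the session store is keyed on them here.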

SAML Front Channel Logout

WSO2 Identity Server 5.8.0 onwards provides support for SAML Front Channel Logout. In SAML Front Channel Logout, session participants can use an asynchronous binding such as:

  • HTTP Redirect Binding
  • HTTP POST Binding
  • Artifact Binding

Use this logout mechanism when the involvement of the browser agent is necessary.

Improvements

Product Observability

Product observability enables rapid debugging of product issues. By using this improvement, it is easy to narrow down issues in a production system by tracking the time of the major flows of the system. This helps to identify issues in production systems such as slow performance. There can be several reasons for the drop in performance. Examples include database bottlenecks, LDAP bottlenecks, or multiple JDBC queries. The observability feature helps you to identify the exact bottleneck that is slowing down performance.

SCIM2 Improvements for Filtering and Pagination

One of the main targets of this release is to stabilize SCIM filtering and pagination. We have mainly addressed some existing inconsistencies and spec compliance issues.

Configuring X509 Authentication with SSL Termination

This is supported by passing the client certificate in the request header from the proxy over SSL tunneling.

Other improvements include:

  • Support for issuing access tokens per token request
  • Support for configuring a JWKS endpoint for OAuth or OIDC based service provider
  • Support for configuring SAML metadata validity period for the resident identity provider
  • Inclusion of OAuth transaction logs for token generation and introspection
  • Supports reCAPTCHA for password recovery and username recovery

Performance Improvements

Compared to previous versions, the performance of the major flows of Identity Server has been improved. The following diagram shows the average response times taken for some major flows in v5.8.0 compared to v5.7.0.

Seamless Migration from WSO2 Identity Server 5.7.0

With a few configuration changes, a user can seamlessly migrate from v5.7.0 to v5.8.0. To enable the new features introduced in v5.8.0, schema changes are necessary. However, the system will not break without those schema changes, so existing customers can simply point v5.8.0 to the existing database that they used with v5.7.0 and consume the existing features. A few default configuration changes made in v5.8.0 may cause some behavioral changes, and these configurations can be referred to here.

You can learn more about WSO2 Identity Server 5.8.0 from this screencast.

Why We Make Our Product Roadmaps Public

“Can you please share your roadmap?”

“What are your plans to engineer feature xxx?”

“Great product, but does your vision match ours?”

We get these questions all the time, from customers, partners, and analysts.

As the leading open source API integration company, it seemed antithetical to be open and transparent about our code, financials, and priorities, but not about our actual product roadmaps.

So we’ve now opened-up our product and solution visions and roadmaps for each of our integration-related products, all part of our Integration Agile platform:

Why would we do this?

There are a number of reasons we chose to take this bold step – a step that most high-tech companies shun as competitively risky, and thus guard their plans with absurd paranoia.

  • Public roadmaps are consistent with our open source community
    We trust our community to work with us, and they can only do so if they know our plans. That way they are always involved in the technology and will be able to best deliver meaningful new features, contributions, and roadmap suggestions.

  • Public roadmaps signal our transparency
    Transparency is key to building trust between partners. A public roadmap helps committers, partners and customers to know we’re pulling no punches with our direction. It’s also consistent with our no-lock-in approach… and that means there’s no lock-in to our roadmap either. With a transparent set of roadmaps, our technology partners know what to expect… and have a proactive vehicle to comment on the direction.

  • Public roadmaps are good for our customers’ trust
    When our customers buy-in to our integration platform, they’re putting technology direction on the line. They want to know if we’ll be evolving in the direction they want. For them, it’s all about mitigating long-term technology risk. This way, we’re “opening the kimono” and boldly stating direction.

  • Public roadmaps show our pride, confidence, and vision
    WSO2’s technology has been evolving for over 13 years. Over 350 engineers currently work on technologies like API management, identity management, ESBs, enterprise integration, and related integration architectures. This is one way of showing-off our vision and capabilities.

  • Public roadmaps are good for business
    In sales situations, customers often ask pointed questions about specific (missing) features. And the usual answer “Yup, we’re working on supporting it” is always received with skepticism. Our public roadmaps put our money where our mouth is… either it’s on the roadmap, or it’s not. Or, we work with our partners to change the roadmap… for everyone else to see.

Next, what’s on our Roadmap roadmap?

This is the first of many more steps we’ll be taking toward increased openness and transparency. But the other critical component is your feedback. So if you have thoughts about our roadmap, positive or negative, there are many avenues you can use to share your feedback, including our Contact Us button.

Everything I know about Integration I learned at the Ballet

or, New ways to bring together the world of arts and technology…

Why would the inventors of an integration programming language partner with a Ballet company?

We asked ourselves that when WSO2 launched Ballerina, a new programming language for writing code to integrate software.

The notion of integrating software isn’t new… it’s been around for 10-15 years. And the current market for software integration — the set of technologies used to connect different software components together — is billions of dollars. That’s huge because there is simply so much software and data in the world. It resides not only in the companies that build it, but also in the “cloud” and in the billions of devices that people carry and use.

But when we thought about creating a programming language for integrating software, we didn’t realize how it would lead us to the San Francisco Ballet.

Enter Stage Left: Two entirely different — yet similar — partners

I don’t consider the SF Ballet one of those stodgy steeped-in-tradition companies. Just the fact that it’s in San Francisco means it has access to diverse-thinking, art-loving, Silicon Valley open-to-anything audiences…as well as access to global dance talent. To further appeal to this audience, they offer an annual Sensorium program that synthesizes dance, art, and music. They asked, “What could be possible when we integrate all of these art forms into one evening of celebration?”

Meanwhile, leadership at WSO2 asked something similar. What could be possible if we took a radical, new and open approach to connecting and integrating all software technologies? What would be possible if we developed an internal corporate culture of openness and transparency, of appreciation of our personal diversity?

When WSO2 began developing Ballerina roughly three years ago, we chose the name because of its technical elegance. But we hardly knew how prescient that name would be. So in 2018 when we officially launched the language, we thought that involving a ballet company might be a cool creative move, consistent with the “Ballerina” name. But what we discovered with the SF Ballet was much more. We realized that we had many themes and goals in common.

Common themes in the arts *and* in technology

When the SF Ballet told us about Sensorium and their mission to blend arts and technology, we knew we had a great future together. And so, WSO2 became the SF Ballet’s first technology sponsor.

Together, we found that three common overarching themes arose that both patrons of the arts and technologists could appreciate: the concepts of integration, elegance, and openness.

Integration: Literally and metaphorically, this is the key to all creativity. In the arts, SF Ballet knew that dance, music, culture, and even technology could come together to create new experiences and new ways to engage the public. Integration at the Sensorium was a way to co-locate art, music, and dance exhibitions — and allow guests to interact with all of them. In the arts, integration often means a “synthesis” of diverse media and approaches to its use. And so, in technology, integration is a necessary approach to innovation, building on diverse software components that are often created by others. The beauty with technological integration is that the original developer may never know how the software component might be used by others to create something new, exciting or valuable.

Elegance: This is a word that’s often used with the assumption that it relates to the arts, to fashion or to dance. In those contexts, elegance is the use of resources like the body, fabric or media (or a combination) to create something of beauty — something that makes perfect or unique use of those assets. Often we just know elegance when we see it. As a recovering engineer, I also know there is absolutely an elegance to technology, science, and mathematics as well. Think about a suspension bridge, making perfect use of minimal materials — steel or concrete as support and cables to suspend — not a touch more heft or bulk than needed. Similarly, in mathematics, there are often short, concise formulas that so perfectly describe the physical world. And the same goes for coding where elegant programming makes efficient use (and re-use) of software components.

Openness: This last theme is deceptively simple but powerful. It’s about the importance of openness to new experiences, cultures, media, and perspectives. In technology, openness (i.e. open-source software) is also a well-known concept that means allowing others to build and create on top of your work, to view your code, your instructions, your architecture. In personal relationships — as well as business and politics — openness implies trust and even a disruption of power (think: free press). So, openness is a necessary platform for true creativity as well as for effective innovation.

Will Ballerina learn more from SF Ballet?

At WSO2 and with Ballerina, as well as with the SF Ballet, we’re looking to continue thinking about more and different ways to “do integration” — whether it’s a revolutionary mashup of arts and culture, or new code-first approaches to integrate software, data and cloud computing. And that’s the beginning of a beautiful relationship: common goals, common interests, common values.

After all, a more integrated world—in arts and technology — is a more interesting, innovative, and creative place to be.

Meeting the March 2019 PSD2 Compliance Deadline with WSO2 Open Banking

We’re reaching the final stretch of the PSD2 timeline. However, before targeting the final deadline, the Regulatory Technical Standards (RTS) also specifies an earlier deadline set on March 14, 2019. This will open doors to open banking by letting interested third parties explore the open banking ecosystem and start developing applications around it. As defined by the RTS, implementers should open up a sandbox environment ready to onboard third parties where testing can be done without exposing any sensitive information — a safe playground to kickstart open banking.

Regulatory Requirements

We’ll explore the essential building blocks that you’ll need to meet the March deadline. With WSO2 Open Banking it’s possible to meet these regulatory requirements out of the box and gain regulatory compliance in just over a month.

Open APIs

The main interface for consuming payment services is through APIs. Third parties bearing the roles of “payment initiation service providers”, “account information service providers” or both, will consume two types of exposed resources — accounts read-only API or payments read-write API.

Apart from exposing Open APIs, WSO2 Open Banking comes with fully-fledged API management capabilities that were positioned as a leader in The Forrester Wave™: API Management Solutions, Q4 2018 report. This allows easy lifecycle management with pre-defined templates to support UK, Berlin Group and STET API specifications.

Strong Customer Authentication

The aforementioned APIs are protected with PSD2 Strong Customer Authentication (SCA) which is based on two or more authentication methods categorized under knowledge-based and possession-based factors. A solid SCA implementation will ensure that only authorized parties are consuming the APIs with explicit user consent. WSO2 Open Banking provides an out of the box SCA solution that is aligned with the PSD2 regulatory requirements. Also provided are identity and access management capabilities that allow seamless integration with legacy user stores.

Consent Management

The mediator between the Open APIs and SCA is consent management, which governs the access of user information by third-party providers. Access to this sensitive information is only retrievable with the user’s explicit consent. WSO2’s PSD2 compatible consent management module handles the heavy lifting while providing portals for customer care and self-consent revocation, therefore, allowing banks and users to manage their consent.

The task of consent management is to capture a user’s consent with fine grain details of transactions that ensures the user is informed of and has authorized the transactions. Consent can be of different types. For example, consent can either be given per transaction or for a recurring payment (where the consent is long-lived). The implementer’s consent management system should be able to handle a multitude of consent types while giving users and banks the ability to revoke and manage consent.

Transaction Risk Analysis

SCA provides a great layer of trust for open banking but handicaps user experience. This view was shared by many when the first drafts of the RTS were presented. The answer to this was Transaction Risk Analysis (TRA) — a context-aware rule-based system that makes sure SCA is exempted in low-risk scenarios, thus improving customer experience.

The solution ties TRA with a strong analytics and stream processing engine allowing accurate risk analysis and fraud detection. Proper implementation of this component is crucial to be PSD2 compliant and will promote better user experience with SCA.

Third Party Provider Onboarding (TPP)

The prior mentioned components build the fundamental open banking solution, but this won’t be any good if third parties are not able to onboard and consume its functionality. The system needs to be able to onboard third parties manually or through dynamic client registration, where third parties are on-boarded instantly with the backing of a competent authority.

WSO2 Open Banking provides customizable workflows for third-party onboarding and lifecycle management. External trust anchor integration allows dynamic client registration.

Regulatory Reporting

Each competent authority specifies certain statistical information to be reported regularly. WSO2 provides reporting tools to export required regulatory statistics.

Conclusion

By getting all these components together, banks will be prepped and ready for the external testing deadline in March. Additionally, this preparation provides strong guidance for meeting the September deadlines of the RTS. WSO2 Open Banking is equipped to help you meet both these deadlines within reasonable time frames and minimal effort from the bank.

For more information on how we can help you get ready for the March 2019 deadline, drop us a note at openbankingdemo@wso2.com. You can also download an effort estimate to understand how we can help you meet the deadline in just over a month and check out our webinar for more information.

Ask an Expert: Catching up with Ruwan Abeykoon

Ruwan, on the right, participating in a badminton competition in WSO2

If you bump into Ruwan outside WSO2, you’re most likely to meet him along a hiking trail or underwater, scuba diving somewhere off Sri Lanka’s southern coast. He’s also a vehicle enthusiast and loves technology. Inside WSO2, Ruwan currently looks into product stabilization efforts for WSO2 Identity Server that result in improving the overall architecture of the product.

In this interview Ruwan sheds light on his journey at WSO2 so far, identity and access management (IAM), and his view of software.

1. How did you enter this industry (was it by accident, why IAM)? Tell us about your journey at WSO2 so far?

I started off as an entrepreneur after grad school, working in the telecom and retail sectors. My expertise lies in telecom signalling and it’s been one of my interests for the longest time, in addition to high performance computing and IoT. Subsequently, I joined WSO2 where I was a part of the App Manager team, which is now the WSO2 Identity Server team. Every change in my career was based on calculated decisions at critical junctures and I’m very pleased at how everything has turned out.

2. What are some of the interesting projects you’ve worked on recently?

Adaptive authentication is one of the latest features we added to WSO2 Identity Server. What’s different about how we offer adaptive authentication is that it’s based on a scripting language similar to ECMA. This also involves user behavior analytics based authentication.

WSO2 Identity Server analytics is able to monitor login and logout sessions, and provide analysis based on a user’s behavior which helps with providing an additional security layer when authenticating them. This is what adaptive authentication is ultimately about.

Adaptive authentication is very important right now and not because of user convenience alone. Major financial institutions use adaptive authentication to provide advanced user experiences while providing Open-Banking APIs.

3. Do you see adaptive authentication as a game changer and how so?

People always want easy access to applications and systems. Making this process difficult means users will either move away from the business or they will have weak security methods. For example, enforcing people to use long and complex passwords can lead to them writing their passwords on a piece of paper somewhere, which isn’t a smart thing to do.

On the other hand, security experts want to limit access to resources and systems as well. Hence there is a need to find the right balance, and a need to detect risk and limit access while allowing free access for legitimate cases or users. This involves evaluation of many more parameters and behaviors than the simple static rules that are offered by most IAM solutions. In the future, we’ll also need to embrace AI in the authentication process.

4. What trends do you see in the IAM market? Where do you think we’re heading?

I’m going to provide a very brief overview of some trends that I’ve observed. For one, there’s an increasing dilemma between whether or not we should opt for a centralized IAM system. But given privacy concerns, it’s quite evident the IAM industry is heading towards a decentralized identity and access management system. Another trend is sovereign identity, where an individual decides what can be done with an identity. Although there’s a growing need for increased privacy, people must be able to share and delegate easily. Another is space-time-bound edge device security with identity of a person.

5. We now keep hearing that IAM is an enabler and it’s more than just security or an IT project. What’s stopping enterprises from embracing this? Why do you think they should?

It is easy to start an IAM system with a homegrown solution of simple databases. There are a plethora of libraries available to kick start a homegrown IAM system. But it gets into an inescapable vortex when more and more functionalities are needed in today’s agile businesses. Enterprises need to detect this at an early stage and adopt a proper IAM solution before the vortex grows into an unmanageable beast by itself.

6. Two things you’ve learned in your career that you’d like to share with a newbie?

First, think of software as a medium of communication between both systems and people. This could be system to system, system to person, and person to person. Second, learn to unlearn. No software practice has lasted for more than a decade. New languages and methods keep propping up and your openness to learn is what helps you progress.

Ruwan on one of his many scuba diving adventures!

A Year in Identity

We’re looking at the possibilities of 2019, and after spending one year as the product marketing manager for WSO2 Identity Server, here are some observations I’ve made as to why enterprises would need identity and access management (IAM).

Identity is more than SSO, it’s a key enabler for Integration Agility

Throughout 2018, at every identity conference we took part in, we kept hearing how identity should be treated as something more than merely a security project. We have to go back to our enterprises and say why identity is the glue that holds it all together. Single sign-on (SSO), authentication or securing APIs may come off as a simple task or singular project, but it all eventually becomes a part of a much larger project, like integration. Customer identity and access management (CIAM) is a great example of integration. You use identity, API management, and integration components along with analytics to give users a fantastic user experience. So whatever your enterprise strategy may be, identity plays a key role in being future-proof and it’s more than just logging into applications.

Your customer comes first

CIAM, which may appear as a trend, should be the ultimate goal for any enterprise. Most customers that we deal with use WSO2 Identity Server for CIAM through SSO, identity federation, etc. CIAM helps to give your users a unified experience. An example is West Corporation, who does an excellent job of giving their customers a connected experience.

We’re moving from multi factor authentication to adaptive authentication for the very same reason, to help you make your user’s life secure and better.

There’s an API for that

Everything today is API driven. All businesses are inclined to expose their APIs and the rate of exploding endpoints is surely alarming. Yet, what would be the point if these are not secure?

Open source IAM is “still” an emerging concept and this should change

Although open source might not be the most known option for IAM, it should be. A lot of people assume that open source means free, but it’s the “freedom” to try the product, to scan and test the code as you please and NOT being “locked-in” to a vendor. It’s also easy to innovate fast with open source and it’s versatile because of the variety of authenticators and connectors. One of my team-mates illustrated this quite brilliantly on Quora.

Therefore, if one were to choose an IAM solution for their enterprise, I strongly urge them to give open source a try.

Privacy

It takes a situation like Cambridge Analytica for enterprises to take IAM seriously. With the rise of the General Data Protection Regulation (GDPR) and the upcoming California Consumer Privacy Act (CCPA), user consent and privacy are taking precedence over everything, and we fully support this. IAM is wired to provide compliance so that users are secure and businesses can make use of this opportunity to demonstrate that they are “user-centric” and prioritize privacy over everything. This way you maximize user retention too.

Some final thoughts

2018 has been a fantastic learning curve, also because I get to work with the best in the industry (both in Marketing and Engineering/IAM). One such person is Prabath Siriwardena, who is a walking encyclopedia of all things identity (check out his blog, you’ll learn something you didn’t know).

Here’s to a data breach free 2019!

. . .

You can read more blog posts from me here. I also tweet, so get in touch with me @fishfaceishi.

WSO2 Named a Leader in The Forrester Wave™: API Management Solutions, Q4 2018 Report

Today, The Forrester Wave™: API Management Solutions, Q4 2018 was released and WSO2 is named a leader!

You can download the report (without filling in a form) here.

This recognition is a major achievement. Congratulations to the many internal teams, partners and customers that participated in the efforts to make WSO2 the only open source vendor evaluated in the report.

Nuwan Dias, WSO2’s product lead for APIM gave a tour-de-force 2-hour non-stop demo demonstrating raw software athleticism. Also, I’d like to tip my hat to Randy Heffner and the Forrester team for structuring a thorough (and frankly, exhausting) analysis that assuredly left no stone unturned from any vendor.

The API management market is growing because IT professionals see APIs as a critical foundation for agile software to support customer engagement, operational excellence, digital transformation, and business agility.

Forrester states why APIs are essential: “The API management solutions market is growing because more AD&D pros see APIs as a critical foundation for agile software to support customer engagement, operational excellence, digital transformation, and business agility.”

API management has become an essential part of every integration strategy and it’s why WSO2’s APIM solution is fundamental to how we help organizations become integration agile.

What Forrester Says About WSO2

  1. “WSO2’s open source solution provides a solid base for a variety of API strategies.”
  2. “[WSO2 is] the only fully open source solution in our Forrester Wave analysis.”
  3. “WSO2 provides good breadth across all evaluation criteria.”
  4. “[WSO2’s] strengths include formal life-cycle management and non-REST APIs, both of which facilitate mature and disciplined enterprise API strategies.”
  5. “WSO2’s solution provides flexibility to address a variety of approaches to APIs.”
  6. “The reference customers provided by WSO2 are highly satisfied with its solution and very satisfied with the vendor.”
  7. “[Customers] tend to be very to extremely satisfied with the product’s detailed features and functions.”
  8. “Customer comments include “[WSO2’s] partnership attitude inspires confidence and trust.”
  9. And “[WSO2’s] solution is easy to use.”

What Is Special About WSO2

In addition to the demo and a (many 100s) questionnaire, we delivered a summary presentation to Forrester’s team discussing our market penetration, product composition, and long-term thinking.

WSO2 API Manager: The only comprehensive open source solution has been shipping for 6 years

API Management provides full lifecycle management of APIs for a variety of scenarios, whether B2B access, internal development, shared libraries, or monetization. WSO2 has been shipping our offering for 6 years and it has expanded to include a macro and micro gateway, embedded analytics and API identity, and API development tooling. WSO2 was the only vendor whose entire stack was both open source and available in on-premises or cloud offerings.

Embedded identity and integration make legacy asset transformation into APIs possible without buying other products.

WSO2 provides a complete set of capabilities that allow customers to pursue any kind of API strategy. We front-end our offering with our ESB, identity server, and embedded analytics offerings to provide means to digitally transform legacy infrastructure into APIs.

More than 100 billion transactions run through WSO2 each day.

We are fortunate to have customers that participate in our conferences, give case studies and act as references. More than 30% of our API customers are financial services institutions. Starting small, our API management business is growing more than 75% each year and makes up 1/3 of our business.

What Are WSO2’s Big Bets

Forrester evaluates 26 criteria around the vendor’s current offering, strategy, and market presence.

WSO2’s long-term strategy and roadmap are largely influenced by what we are seeing across the projects that we are working on. Our observations are shaped by exploding-endpoint issues and by how integration has been preventing many organizations from realizing their agility goals.

  • Expect an increasing proliferation of digital endpoints, APIs, and applications that consume APIs. There is an integration economy that will grow exponentially with endpoints in the trillions, driven by edge computing, IoT, SaaS-SaaS integration, AI, machine learning, cloud computing and serverless.
  • APIs and digital endpoints will have an increasing diversity of origin. Different groups and personas will be creating APIs whether they are developers, knowledge workers or self-actualizing systems. There will be different locations where APIs reside, internal, external, on the edge, or in the cloud. And the structure of APIs will diversify taking construction from streams, events, async, and new protocols.
  • Expect the rise of dynamic APIs: short-lived, with frequent changes to facilitate agility. Microservices drive needs for fast-boot, low-footprint, containerized services, with some architectures requiring a microgateway per API. This creates change management and deployment problems for DevOps.
  • A need for adaptive management of APIs due to their proliferation and dynamism. Integral monitoring and management needed across diverse API origins. This amplifies demand for dynamic and federated identity, token swapping and SSO integration along with decentralized observability and monitoring with tools that keep pace with API rate-of-change.

These dynamic conditions lead us to invest in features that enable micro API management in environments that have thousands of constantly changing and distributed APIs.

WSO2 API Manager roadmap focuses on diversity and micro-ization of distributed APIs

Rethinking API Development and Lifecycle With Ballerina

Starting three years ago, WSO2 began working on Ballerina. It’s a new programming language that is designed to be the best language for writing services that need to talk over the network. Ballerina’s launch earlier this year has received a number of accolades, has grown in adoption, and now has multiple enterprises using it to build service-based architectures.

A service, or an API, is a first class concept within the language. Ballerina is a compiled, strongly and statically typed, concurrent language. The language provides modern benefits of structural programming without requiring significant scaffolding to resiliently (load balance, fail over, transaction, payload management, and error conditions) build and talk to APIs.

Ballerina dramatically improves developer productivity by making API iterations fast and agile. Ballerina has a built-in API gateway and is designed to plug any services built by Ballerina into an API management solution, or drag along a micro gateway. Essentially, the Ballerina language and compiler are distributed systems aware, and prepare the artifacts made by developers to be API management ready.

Get Started with WSO2’s API Management Offering

WSO2 is now the world’s 6th largest open source software company. Our significant size and staff (600 employees!) allow us to run a 24/7 operation with a global reach. We have sold and delivered into 63 different countries with offices in the United Kingdom, Brazil, Mexico, United States, Sri Lanka, Australia, and Germany.

And as usual, if you have any questions about open source, our API management offerings, or WSO2 (we are hiring, a lot!), you can reach me at tyler@wso2.com.