00:00
Good afternoon, everyone. I think we have a small crowd, the faithful. Everybody here uses APIs or wants to? Excellent. Great. So my name is... I'm the CTO for security and networking at Pure. I have three key charters, so I run the DevOps programme at Pure Storage.
00:21
I run the API governance and security programme at Pure Storage, and recently I run the generative AI governance at Pure Storage as well. So you'll see some good examples here on how we can actually use ChatGPT to build code against our API. Many of you may have worked with Barkz. He's been, like, a 10-year, 12-year
00:48
veteran at Pure. Unfortunately, he had a family emergency, so he had to leave. So he's the real expert on the API. So if you have down-and-dirty questions about the API, you know, please share those and we'll get Barkz to respond. So we want to encourage customers to use our APIs and get the benefits
01:10
of automation and scale using these APIs. That's the key message from us. And to do that, we talk to a lot of storage personas, everybody from the administrators all the way to people that run Kubernetes, to get an understanding of, you know, what do these personas want? And what does API first mean for these personas?
01:36
So this is a distillation of what that API-first strategy means. So when we are talking to an organisation, or us as an organisation building APIs, it means having a formal API life cycle that is designed using the right principles. We have governance throughout the life cycle of the API.
01:58
When an API is going to get sunset or something is going to change, there are proper methods to tell the user community how that happens. So all that is a formal programme, and that's what we are trying to adopt. When we talk to CIOs, they want to make sure that it has availability, scalability, flexibility. So we distil some of these key takeaways from
02:17
when we talk to some of our user personas. But the developer hears the term API first, and they think that, oh, build APIs first and the apps later. Many times it's the other way around. You're building user experiences and those things first, and the APIs come second, and that creates a lot of friction.
02:37
And then SREs have a different meaning for it. And we picked that persona because they are orthogonal to the actual usage of those APIs. But when something goes wrong, that's the person you have to ask what went wrong, and they look for statistics around the usage of these APIs. So the idea here was to kind of expose that
02:58
API first means different things to different people. But us as an organisation, when we are building a governance programme, we want to cover all of these. We'll talk about governance in a second. But just to touch upon it, we have programmes in place to do proper design,
03:14
for example, for triple-A, authentication, authorization and audit, across all APIs. Today, as you might know, Pure supports Portworx, the cloud-native BU, which is Kubernetes-centric; then we have DX, which is cloud-centric; and then we have FlashArray and FlashBlade, which are appliance-centric. And we want to have a unified experience across all those. Otherwise, you'll get frustrated, saying, I just learned something over here,
03:40
and when I go over there, they're entirely different. And that's why we try to unify. Now there are a number of challenges. Companies like us fall prey to this: we go build something, and then they say, OK, now we go build an API on top of it, and that creates what I call an impedance mismatch.
03:59
The appliance wants to work in a certain way. Cloud operating models have a different way to operate, and now we have a problem. A company like ours has, like I mentioned, four different business units, and each business unit has a number of products. So we are constantly doing releases in a cloud operating model, and this then leads to problems where you have some silos put together.
04:25
They're all working hard and fast and not talking to somebody else. So you want to make sure that doesn't happen. This is a big problem. So many times documentation gets out of sync with what's out there, and now you have unsatisfied customers because they've built to a certain
04:40
documentation that is not real. Telemetry is important for us as well as our customers, because if we don't have those measurements, we don't know what to improve or what's getting used. Lots of languages and wrappers. Everybody has a favourite one, and I'll show you some examples at the end,
04:59
where we are using generative AI to build these wrappers on top. And, of course, four different product lines and potentially four different ways to do authentication and authorization, that are on premise with a different set of identity providers, and when we go to the cloud, a different set of providers. So it's a challenge for us to merge all of that
05:19
and give you a consistent experience. So to do this, I chair the governance committee for APIs at Pure. It consists of the lead architects from each of our business units, so Portworx, or the cloud-native BU, our cloud business unit, and the two appliances.
05:37
So they have all contributed the lead architects to work on this, and we're defining standards on what's a good design, what principles to follow, how do we deploy it consistently. So when we release something, there are guidelines on what a release means. Security is very important for us. So I run our security programme at Pure as well, and we want to make sure that our APIs, when we build
06:02
them, are immune to the OWASP Top 10 type of vulnerabilities and weaknesses. So we do exhaustive threat modelling across all major designs. All code is scanned using code scanners like Snyk or ShiftLeft, the slew of code scanners that check for vulnerabilities in the code that has been written. We then do pen testing.
06:23
So everything that we release has a pen test, and you can get a formal report of a third-party pen test on what they've done when we operate APIs in our cloud. So some of you are thinking of using Fusion or the APIs for our cloud-native BU, Portworx. Then all of those are hitting our cloud, and that is front-ended by a full range of security controls, everything from data protection to bot protection,
06:48
firewalls in the cloud, web application firewalls and API security gateways. So we take that very seriously and try to protect all that. So we deploy and operate with security, and then our cloud footprints all go through SOC compliance and other compliance. And then we run our own security operations centre on top of it.
07:10
So a lot of effort there to make it secure. And then during the lifetime, it's hard enough to build it consistently; it's even harder to support it through its life cycle as we introduce more and more variations. So we want to make sure of all that. This is part of the governance programme at Pure. Just to touch upon security, we follow Gartner's model on API security maturity,
07:35
and it has these dimensions to it. So all of our APIs are monitored. So in the cloud, we have specialised tool sets that monitor the API usage at run time as traffic is going by. We're monitoring all the parameters being used in the cloud. We then use threat protection.
07:55
So we are detecting anomalies, bad parameters. All of those are happening in real time, with strong AAA, authentication and authorization. And then we want to have a strong security culture. So this is where our programme comes in, where all engineers go through training. They understand what OWASP Top 10 weaknesses mean, and we ingrain that into the development
08:19
cycle. So security is not orthogonal; it is part of the development life cycle at Pure. There are various maturity levels. So we think we are somewhere around here: we are managing it, and then we want to make it more optimised and just be a natural part of how we develop APIs.
08:43
And on top of it, there is a large number of frameworks to manage. So the problem keeps on amplifying: many languages, many frameworks. And we do publish tools and wrappers in many of these environments, and there are lots of resources that you can look at, and we'll make this available, so you'll be able to, if you haven't already seen this.
09:03
This is all available, you know, some external. Did you want... Sorry, please. And there are some really good articles now. Many of you are building solutions internally for your own consumers. And there are lots of guidelines on how to implement APIs
09:29
and API-based solutions for consumption by your customers. So now we come to the fun part. So Barkz, our API expert, is sort of a one-man army, and he would get bogged down with all these requests. So once ChatGPT came along, we then said, let's experiment with this and see how good this is. So right out of the box, without any contextual training,
09:59
it's 90% there, and I'll show you examples of good and bad. So we gave it that previous prompt and, you know, it built some code. Parts of it, our expert said, this looks really good and passed the first smoke test, and then we gave it some more examples and it made some mistakes. And we have pointed this out on purpose, because: be very careful generating using generative
10:26
AI, because it will make minor mistakes. And at this level of complexity, this is just a tiny snippet of code. These things can grow fast and hard, so we have to have some care on what it is producing. Many times it will just fail working in the environment,
10:43
and you can then ask it to debug what the failure is, and it will come back with the right answer. We gave the same test to Google Bard, and Google Bard is a little bit more up to date, because Google does continuous scanning, so it learns more. And you'll notice that we did a little bit of prompt engineering at the top. So we said, assume the persona of a Pure
11:05
Storage product expert. So it makes these generative AI models behave better if you give it some personas. And this one actually was 100% correct, right out of the box. Simple example again, but nonetheless. And it will auto-generate the documentation too.
11:25
So if you then have people that are using it on your side, you have documentation. I asked it to then write unit, functional, stress and exception tests, and it did all of those. So this works, you know.
11:43
So first you gotta read our documentation and figure out what the operating model is. Then you gotta write some code, debug it, and then say, OK, it's working for the singular case that it just did. Now you need to write this battery of tests to make sure it works in every case, you know, there's a network failure or there's some other problem.
12:02
So you gotta write all those test cases, and then you gotta document all of that. So that's a lot of work. And we believe this, you know: what could be like 10 days of work is down to, like, one day of work. It's a little bit of expertise on your side and some assistance from generative AI, and you get there really fast.
12:20
And then, again, we're using this on purpose; we're showing you, be careful, but things like Bard are getting much better. So this is using a REST endpoint. So same thing, but, you know, just using a different language, using Go. So, you know, whatever your poison
12:42
is, you have all that availability. So our message to you is, use more APIs. And today, those are the barriers, right? You gotta read our docs, understand them, understand what the API is, understand your use case.
13:03
Now, your use case itself has requirements, right? You are a little mini development shop yourself. So to generate requirements, also use ChatGPT and say, I want to achieve such and such, give me the functional requirements of what I need to do, and it'll generate those for you.
13:18
And then you say, given this functional requirement, give me code using the Pure Storage, you know, using the persona, the little prompt that we defined earlier, to achieve that. Add in security concerns: you say, you know, make sure that this does not have any OWASP Top 10 issues; review this code for security weaknesses. Let ChatGPT or your favourite generative AI do all that for you,
13:41
right? Test cases: generate, you know, write the documentation that we just talked about. So use this to accelerate API usage. And just for fun, I have my little Google Bard session here. And so this was
14:02
my... so first I had to generate all the code, you know, the same example we just talked to earlier. But then, you know, it gave me all the documentation for it. And I said, you know, generate all the test cases, and, you know, it went ahead. Now all this has to fit into the automation
14:19
framework that you're using, but you can feed it all that. It's also great for learning so far. And I kind of go between Bard and ChatGPT. And it's really good, you know, for us to just learn what's out there, and it gave me a really good high-level classification of saying, these
14:42
are all the capabilities that the Pure SDK has, right? And this is a great starting point, because there's a lot of stuff here, right? And it's very difficult to just even learn all this. So please use generative AI capabilities to figure all this out.
14:59
There's lots of examples on, you know, how to do this. So I'll pause here. Hopefully, this was an interesting new way to kind of look at some of these problems. Any questions, issues, concerns about Pure APIs, and
15:25
any interesting use cases that you are thinking about on how to use our API for automation? There's more coming. We are busy building Fusion; people have heard of it, right? So that's our entire cloud operating model, which is 100% API, and that will give you a lot more power and flexibility.
15:49
But then again, you have to adhere to some of these principles. You've got the FlashArray PowerShell module. I see the FlashBlade one is to execute or make buckets. What else do you do with Pure1?
16:12
Oh, so that's our cloud side. So Pure1 is our cloud-side integration, and then you get all the telemetry and, you know, all the visibility from Pure1. And that's this module here. Yeah. So we have MSPs, managed service
16:34
providers, that are managing many customers, and they're using this to automate their understanding of what the state for various customers is, whether somebody needs service, somebody needs to be upgraded, somebody needs new hardware, so that they get all those insights. So as an individual user, it's great. You go to Pure1.
16:53
You get a dashboard and you can play around with it. But when you're managing many of them, then you want this kind of automation. Your window is 90 days? Yeah, and we sometimes... OK, you go back far enough to understand. Great. So we've now started recording. Store it back out to your own database or something if you don't know the history, and
17:25
using the APIs to get that pulled here. OK, there you go. Yeah, right. Great. So hopefully next time we meet, we'll have you guys present your GPT use cases. That will be much more fun. OK, so I'll give the rest of the hour back to you guys, and hopefully this was interesting.
17:47
And we really wanted to expose a new way of achieving acceleration, you know, pun intended, on APIs. Thank you, everyone.