In preparation for the API World 2016 Conference, here at DevNetwork, we have Jeffrey Leggett, Director, Cloud Services, API & Integration at Qualys, talking about their API.
What services do you currently enable developers to build on via your APIs?
We released our first APIs shortly after the launch of our first product, Qualys Vulnerability Management, in the early 2000s. We’ve intensified our API efforts in the last four or five years.
Today, we enable almost all of the major functions of the Qualys Cloud Platform with APIs: Web Application Scanning, Web Application Firewall, Vulnerability Management, Policy Compliance, Continuous Monitoring, Malware Detection and the platform’s underlying asset management and tagging functionality all have complete API sets.
For example, customers can use the Vulnerability Management Scan API Version 2 to obtain a list of vulnerability scans in their account and to take actions such as cancel, pause, resume, and fetch (download) finished results. Some benefits of the new version of this API include:
- The ability to make a single API request to view all scans in the scan history list, including running, completed, paused and resumed scans.
- More input parameters to filter out scans from the scan list output, so customers don’t have to retrieve and view their entire scan history list.
- The ability to make a request to launch a scan asynchronously, so that the API call will quit after the request without having to wait for the complete scan results.
What are some of the most interesting/innovative applications that developers have built on top of your API?
We have customers and partners who have built complete orchestration of toolsets with our APIs. I would highlight two recent integrations as examples of interesting and innovative uses of our API:
- Qualys VM and Qualys WAS Apps for Splunk Enterprise
These apps access VM and WAS data via our API and streamline its export to Splunk Enterprise. Within Splunk Enterprise, the apps provide dashboards containing summary charts about affected web applications and IT asset vulnerabilities, respectively, as well as search tools.
- Qualys App for ServiceNow Configuration Management
This app automatically synchronizes information about any asset that Qualys discovers into the ServiceNow Configuration Management Database (CMDB) system. Likewise, when an asset is added to the ServiceNow CMDB, the app adds it to the Qualys asset inventory. The app gives joint customers real-time asset visibility and inventory so they can flag security and compliance risks across their IT environment.
Here are a few videos in which customers explain how they’ve leveraged our APIs for a variety of purposes:
- Sony talks about the benefits of implementing the Qualys VM API
- Ogilvy & Mather describes various Qualys API integrations
- Splunk and Qualys speak about the Qualys VM app for Splunk Enterprise
How do APIs factor into your company’s long-term growth strategy? Do you see your company becoming an “open platform” of integrations?
APIs are very important and strategic to our long-term growth strategy, so we want to add a lot of functionality to the API.
For example, we expect to have very soon — in the fourth quarter of this year — a full set of management APIs for automatically deploying and orchestrating our Cloud Agents, which we launched in April of last year. Customers have embraced the Cloud Agents, with over 1 million deployed in their environments, and we want to make this process even simpler and easier for them via APIs.
Longer term, our goal is to let customers and partners fully automate all aspects of Qualys, so that any function you can access within the Qualys Cloud Platform, you should be able to reproduce with the API.
As a SaaS vendor, we have minimal onsite pieces, so API integrations make our platform more “sticky” with customers, so that they stay with us year after year. Right now, about 20 percent of our customers use our API, and we want to continue growing that number.
APIs also play an important role in our relationship with our partners, especially those who manage security on behalf of their customers. With our APIs, they can consolidate functionality from our UIs within their own UIs, and that way they can manage Qualys from their own consoles for their clients. We want to support them in that way.
Is the growth of open API standards important to your industry?
Absolutely, APIs are strategically critical for every infosec vendor out there. We must be able to integrate solutions for customers so that they’re able to get an overarching view into their environment across all of their toolsets, as well as leverage other types of third-party software that helps them with security data management, business intelligence, operations workflows and the like. So we support efforts towards API industry standards.
I think it might be relevant to mention in this context our release last year of free assessment APIs and of a free open source tool for our SSL Labs service for doing bulk and automated website testing. With those APIs and tool, security pros who manage multiple websites can consolidate testing, detect changes and receive certificate-expiration notifications.
Specifically, the Server Assessment APIs give full access to the SSL Labs server inspection functionality, allowing programmatic invocation for any number of hosts. The availability of the APIs allows system operators to integrate SSL Labs assessment with their security policies and perform frequent automated checks.
In this effort, we’re not just aiming at our enterprise customers and partners, but also at a larger industry constituency, such as domain name registrars, certification authorities and large infrastructure providers.
What are some ideas for apps or integrations that developers or startups could build on your API?
There are myriad ways in which companies could add value to our platform via workflow orchestrations.
A favorite of mine is I think there’s an opportunity to build an iPad Pro app so executives could take a quick look into all of their Qualys data and metrics from those tablets.
What has your team learned about building scalable, accessible APIs? What advice can you give to other teams building their own API?
Scalable is the key word when you’re building APIs for the enterprise market. You must test under load or your customers surely will. You also must make your API architecture flexible and reliable.
If your APIs are convoluted to use, poorly documented, clunky and erratic, external developers will quickly lose confidence in them and abandon their efforts to leverage them. If the API integration is critical for their use of your technology, this could be a major step towards a decision to drop your product altogether.
These developers don’t want to build apps and services on top of your API architecture that will disappoint their internal users and/or external customers. If this happens, they’ll quickly start looking for better options from your competitors.
When drafting your API strategy, you must not only take into account your company’s goals, but also put yourself in the shoes of the third-party developers who will be using your platform, and let this guide your technology decisions.
At a basic level, this means providing good, clear documentation; sample code; analytics reports; management tools; open, standard and secure technology; and API updates that are minimally disruptive to existing apps and integrations.