Finite State automates product security for connected devices and embedded systems, enabling developers and security teams to ship products with confidence across the software supply chain. Finite State's main Postgres database, their knowledge base, was wrapped with an internal GraphQL API which was federated into a front-end GraphQL endpoint. This made development of their customer-facing UI easy and flexible. However, they discovered that their customers actually preferred a RESTful API, which their competitors had and Finite State did not!

That’s where we come in: Finite State sought the assistance of augustwenty. They had committed to a client in October of 2021 that they would deliver an API by December 15th! It would encompass the following three endpoints and would have to be completed with the utmost efficiency to meet their deadline.

  1. Upload new firmware for analysis

  2. Return a list of firmware issues

  3. Generate reports. This would also include security management via authentication tokens.

collaborate where you are

We started by targeting the organization’s strengths and strove to maintain familiarity with what their developers were already used to. In this case, it meant working within their existing API patterns and established infrastructure, including:

  1. Reproducible, templated Terraform files that ran in a well-configured AWS CodeBuild pipeline. Their applications and services were containerized and deployed in environment-specific Kubernetes clusters, and their metrics and logs were being gathered in CloudWatch.

  2. A solid CI/CD foundation had been created. Each repository had environment-specific branches, and each branch had hooks configured to build and deploy in AWS. Local development made use of composable Docker stack deployments, and patterns were already well established for running new database instances and connecting to existing ones.

  3. Finite State's main Postgres database, their knowledge base, was wrapped with an internal GraphQL API which was federated into a front-end GraphQL endpoint. This made development of their customer-facing UI easy and flexible.

digging deeper to discover the solution

Much of our approach is to get a thorough understanding of the project and how it will yield value to the client.  We always begin by asking lots of questions and listening carefully—treating their business like it is our own.  Through this process with Finite State, we discovered that each of the existing endpoints had a challenge to overcome:

  1. The upload endpoint would take firmware images that could end up being larger than 5GB, which is the maximum chunk size for a multipart upload to S3. This meant that we would need to handle chunked uploads ourselves.

  2. The issues endpoint would need to aggregate data from a relatively opaque internal model and convert it into something paginated that could be consumed by customers. The GraphQL resolvers responsible for returning the necessary data were federated and unfortunately undocumented. This would require a substantial amount of trial and error.

  3. The reports endpoint would utilize the existing report generation code, but the process to generate a report could take several minutes to complete, which would result in timeouts in the request chain.  This meant that we needed to either support asynchronous report generation (and a more complicated API), or configure custom timeouts from the application all the way up to the load balancer.

pressed for time - now let’s get busy!

With a tight deadline of just under 2 months, the first thing that we did was work with the team's product owner to determine an MVP.  We used versioned endpoints in order to give ourselves some flexibility around change adoption, and we wrote cards that progressively enhanced each capability.  We started with the "simple" version of each endpoint and worked from there.

Derek, the manager, assigned some of the surrounding responsibilities to his team. One developer would work on a UI page for auth token management, another would start looking into multipart uploads, and another would wrap Django's built-in auth support with a custom class to authenticate against their internal API.

On our side, this meant that we would need to be in constant communication not only with the team's product management, but also the operations team, people familiar with the data and the existing backend, the UI team, internal security, and the developers that were working alongside us.

innovative solution

With a lot of work, by December 15th, we had deployed an API that provided all three endpoints secured with auth tokens and a single page of documentation.  The first tokens were manually given out, and the endpoints were still in need of a lot of features, but Finite State was able to retain their customers.

Over the next two months, we would turn the API into a complete product.  Our understanding of the data model grew, and so did our collaboration with the rest of the teams.  We added Swagger documentation, dynamic auth tokens, and solved the hard problems for each endpoint.  Bryan, our product owner, was promoted to lead the product organization for the whole company.

With our remaining time, we delivered as many "nice to haves" as we could: new endpoints, new report types (like SPDX), bookmarking, filtering, flags, and new paths of hierarchical data discovery. When we wrapped up, they had everything they had asked for and more.

smooth transition for the future

Everyone at Finite State was a pleasure to work with, and we were incredibly fortunate to have everything set up to hit the ground running.  In our final weeks, we worked with their developers to ensure that they had everything they needed to keep the ball rolling, and we signed off feeling confident that we had delivered the right thing, the right way, at the right time.

“My experience working with augustwenty was very positive and I highly recommend them as technical partners. I manage a cross-functional development team and we had augustwenty help us to design and deliver a public-facing API for our platform. We met our delivery date with a quality API, but even more impressive was the handoff at the end of the process. Our in-house team was well supported with documentation and training and felt equipped to continue the great work already in flight. Augustwenty was a great team to collaborate with; I have no hesitation to recommend them and would partner with them again if needed.”

— Derek Hall, Engineering Manager, Finite State
