September 2020
Moody’s Analytics API Webinar
API Webinar 2
Agenda
1. API Driven Development
2. Case Study: Know Your Supplier
3. Case Study: Coronavirus Pulse
4. High-Level Architecture and Security
5. Single Sign On with Identity Provider’s APIs
6. Q&A
1 API Driven Development
Amazon’s API Manifesto, 2002
Jeff Bezos
API Evangelist
1) All teams will henceforth expose their data and functionality through service interfaces.
2) Teams must communicate with each other through these interfaces.
3) There will be no other form of inter-process communication allowed: no direct linking, no direct reads of another team’s data store, no shared-memory model, no back-doors whatsoever. The only communication allowed is via service interface calls over the network.
4) It doesn’t matter what technology they use.
5) All service interfaces, without exception, must be designed from the ground up to be externalizable. That is to say, the team must plan and design to be able to expose the interface to developers in the outside world. No exceptions.
6) Anyone who doesn’t do this will be fired.
Jeff Bezos, Founder of Amazon, Author of the first API Mandate
Build internal APIs to be Externalizable
Treat internal APIs the same as you would external.
Internal APIs need documentation and security too.
API Comes First, then the Implementation
What is API-driven development?
API-driven development is the practice of designing and building APIs first, then creating the rest of an application around them.
• Focus only on your business logic and define it as API contracts
• Faster app development: build once, use multiple times
• Make EVERYTHING accessible via APIs
• Flexible, agile, test-driven development
• Microservices architecture: decoupled services built with completely different tools and technology
What steps did we take?
Step 1: Plan
Determined the purpose of our app and made mental sketches of which existing APIs would be reused or customized.
Step 2: Design and Validate
A few hours into planning, tested to see if the API design is feasible; made sample requests with Postman against existing API endpoints and determined any additional areas for development.
Step 3: Test
Focused on automated testing and tested for user experience and consistency.
Note: APIs are the best testing interface, as they are an automated way to access all functionality.
Step 4: Implement and Monitor
Monitored performance and determined whether the API required re-design to support the underlying infrastructure or whether to scale up hosting.
2 Case Study 1: Know Your Supplier
Help healthcare decision-makers more rapidly identify and qualify new suppliers
“Hospitals are struggling to supply and protect their front-line staff during this crisis, and with so many new vendors in the market, sourcing PPE (Personal Protective Equipment) and other equipment has become a critical challenge.”
Rob Fauber, COO of Moody’s Corporation
Tool to help hospitals evaluate medical suppliers
1. Leverage the vast amount of Moody’s risk intelligence and customer screening data
The solution uses both Bureau Van Dijk (BVD) and Regulatory Data Corporation (RDC) data along with open FDA.
2. Built in 2 weeks by leveraging APIs
Simple serverless deployment in the cloud. Front-end app calling APIs in the back-end.
3. Launched to 100k members of the American Health Association
Rapid promotion and launch of the new site.
Rapid product assembly – a live example
[Architecture diagram of the Know Your Supplier portal. Labels: KYS (delivers application); Caching and Web Firewall; Login and identity; Web Analytics; API Gateway (API documentation, throttling); Source code management; Automated deployment as code is updated. Data sources: FDA (Medical registration API); Regulatory Data Corp (Adverse Person API, Adverse Company API); Bureau Van Dijk (Company Search API, Company Information API).]
• “Know Your Supplier Portal” built in mere weeks using “shared” tools, skills and APIs
• A rapid product assembly approach drives agility and scale
3 Case Study 2: Coronavirus Pulse
Analyze thousands of news articles related to Covid-19
Find trends and keywords
Leverage AI Tech
Built on top of Machine Learning algorithms that automatically extract data from unstructured documents
Sentiment Analysis
Examine the extracted data and pull out key trends and sentiment from the articles. Are they positive, neutral or negative?
News Feeds
Real-time news feed from hundreds of different media outlets and social media sources
Utilize existing AI/ML models to analyze Coronavirus news
Trend analysis provided early warning indicators for companies impacted by Coronavirus, e.g. the airline and retail industries
Completely Serverless Technology
• “Coronavirus Pulse” built in mere weeks using “shared” tools, skills and APIs
• Completely Serverless technology was stood up quickly and scaled
[Diagram labels: User; React App; Caching and Web Application Firewall; API Gateway Service; NoSQL Database; Search; MLFabric]
Machine Learning Platform
[Diagram labels: News Feed; Document Ingestion; REST API; Load Balancer; Kubernetes Cluster; Model A; Model B; Source Code Management]
4 High-Level Architecture & Security
High-Level Cloud Architecture
Authentication using the Identity Provider with backend microservices behind an API Gateway
Single Page App (SPA): Easy to deploy, quick and easy to use as there is no need to wait to reload the page; less bandwidth and improved performance
Identity Provider: Ready-made, out-of-the-box authentication service; supports management of users and groups through the admin UI and via API
Cloud Hosting Services: Applied policy restrictions and firewall and routing rules to limit inbound traffic to whitelisted CDN domains/IP ranges
API Gateway: Authentication validation can be handled as a one-stop shop for all backend microservices, e.g. JWT ID token validation
Our Security Tech Stack
Edge: Content Delivery Network (CDN) service and Web Application Firewall (WAF) Screening
Hosting Services: Routing and Security Restrictions
Identity Provider: Authentication
API Gateway: Rate Limiting and identity token JWT verification
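Added example (not from the webinar or from Moody’s code): the checks an API gateway applies to an identity token before any backend microservice is called, as the architecture and security-stack slides describe. The issuer, audience, key and the HS256 algorithm are assumptions chosen so the code runs on the Python standard library; an identity provider’s ID tokens are normally signed with an asymmetric key that the gateway obtains from the provider’s published key set.

```python
import base64, hashlib, hmac, json, time

# Every value here is constructed for the example; the webinar names none of them.
ISSUER = "https://idp.example.test"     # assumed identity provider issuer
AUDIENCE = "example-spa-client-id"      # assumed client id of the single page app
DEMO_KEY = b"constructed-demo-key"      # stand-in for the provider's signing key
ALLOWED_ALGS = ("HS256",)               # pinned by the gateway, never taken from the token


def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, alg="HS256", key=DEMO_KEY):
    """Play the identity provider: build a constructed compact JWT."""
    head = _enc(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = head + "." + _enc(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _enc(sig)


def validate_id_token(token, now=None, leeway=60):
    """Return (True, claims) when every check passes, else (False, reason)."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(_dec(head_b64)), json.loads(_dec(body_b64))
        sig = _dec(sig_b64)
    except (ValueError, AttributeError):
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    if header.get("alg") not in ALLOWED_ALGS:       # rejects "none" and algorithm swaps
        return False, "alg_not_allowed"
    expected = hmac.new(DEMO_KEY, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return False, "bad_signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong_issuer"
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong_audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        return False, "expired"
    return True, claims


def gateway_authorize(headers, now=None):
    """Return (status, subject); backends only ever see requests that got 200."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, None
    ok, result = validate_id_token(token.strip(), now=now)
    return (200, result.get("sub")) if ok else (401, None)
```

Because the check runs once at the gateway, each microservice can rely on the forwarded subject instead of re-implementing token validation.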
5 Single Sign On with Identity Provider’s APIs
New Beginning of our Customer Identity Journey
Month 1: Debuted Identity Platform with Know Your Supplier (KYS) release
We decided to leverage our identity provider’s API to implement authentication for the KYS application.
Month 2: Custom Single Sign On (SSO) Dashboard
Embarking on the customer SSO journey, we designed a customer-facing dashboard application to improve user experience.
Month 3: Onboarded Coronavirus Pulse SSO
We enabled Federated SSO for other sites, which included the Coronavirus Pulse application.
Single Sign On: Authentication + Federation
Federated Single Sign-On: The combination of a single authentication event with multiple requests for proof of authentication
Authentication: The process of proving the identity of a person or system
Federation: The process by which an app or site requests proof of authentication from a trusted source
Why Single Sign On (SSO)?
Each time we deploy a new product or application, customers have to create a new set of credentials to remember. The result is having to remember too many passwords.
SSO is a function that allows users to access multiple web applications at once, using just one set of credentials.
The objective is to authenticate user credentials with an Identity Provider and not with the applications themselves. So when a customer attempts to log into an application, the application communicates with the Identity Provider to authenticate the user.
[Diagram labels: Identity Provider; Users are authenticated; Apps are federated; Trust Relationship]
How did we get started?
Work in parallel streams with ongoing testing
Rapid Discovery and Configuration
» Fully understand the out of the box features – Identity Provider’s Sign-in Widget
» How to use APIs
Design User Experience
» User experience with JavaScript and CSS – Include a separate user agreement
Application Federation
» Multiple types of login flows were tested – Both apps required custom integrations as they are homegrown apps
Business Process Identification and Restructuring
» Determined whether we could adjust our business processes around pre-packaged workflows – e.g. KYS: Admin must vet all users’ access manually
What was the key driver?
We heavily leveraged our Identity provider’s sign-in widget and APIs
Authentication Transaction Workflows <Sign-in Settings>
» User Registration
» Account Activation
» Login
» Logout
» Reset Password
» Account Unlock
» Request Help
Know Your Supplier (2 week delivery)
» Step 1: Initial discovery of authentication transaction scenarios and identified customization requirements – Determined that widget could not be used out of the box due to customization requirements and embedded the widget on the app.
» Step 2: Registered custom vanity url domain <<login.moodysanalytics.com>>
» Step 3: Customized the sign-in and registration page with Moody's branding and required fields
» Step 4: Modified user email notification templates
Coronavirus Pulse (1 week delivery)
» Step 1: With discovery of authentication transaction scenarios, identified that further customization was not required – Decided to use the sign-in widget hosted by our Identity Provider
» Step 2: Re-used the customized Moody’s branding and user email notification templates
Sign-in Flow APIs
Visit pulse.moodysanalytics.com
[Sign-in flow diagram. Participants: User; Browser; Coronavirus Pulse App; Sign-in Widget; Identity Provider; Authorization Server; Login.moodysanalytics.com. Steps: 1. Browse to Pulse app url; 2. Submit Username & Password; 3. Verify Credentials; 4. Create Identity Session; Sign-in to Application. Endpoints shown: /authorize, /authn, /token.]
6 Q&A
Questions and Answers
MOODY’S ANALYTICS API PORTAL WEBINAR
Contact Us at API Portal
Please visit the Moody’s Analytics API Portal at developer.moodysanalytics.com for more information about our APIs.
We encourage you to register at our portal and start the developer experience.
We are also interested in hearing about your success stories using our APIs. We would appreciate your insights and feedback.
You can submit any inquiries or provide feedback by browsing to Contact Us.
https://developer.moodysanalytics.com/contact
Thank You
moodysanalytics.com
Chris Thomas, 7 World Trade Center, New York, NY, (212) 553-0222
Sarrah Bang, 7 World Trade Center, New York, NY, (212) 553-2945
© 2020 Moody’s Corporation, Moody’s Investors Service, Inc., Moody’s Analytics, Inc. and/or their licensors and affiliates (collectively, “MOODY’S”). All rights reserved.