Bulletproof APIs: Hands-On API Security
As APIs become a big part of our tech world, making sure they're secure is key. The 2023 version of the OWASP API Security top 10 shows us that API security needs our attention. Building secure APIs isn't easy, though. It needs developers and architects to really get API security, from the big picture down to the nitty-gritty details.
- Jan 8Radisson Blu Scandinavia Hotel2 days08:00 - 16:00 UTCPhilippe De Ryck12 990 NOK
This workshop is here to give you the skills you need to make your APIs secure. We're going to think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With deep-dive talks, real-world demos, fun quizzes, and hands-on labs, you'll learn how to lock down your APIs.
During this hands-on training, we'll explore:
- The security model of API-based web applications
- Recognizing and addressing authorization failures
- Understanding Broken Object Property Level Authorization (BOPLA)
- Fixing Broken Object Level Authorization (BOLA)
- Testing the security of APIs that use JWTs
- Best practices for making JWTs secure in modern APIs
- Identifying, exploiting, and fixing Server-Side Request Forgery (SSRF) issues
- Understanding Cross-Origin Resource Sharing (CORS)
- Configuring secure CORS policies for various use cases
- Tracking user authentication securely with sessions or tokens
- Relying on OAuth 2.0/2.1 for securing APIs
- Advanced OAuth 2.x scenarios
- Quizzes and labs to make learning stick
- Q & A throughout the workshop to clear up any doubts
This workshop is about more than theory. We're all about giving you practical security tips you can use right away as an API developer. We dig into the root causes of API threats and how to handle them. We don't just skim the surface of problems and solutions - we get into the why's and how's, looking at common fixes, why some fall short, and which ones are currently the best way to go.
By the end of this workshop, you'll be up-to-speed on the best practices for API security. You'll also leave with a handy list of steps to check and boost the security of your applications.
Who should attend?
This training is perfect for developers and architects who work a lot with APIs. If your role involves building, testing, or designing modern apps, this workshop will give you a thorough, up-to-date understanding of the best ways to keep things secure. We'll often use NodeJS, Flask, and Spring Boot in our code examples and demos, but you'll easily be able to apply what you learn to other languages and frameworks.
These testimonials from previous workshops give you a good idea of what to expect:
- Trainer is great and an expert in the domain. All of the topics are very relevant. Practical examples for most of the topics. Excellent communication and addressing of questions.
- Even though the topic is broad, there was no single moment where my focus went astray. Philippe talks in a way to keep you interested to listen to him.
- I liked the the pleasant and relaxed way of speaking and the fresh style of presentation of this kind of dry stuff :)
- Philippe is a friendly and knowledgable trainer and delivered an interesting course that was well presented. Questions were answered promptly and in a detailed way.
To participate in this training, you should have some experience with building API-based applications. Knowledge of application security can be helpful, but is not required.
To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (preferably Chrome).
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. Google recognizes Philippe as a Google Developer Expert for his work on security in Angular applications.