Common API Security Pitfalls • Philippe De Ryck • GOTO 2019
- Published 7 Nov 2019
- This presentation was recorded at GOTO Amsterdam 2019. #GOTOcon #GOTOams
gotoams.nl
Philippe De Ryck - Founder of Pragmatic Web Security, Google Developer Expert
ABSTRACT
The shift towards an API landscape marks a significant evolution in the way we build applications. The rise of JavaScript and mobile applications has sparked an explosion of easily accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are absolute must-haves, and which additional security measures do you need to take into account?
These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs [...]
Download slides and read the full abstract here:
gotoams.nl/2019/sessions/810/...
RECOMMENDED BOOKS
Aaron Parecki • OAuth 2.0 Simplified • amzn.to/2A3IMOf
Aaron Parecki • OAuth 2.0 Servers • amzn.to/3ecHEsz
Aaron Parecki • The Little Book of OAuth 2.0 RFCs • amzn.to/3i7qnlC
Erdal Ozkaya • Cybersecurity: The Beginner's Guide • amzn.to/2T6OIj3
Richer & Sanso • OAuth 2 in Action • amzn.to/3hXiAH6
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • amzn.to/2U8iLY2
#API #APIs #Security #SecurityPitfalls
Looking for a unique learning experience?
Attend the next GOTO Conference near you! Get your ticket at gotocon.com
SUBSCRIBE TO OUR CHANNEL - new videos posted almost daily.
ua-cam.com/users/GotoConf... - Science & Technology
A super crisp talk by Philippe on API security pitfalls. And here are some bookmarks from the talk for ready reference.
- OWASP Underprotected APIs vulnerabilities [2:10]
- Brute-force attacks & not using *different* rate limits for different APIs [6:08]
- IDOR vulnerabilities & Lack of Proper Authorization [8:05]
- Scaling: the need to move authorization state (a.k.a. sessions) to clients using JWT [13:04]
- JWT basics
- Integrity checks for JWT
- Mishandling client side auth headers [17:15]
- HMAC based JWT Signatures [17:57]
- Symmetric (Shared Secrets) vs Asymmetric JWT signatures [22:22]
- Key Management [23:00]
- Cookies vs Custom Authorization Headers [25:00]
- CORS policies [30:00]
- Enforcing strict CORS policies.
- Input Validations [34:44]
- Not the primary last line of defense
- Not for Complex Data
- Compartmentalizing your APIs [37:30]
All in all a pretty good talk.
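The JWT integrity items (HMAC signatures, shared-secret signing, mishandled auth headers) and the IDOR/authorization item in the bookmark list above, worked through as one added example. This code is not from the talk or from the page; it assumes a single shared HMAC key, a hypothetical in-memory document store, and hypothetical handler names (sign_hs256, verify_hs256, get_document); the tokens, key and documents are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: one shared HMAC key (symmetric signing). Every service holding it
# can mint tokens, which is the trade-off against asymmetric signatures.
SECRET = b"constructed-demo-key-do-not-use"


class InvalidToken(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT: HMAC-SHA256 over base64url(header).base64url(payload)."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if the token is HS256-signed with key and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("undecodable token") from exc
    # Pin the algorithm server-side. Selecting the verifier from header["alg"]
    # is what lets "alg":"none" or RS256->HS256 confusion bypass the check.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise InvalidToken("bad signature")
    # Only parse the payload after the signature has been verified.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("undecodable payload") from exc
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise InvalidToken("expired or missing exp")
    return claims


# Constructed data: resources behind guessable ids, the classic IDOR setup.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "alice's notes"},
    "doc-2": {"owner": "bob", "body": "bob's notes"},
}


def get_document(token: str, doc_id: str, key: bytes = SECRET, now=None) -> str:
    """Hypothetical GET /documents/{doc_id}: authenticate, then authorize per object."""
    claims = verify_hs256(token, key, now)
    doc = DOCUMENTS.get(doc_id)
    # A valid token is not enough; the caller must own the object. The same error
    # covers "absent" and "not yours" so ids cannot be enumerated by status code.
    if doc is None or doc["owner"] != claims.get("sub"):
        raise PermissionError("not found")
    return doc["body"]


def forge_unsigned(claims: dict) -> str:
    """Attacker token with alg=none and an empty signature (constructed for the demo)."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(claims) + "."


def tamper_payload(token: str, claims: dict) -> str:
    """Replace the payload of a genuine token while keeping its original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_encode_part(claims)}.{sig_b64}"


def rejected(func, *args, **kwargs) -> bool:
    """True if the call is refused by the token or the authorization checks."""
    try:
        func(*args, **kwargs)
    except (InvalidToken, PermissionError):
        return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000
    tok = sign_hs256({"sub": "alice", "exp": now + 600}, SECRET)
    print(get_document(tok, "doc-1", now=now))
    print(rejected(get_document, tok, "doc-2", now=now))
    print(rejected(verify_hs256, forge_unsigned({"sub": "bob", "exp": now + 600}), SECRET, now=now))
```

The two checks are deliberately separate: verify_hs256 only establishes who the caller is, and get_document still compares the object's owner to that identity, which is the step whose absence produces an IDOR. Pinning the algorithm and comparing the MAC with hmac.compare_digest are the two details that most often go missing in hand-rolled JWT verification.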
Great talk. Concise analysis of the topic.
This talk is really good.
Great talk!
Thanks 😊
I will review his presentations a couple of times...
Oh...
Poor cameraman.
After reading this comment, I lost all focus on the presentation and was just watching the camera move... hahaha 😂
Such a typical German lecture, extremely boring
I know that Philippe's talks are usually not super-sexy and mind-blowing entertaining, but still really relevant. I am curious why you label it "typical German" though.