09:00 - 17:00
Practical API Security Workshop
In this hands-on workshop you will get to know common API vulnerabilities and how they can be exploited to break into an application through its API. A closer look at OWASP’s API Security Top 10 will provide you with details about possible attacks and how to prevent them. You will learn to protect APIs against attacks using secure coding practices, software architecture and security infrastructure such as API gateways.
This practice-oriented workshop is not about compliance and paperwork. It is about technology and methodology, with many demonstrations and exercises.
Content & Process
APIs connect Single Page Applications on the Web with backend systems that hold sensitive data. Companies are becoming platforms by exposing business functions as APIs. The ever-growing attack surface of APIs opens backdoors into applications, and IT security has only just started to recognize APIs as an attack vector.
To protect APIs effectively, it is important to understand potential attacks and what they target. In the workshop you learn how to think like an attacker and to apply several techniques to break into an application through an API. You will learn how to discover API-related security issues and vulnerabilities. We will discuss current best practices and strategies for improving API security.
Almost every company was affected by the Log4J vulnerability at the end of last year. In the workshop we will demonstrate the complete attack, including remote code execution through an API.
This workshop is for IT security specialists, software architects and developers who have to protect resources against threats introduced by APIs.
Part 1: How to hack an API?
You will learn how attackers use vulnerabilities and exploits such as mass assignment, SQL injection and broken user authentication to gain access to resources through an API.
Part 2: Security Risks in Detail
We will have a closer look at the attacks from part one and discuss why the attacks were possible.
Part 3: How to protect an API?
Learn how to apply secure coding practices, proper software architecture and infrastructure to make an attacker's job hard.
Part 4: The Defense Tools
Get to know how API gateways, Web Application Firewalls, code scanners and other tools can contribute to secure APIs.
Audience & Requirements
- Docker Desktop (https://www.docker.com/products/docker-desktop), with the OWASP Juice Shop image pulled in advance: docker pull bkimminich/juice-shop:v13.1.0
- Visual Studio Code (https://code.visualstudio.com/)
- The REST Client extension for Visual Studio Code (https://marketplace.visualstudio.com/items?itemName=humao.rest-client)