Bulletproof APIs: Hands-On API Security (December 2024)

APIs are everywhere in tech, and their security is crucial. The latest OWASP API Security Top 10 underscores the importance of getting API security right—not just in coding but in understanding the nuances and making smart trade-offs.

This workshop will give you the skills to secure your APIs: it covers the principles of building robust, modern APIs and offers practical, actionable security advice that you can apply to your applications immediately.

During this two-day hands-on training, we'll explore a broad range of API-specific security topics. The outline below illustrates what the workshop will look like.

Day 1

  • The security model of API-based web applications
  • Recognizing and addressing authorization failures
  • Fixing Broken Object Level Authorization (BOLA)
  • Understanding Broken Object Property Level Authorization (BOPLA)
  • The mechanics behind Cross-Origin Resource Sharing (CORS)
  • Configuring secure CORS policies for various use cases
  • Architecture patterns for user authentication tracking
  • Securing session and token-based user authentication
  • Hands-on labs throughout the day

Day 2

  • Relying on OAuth 2.0 for securing APIs
  • Testing the security of APIs that use JWTs
  • Best practices for making JWTs secure in modern APIs
  • Finding and fixing Server-Side Request Forgery (SSRF)
  • OAuth 2.0 scenarios for complex architectures
  • Hands-on labs throughout the day

This workshop is here to give you the skills you need to make your APIs secure. We're going to think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With deep-dive talks, real-world demos, fun quizzes, and hands-on labs, you'll learn how to lock down your APIs.

Schedule

December 5th, 2024

9:00am – 5:00pm UTC
Bulletproof APIs workshop (Day 1)

December 6th, 2024

9:00am – 5:00pm UTC
Bulletproof APIs workshop (Day 2)

Additional Information

If you have any questions about this event or payment options, don't hesitate to reach out to courses@pragmaticwebsecurity.com