
Bulletproof APIs: Hands-On API Security (December 2024)
Contents and outline
APIs are everywhere in tech, and their security is crucial. The latest OWASP API Security Top 10 underscores the importance of getting API security right—not just in coding but in understanding the nuances and making smart trade-offs.
This workshop will provide you with the skills to secure your APIs, diving into the principles of building robust, modern APIs and providing practical, actionable security advice to enhance your applications immediately.
During this two-day hands-on training, we'll explore a broad range of API-specific security topics. The outline below illustrates what the workshop will look like.
Day 1
- The security model of API-based web applications
- Recognizing and addressing authorization failures
- Fixing Broken Object Level Authorization (BOLA)
- Understanding Broken Object Property Level Authorization (BOPLA)
- The mechanics behind Cross-Origin Resource Sharing (CORS)
- Configuring secure CORS policies for various use cases
- Architecture patterns for user authentication tracking
- Securing session and token-based user authentication
- Hands-on labs throughout the day
Day 2
- Relying on OAuth 2.0 for securing APIs
- Testing the security of APIs that use JWTs
- Best practices for making JWTs secure in modern APIs
- Finding and fixing Server-Side Request Forgery (SSRF)
- OAuth 2.0 scenarios for complex architectures
- Hands-on labs throughout the day
This workshop is here to give you the skills you need to make your APIs secure. We're going to think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With deep-dive talks, real-world demos, fun quizzes, and hands-on labs, you'll learn how to lock down your APIs.
To participate in the hands-on labs, all you need is a modern browser (Chromium / Firefox).
Testimonials
The testimonials below illustrate how attendees experience Philippe's trainings.
Trainer is great and an expert in the domain. All of the topics are very relevant. Practical examples for most of the topics. Excellent communication and addressing of questions.
Even though the topic is broad, there was no single moment where my focus went astray. Philippe talks in a way to keep you interested to listen to him.
Great workshop! The instructor was very well-prepared and gave an amazingly insightful explanation on API security. The mix of interactive quizzes (Kahoot) and challenges kept us engaged throughout the day.
Philippe is a friendly and knowledgeable trainer and delivered an interesting course that was well presented. Questions were answered promptly and in a detailed way.
Schedule
December 5th, 2024
December 6th, 2024
Additional Information
If you have any questions about this event or payment options, don't hesitate to reach out to courses@pragmaticwebsecurity.com