Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

A Tour of API Underprotection

OWASP Foundation via YouTube

Overview

Explore the critical aspects of API security in this 50-minute conference talk from APPSEC Cali 2018. Delve into potential threats arising from undersecured Web APIs and learn techniques to strengthen your API security posture. Gain a clear understanding of user authorization via OAuth2, software authorization using static API keys, and their crucial interplay. Address concerns about mobile API consumers with poorly concealed secrets in statically published code. Discover practical advice and code examples for improving mobile API security, including the implementation of certificate pinning to enhance channel communications. Examine advanced techniques such as app hardening, white box cryptography, and mobile app attestation. Walk away with a comprehensive understanding of the underprotected API problem, immediately applicable tips to enhance your API security, and insights into emerging tools and technologies that enable significant improvements in API protection.

Syllabus

Intro
ShipFast Delivery Service
Client Complexity Spurs API Growth
Ship Raider Shipper's Edge
Transport Layer Security
Man in the Middle Attack
Certificate Pinning
Pinning Upkeep
Rate Limiting and Load Shedding
Behavioral API Security
Add Request Signing
App Hardening Approaches
Calculate Secret at Runtime
How They Broke the HMAC
OAuth2 Overview
Abstract Protocol Flow
Outh2 Code Grant Flow
OAuth2 Proof of Key Code Exchange (PKCE)
Multiple API Services
API Proxy Pattern
App Integrity Measurement
Dynamic Pinning
Strengthening OAuth2 Flow
Architecture Pattern
Conclusion
Additional References

Taught by

OWASP Foundation

Reviews

Start your review of A Tour of API Underprotection

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.