Explore the fundamentals of API security assessment in this 39-minute conference talk from AppSecEU 2015 in Amsterdam. Delve into why API security is crucial and often overlooked, learn key considerations for API testing, and discover common vulnerabilities. Gain insights on developer tips, information leakage prevention, and mobile app security. Examine topics such as hidden functionality, access control, transport security, and injection concerns. Understand the importance of fuzzing, parameter validation, and API key management. Conclude with takeaways on implementing least privilege and valuable resources for further learning in API security.
Overview
Syllabus
Introduction
Agenda
Greg Patton Introduction
Why is API security important
Security is often overlooked
Key things to consider
Things to collect
Two key things
HTTP
Common Things
Testing Steps
Developer Tips
Information Leakage
RSA Mobile
Review API Responses
Mobile App Example
Things to Consider
Hidden Functionality
Other Verbs
Protection
Access Control
Transport Security
Injection Concerns
Fuzzing
Validate Parameters
Manage API Keys
Mobile Application Assessment
Key Management
Takeaways
Least Privilege
Resources
Contact Greg
References
Questions
Taught by
OWASP Foundation
