Overview
Explore the critical importance of API design in securing software's future through this insightful conference talk from OWASP AppSec California 2015. Delve into Timothy D. Morgan's examination of why traditional security training methods fall short and discover innovative approaches to prevent vulnerabilities. Learn about the properties of safe development environments and gain valuable insights into guiding principles for API designers. Understand how well-designed APIs can subtly guide developers towards secure implementations, potentially preventing entire classes of vulnerabilities. Examine real-world examples of both problematic and secure API designs, including discussions on LDAP Filter Injection, ColdFusion, and SQL Injection. Consider the role of standardization in convincing vendors to prioritize API security and explore strategies for building better platforms that inherently promote secure coding practices.
Syllabus
Introduction
Is software security getting better
We have a big pile of code
We know we have a lot of bugs
We try to educate them
We really need to do better
What else do we do
Training
Developers release vulnerabilities faster
Importance of contesting
Focus on external code
Build better platforms
Language lawyers
Counterexamples
LDAP Filter Injection
ColdFusion
Encoding
Adobe API
ColdFusion
Example Code
SQL Injection
PHP Abstract API
Apache Foundation
API Security
How do we convince vendors
Standardization
Conclusion
Questions
Taught by
OWASP Foundation