SecAppDev 2024 workshop details
Bulletproof APIs: Hands-On API Security
Learning goal: Gain hands-on security strategies for APIs, understand the root causes of threats, and learn to implement effective solutions. Master best practices and leave with a checklist to enhance your application's security.
Thursday June 6th, 09:00 - 17:30
Room West Wing
Abstract
As APIs become a big part of our tech world, making sure they're secure is key. The 2023 version of the OWASP API Security top 10 shows us that API security needs our attention. Building secure APIs requires developers and architects to really get API security, from the big picture down to the nitty-gritty details.
This workshop will teach you the skills you need! We're going to think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With lectures, real-world demos, fun quizzes, and hands-on labs, you'll learn how to secure your APIs.
Content overview
- The security model of API-based web applications
- Recognizing and addressing authorization failures
- Understanding Broken Object Property Level Authorization (BOPLA)
- Fixing Broken Object Level Authorization (BOLA)
- Testing the security of APIs that use JWTs
- Best practices for making JWTs secure in modern APIs
- Identifying, exploiting, and fixing Server-Side Request Forgery (SSRF) issues
- Quizzes and labs to make learning stick
- Q & A throughout the workshop to clear up any doubts
Content level
Introductory
Target audience
Developers, architects, and security professionals working with APIs
Prerequisites
Understanding of API-based applications. Labs do not require prerequisite security knowledge or proficient developer skills.
Technical requirements
A laptop with a modern browser
Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Other workshops
Navigating the 2021 OWASP Top Ten for web security
One-day workshop by Jim Manico in room West Wing
Friday June 7th, 09:00 - 17:30
This workshop offers a deep dive into the OWASP Top 10 2021, essential for web developers and security professionals aiming to master secure coding practices. It elucidates the critical web application security risks, fostering a comprehensive understanding and implementation of defensive programming. Attendees will gain insights into the most prevalent security threats and the methodologies to mitigate them, ensuring the development of secure and resilient web applications.
Learning goal: Participants will master the OWASP Top 10 2021, learning to identify, understand, and mitigate the most critical web application security risks, thereby enhancing their secure coding skills.
WAF Whirlwind Tour - A one day introduction to OWASP ModSecurity and OWASP CRS
One-day workshop by Christian Folini in room Lemaire
Thursday June 6th, 09:00 - 17:30
The OWASP ModSecurity WAF engine and it's rule set counterpart OWASP CRS is the dominant team in the WAF world. Most commercial products are based on CRS and very often also ModSecurity. The key characteristic is the high detection rate and the transparency of the rule set. The generic nature of the rule set also comes with a painful downside: false positives.
In this one day workshop, we will look into the configuration of the WAF, we will write a few rules and we will namely fight false positives. The workshop is all you need to understand the basics and to get you started with WAF.
Learning goal: This workshop aims to equip participants with the skills to perform basic WAF configuration, write and read simple ModSecurity rules, and handle false positives.
Externalizing authorization in a diverse application landscape using OPA
One-day workshop by Michael Boeynaems and Jasper Rots in room Lemaire
Friday June 7th, 09:00 - 17:30
This hands-on, interactive training will teach participants how their applications can benefit from external authorization and how they can implement this using Open Policy Agent (OPA), a modern solution to realize the PIP-PAP-PEP-PDP model and an accessible alternative to XACML-based solutions. OPA is application agnostic and allows writing policies as code in the Rego policy language. Through this policy engine, participants will learn how to manage access away from their applications, which will help them to address the current number one risk of the OWASP Top 10: Broken Access Control.
Learning goal: Participants will understand the benefits of externalizing authorization and will be able to do so in practice, while at the same time understanding the limitations of such an architecture.