YoVDO

A Tour of API Underprotection

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses API Security Courses TLS Courses White-Box Cryptography Courses

Course Description

Overview

Explore the critical aspects of API security in this 50-minute conference talk from APPSEC Cali 2018. Delve into potential threats arising from undersecured Web APIs and learn techniques to strengthen your API security posture. Gain a clear understanding of user authorization via OAuth2, software authorization using static API keys, and their crucial interplay. Address concerns about mobile API consumers with poorly concealed secrets in statically published code. Discover practical advice and code examples for improving mobile API security, including the implementation of certificate pinning to enhance channel communications. Examine advanced techniques such as app hardening, white box cryptography, and mobile app attestation. Walk away with a comprehensive understanding of the underprotected API problem, immediately applicable tips to enhance your API security, and insights into emerging tools and technologies that enable significant improvements in API protection.

Syllabus

Intro
ShipFast Delivery Service
Client Complexity Spurs API Growth
Ship Raider Shipper's Edge
Transport Layer Security
Man in the Middle Attack
Certificate Pinning
Pinning Upkeep
Rate Limiting and Load Shedding
Behavioral API Security
Add Request Signing
App Hardening Approaches
Calculate Secret at Runtime
How They Broke the HMAC
OAuth2 Overview
Abstract Protocol Flow
Outh2 Code Grant Flow
OAuth2 Proof of Key Code Exchange (PKCE)
Multiple API Services
API Proxy Pattern
App Integrity Measurement
Dynamic Pinning
Strengthening OAuth2 Flow
Architecture Pattern
Conclusion
Additional References


Taught by

OWASP Foundation

Related Courses

PUFs and White-Box Cryptography
TheIACR via YouTube
Hack In The Studio - Fireside Chat
Hack In The Box Security Conference via YouTube
Unboxing the White-Box - Practical Attacks Against Obfuscated Ciphers
Black Hat via YouTube
White-Box Cryptography - Frameworks, Encoding, and Analysis
TheIACR via YouTube
White-Box Cryptography - Advanced Concepts and Applications
TheIACR via YouTube