YoVDO

A Tour of API Underprotection

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses
API Security Courses
TLS Courses
White-Box Cryptography Courses

Course Description

Overview

Explore the critical aspects of API security in this 50-minute conference talk from AppSec Cali 2018. Delve into the threats that arise from underprotected Web APIs and learn techniques to strengthen your API security posture. Gain a clear understanding of user authorization via OAuth2, software authorization using static API keys, and the crucial interplay between the two. Address the problem of mobile API consumers whose secrets are poorly concealed in statically published code. Discover practical advice and code examples for improving mobile API security, including certificate pinning to protect the communication channel. Examine advanced techniques such as app hardening, white-box cryptography, and mobile app attestation. Walk away with a comprehensive understanding of the underprotected API problem, immediately applicable tips for improving your API security, and insight into emerging tools and technologies that enable significant improvements in API protection.

Syllabus

Intro
ShipFast Delivery Service
Client Complexity Spurs API Growth
Ship Raider Shipper's Edge
Transport Layer Security
Man in the Middle Attack
Certificate Pinning
Pinning Upkeep
Rate Limiting and Load Shedding
Behavioral API Security
Add Request Signing
App Hardening Approaches
Calculate Secret at Runtime
How They Broke the HMAC
OAuth2 Overview
Abstract Protocol Flow
OAuth2 Code Grant Flow
OAuth2 Proof Key for Code Exchange (PKCE)
Multiple API Services
API Proxy Pattern
App Integrity Measurement
Dynamic Pinning
Strengthening OAuth2 Flow
Architecture Pattern
Conclusion
Additional References
Taught by

OWASP Foundation
