Getting API Security Right

Offered By: NDC Conferences via YouTube

Course Description

Overview

Explore best practices for securing APIs in this comprehensive NDC Security 2022 conference talk. Dive into real-world cases illustrating the evolving API landscape and its impact on application security. Learn about the API attack surface, common authorization problems, and effective techniques to mitigate vulnerabilities. Gain actionable guidelines to assess and enhance your API security, covering topics such as enforcing sensible limits, handling sensitive data exposure, implementing function-level authorization, and understanding JWT security. Discover the importance of proper client controls, mass assignment prevention, and API testing. Examine the role of API firewalls, auditability, and token management in creating a robust security framework. By the end of this talk, acquire valuable insights to fortify your APIs against potential threats and ensure a secure application ecosystem.

Syllabus

Intro
The cowboy years are over
Enforce sensible limits
The client is irrelevant
Client controls are useless
Sensitive Data Exposure
Mass Assignment
Test Your API
API Firewalls
REST API
Implement Function Level Authorization
Auditability
Cookies
Tokens
Understand your requirements
Follow JWT Security
What happens when API goes wrong
Outro


Taught by

NDC Conferences
