SecAppDev 2022 Workshop Details

Getting API authorization right

Philippe De Ryck
Thursday June 16, 09:00 - 17:00

Building secure APIs and microservices is hard, really hard. This workshop provides API developers with the necessary knowledge to assess and improve the security of their APIs. This workshop consists of a mixture of lectures, demos, interactive quizzes, and hands-on labs.

In this workshop, we explore common authorization failures in APIs and various defensive strategies, along with their trade-offs and pitfalls. We dive deep into API-specific topics, such as handling JSON Web Tokens (JWTs) and dealing with OAuth 2.0 access tokens. You will walk away with an actionable set of best practices.

  • Common API authorization failures
  • API authorization best practices
  • The nonsense of "cookies vs tokens"
  • JWT security pitfalls and best practices
  • Making authorization decisions with OAuth 2.0 access tokens
  • Custom-built offensive and defensive lab assignments
Learning goal

An in-depth perspective on common authorization failures and best practices for APIs.

Content level


Target audience

Anyone who is concerned about building secure APIs.


Experience with developing web-facing APIs.

Technical requirements

A laptop with a modern browser (e.g., Chrome, Firefox) installed.

Philippe De Ryck

Philippe De Ryck

Web Security Expert, Pragmatic Web Security

Philippe De Ryck helps developers protect companies through better web security. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. As the founder of Pragmatic Web Security, Philippe delivers security training and security consulting to companies worldwide. His online course platform allows anyone to learn complex security topics at their own pace. Philippe is a Google Developer Expert and an Auth0 Ambassador for his community contributions on the security of web applications and APIs.

Full speaker profile

Related web and api security sessions

Purple team AWS - Discoverer edition

One-day workshop by Abhay Bhargav

With companies moving and operating extensively on the AWS Cloud, security remains a key challenge.

This training is an extensive deep-dive into Attack, Detect and Defense implementations within AWS. The training is dedicated to cookbook-style “Attack, Detect and Defence” cyber-ranges.

The aim of this training is to take the participant through a journey of highly practical, scalable and granular knowledge of AWS offense, defense and security automation.

Web and API security Friday June 17, 09:00 - 17:00

Building secure web applications

One-day workshop by Jim Manico

This highly intensive and interactive workshop provides essential application security training for every web developer. The class is a combination of lectures, security testing demonstrations, code review, and interactive threat modeling discussions. Students will learn the most common threats against applications. More importantly, students will learn how to code secure software via a variety of techniques such as secure design practices, defense-based coding, the use of security libraries and services, and the use of a variety of web security standards.

Web and API security Friday June 17, 09:00 - 17:00

The (bright) future of API Security

Lecture by Isabelle Mauny

What are the key API-based integration patterns and their security implications? Which strategies can we adopt to protect APIs now and in the future? How can we do better and attack the security issues from design time?

Web and API security Tuesday June 14, 16:00 - 17:30

Fantastic API Vulnerabilities and where to find them

Lecture by Abhay Bhargav

Learn about the unique nature of API compromises, nuanced SSRF attack patterns, webhook boomerang attacks, JWT implementation vulnerabilities, and authorization flaws

Web and API security Wednesday June 15, 14:00 - 15:30

Security of WebAssembly applications

Lecture by Quentin Stiévenart

WebAssembly enables near-native performance for web applications. We will dive deep into the world of WebAssembly, with a focus on the security concerns that need to be addressed when developing WebAssembly applications.

Web and API security Wednesday June 15, 09:00 - 10:30

The OWASP Top Ten 2021-2022 release

Lecture by Jim Manico

The OWASP Top 10 represents a broad consensus about the most critical security risks to web applications. In this session, we explore how developers can mitigate these threats in modern web applications.

Web and API security Tuesday June 14, 09:00 - 10:30

Web request forgery - SSRF, CSRF and clickjacking

Lecture by Jim Manico

The web is full of request forgery attacks, such as CSRF, SSRF, and Clickjacking. In this session, we provide actionable guidance on mitigating these issues in modern applications.

Web and API security Wednesday June 15, 11:00 - 12:30