SecAppDev 2022 Lecture Details
The (bright) future of API Security
Isabelle Mauny
Tuesday June 14, 16:00 - 17:30
Short description
What are the key API-based integration patterns and what are their security implications? Which strategies can we adopt to protect APIs now and in the future? How can we do better and address security issues from design time onwards, rather than after deployment?
Abstract
APIs are at the heart of most applications and have become the cornerstone of system integrations. Several API flavors are popular today, such as REST, GraphQL and gRPC: is any of them inherently more secure than the others? Which approaches can we adopt to prevent security issues from reaching production systems? What role should developers play in security, and in API security in particular?
In this session, we will use real world examples to illustrate potential approaches and put your API Security knowledge to the test!
Key takeaway
The inherent risks of exposing APIs and what we can do today and tomorrow to address them.
Content level
Keynote
Target audience
All SecAppDev participants
Prerequisites
None

Isabelle Mauny
Field CTO, 42Crunch
I have been spending the last 15 years helping people integrate their applications internally and externally. I introduced IBM DataPower in Europe in 2005 and worked with numerous enterprise customers deploying what were the first API Gateways. I have stayed in that field since then, with a stronger focus on security in the past 5 years with 42Crunch.
Related web and api security sessions
Getting API authorization right
One-day workshop by Philippe De Ryck
Building secure APIs and microservices is hard, really hard. This workshop provides API developers with the necessary knowledge to assess and improve the security of their APIs. This workshop consists of a mixture of lectures, demos, interactive quizzes, and hands-on labs.
In this workshop, we explore common authorization failures in APIs and various defensive strategies, along with their trade-offs and pitfalls. We dive deep into API-specific topics, such as handling JSON Web Tokens (JWTs) and dealing with OAuth 2.0 access tokens. You will walk away with an actionable set of best practices.
Web and API security Thursday June 16, 09:00 - 17:00
Purple team AWS - Discoverer edition
One-day workshop by Abhay Bhargav
With companies moving and operating extensively on the AWS Cloud, security remains a key challenge.
This training is an extensive deep-dive into Attack, Detect and Defend implementations within AWS. The training is built around cookbook-style "Attack, Detect and Defend" cyber-ranges.
The aim of this training is to take the participant through a journey of highly practical, scalable and granular knowledge of AWS offense, defense and security automation.
Web and API security Friday June 17, 09:00 - 17:00
Building secure web applications
One-day workshop by Jim Manico
This highly intensive and interactive workshop provides essential application security training for every web developer. The class is a combination of lectures, security testing demonstrations, code review, and interactive threat modeling discussions. Students will learn the most common threats against applications. More importantly, students will learn how to code secure software via a variety of techniques such as secure design practices, defense-based coding, the use of security libraries and services, and the use of a variety of web security standards.
Web and API security Friday June 17, 09:00 - 17:00
Security of WebAssembly applications
Lecture by Quentin Stiévenart
WebAssembly enables near-native performance for web applications. We will dive deep into the world of WebAssembly, with a focus on the security concerns that need to be addressed when developing WebAssembly applications.
Web and API security Wednesday June 15, 09:00 - 10:30
The OWASP Top Ten 2021-2022 release
Lecture by Jim Manico
The OWASP Top 10 represents a broad consensus about the most critical security risks to web applications. In this session, we explore how developers can mitigate these threats in modern web applications.
Web and API security Tuesday June 14, 09:00 - 10:30
Web request forgery - SSRF, CSRF and clickjacking
Lecture by Jim Manico
The web is full of request forgery attacks, such as CSRF, SSRF and clickjacking. In this session, we provide actionable guidance on mitigating these issues in modern applications.
Web and API security Wednesday June 15, 11:00 - 12:30