SecAppDev 2025 lecture details
OpenAPI as a security tool, not just documentation
OpenAPI specs are more than docs—they can drive API security. Learn how to use them in spec/code-first workflows to find vulnerabilities, guide audits, and power security tools for testing, attacks, and runtime protection.
Schedule TBD
Abstract
OpenAPI specifications are more than just documentation—they can be a powerful foundation for improving your application's security.
This talk explores how to effectively use OpenAPI in both code-first and spec-first workflows. We’ll discuss how well-crafted specs help uncover security issues, guide audits, and power security tools for testing, automated attacks, and even runtime protection. You’ll walk away with practical insights into turning your API specs into a security asset, not just a developer convenience.
Key takeaway
A well-crafted OpenAPI spec can uncover security issues, guide audits, and power tools for testing, making it a key asset in your API security strategy.
Content level
Deep-dive
Target audience
Anyone designing, building, and securing APIs
Prerequisites
Experience with building APIs is useful, but not required.
Join us for SecAppDev. You will not regret it!
Grab your seat now
Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Join us for SecAppDev. You will not regret it!
Grab your seat nowRelated lectures
The Bug Bounty Effect: From DevSecOops to Success!
Deep-dive lecture by Emil Vaagland
Discover how bug bounty programs outperforms traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.
Key takeaway: Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.
Reviewing 3rd party libraries security using Scorecards
Introductory lecture by Niels Tanis
We rely on 3rd party libraries which results in security risks. OpenSSF’s Scorecard helps assess package security. This session explores its checks and additional insights to strengthen supply-chain security.
Key takeaway: Understanding how to leverage the OpenSSF Scorecard to review used 3rd party libraries more easily.
Breaking and securing OAuth 2.0 in frontends
Deep-dive lecture by Philippe De Ryck
Using OAuth 2.0 in the frontend increases your attack surface. Learn why BFF is safer and how to defend against real-world token attacks.
Key takeaway: Frontend OAuth 2.0 patterns, even with token protections, leave apps exposed—real security comes from moving sensitive logic to a secure backend.