SecAppDev 2025 lecture details

OpenAPI as a security tool, not just documentation

OpenAPI specs are more than docs—they can drive API security. Learn how to use them in spec/code-first workflows to find vulnerabilities, guide audits, and power security tools for testing, attacks, and runtime protection.

Download handouts
Monday June 2nd, 16:00 - 17:30
Room Lemaire
Recording session on Tuesday June 3rd, 16:00 - 17:30
Room Heilige-Geesttafel
API security
Authorization
Governance
Abstract

OpenAPI specifications are more than just documentation—they can be a powerful foundation for improving your application's security.

This talk explores how to effectively use OpenAPI in both code-first and spec-first workflows. We’ll discuss how well-crafted specs help uncover security issues, guide audits, and power security tools for testing, automated attacks, and even runtime protection. You’ll walk away with practical insights into turning your API specs into a security asset, not just a developer convenience.

Key takeaway

A well-crafted OpenAPI spec can uncover security issues, guide audits, and power tools for testing, making it a key asset in your API security strategy.

Content level

Deep-dive

Target audience

Anyone designing, building, and securing APIs

Prerequisites

Experience with building APIs is useful, but not required.

Join us for SecAppDev. You will not regret it!

Philippe De Ryck
Philippe De Ryck

Security Expert, Pragmatic Web Security

Expertise: Web security, API security, OAuth 2.0, OpenID Connect

More details

Join us for SecAppDev. You will not regret it!

Related lectures

My Name Is Not Cassandra: AppSec and "I Told You So"

Advanced lecture by Izar Tarandach in room Lemaire

Wednesday June 4th, 16:00 - 17:15

Lack of authority, an outsider's view of the development process and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?

Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.

Application Security
Governance

Verifiable Credentials: Concepts to Practice

Introductory lecture by Kristina Yasuda in room Lemaire

Monday June 2nd, 14:00 - 15:30
Also available as a recorded session on Tuesday June 3rd, 11:00 - 12:30

A technical introduction to Verifiable Credentials, highlighting use cases, implementation lessons, interoperability profiles, and recent updates to the related specifications.

Key takeaway: Interoperability in the wallet model requires aligned choices across the stack that meet use case requirements in terms of UX, security, privacy, etc.

Identity
Cryptography
Governance

The Bug Bounty Effect: From DevSecOops to Success!

Deep-dive lecture by Emil Vaagland in room Lemaire

Tuesday June 3rd, 09:00 - 10:30

Discover how bug bounty programs outperforms traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.

Key takeaway: Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.

Application Security
Governance
Secure Coding
all workshops all lectures

SecAppDev offers the most in-depth content you will find in a conference setting