SecAppDev 2025 lecture details
OpenAPI as a security tool, not just documentation
OpenAPI specs are more than docs—they can drive API security. Learn how to use them in spec/code-first workflows to find vulnerabilities, guide audits, and power security tools for testing, attacks, and runtime protection.
Monday June 2nd, 16:00 - 17:30
Room Lemaire
Recording session on Tuesday June 3rd, 16:00 - 17:30
Room Heilige-Geesttafel
Abstract
OpenAPI specifications are more than just documentation—they can be a powerful foundation for improving your application's security.
This talk explores how to effectively use OpenAPI in both code-first and spec-first workflows. We’ll discuss how well-crafted specs help uncover security issues, guide audits, and power security tools for testing, automated attacks, and even runtime protection. You’ll walk away with practical insights into turning your API specs into a security asset, not just a developer convenience.
Key takeaway
A well-crafted OpenAPI spec can uncover security issues, guide audits, and power tools for testing, making it a key asset in your API security strategy.
Content level
Deep-dive
Target audience
Anyone designing, building, and securing APIs
Prerequisites
Experience with building APIs is useful, but not required.

Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Related lectures
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.
Verifiable Credentials: Concepts to Practice
Introductory lecture by Kristina Yasuda in room Lemaire
Monday June 2nd, 14:00 - 15:30
Also available as a recorded session on Tuesday June 3rd, 11:00 - 12:30
A technical introduction to Verifiable Credentials, highlighting use cases, implementation lessons, interoperability profiles, and recent updates to the related specifications.
Key takeaway: Interoperability in the wallet model requires aligned choices across the stack that meet use case requirements in terms of UX, security, privacy, etc.
The Bug Bounty Effect: From DevSecOops to Success!
Deep-dive lecture by Emil Vaagland in room Lemaire
Tuesday June 3rd, 09:00 - 10:30
Discover how bug bounty programs outperform traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.
Key takeaway: Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.