API Vulnerabilities and What to Do About Them

By Eoin Woods

Thanks to an increasingly dangerous threat landscape, a large number of high-profile security breaches, and the tireless work of organisations like OWASP, security is finally becoming a high-priority topic in many software development projects. For many years OWASP have provided simple, practical security guidance to software developers, their best-known output probably being their "Top 10" lists of vulnerabilities for web application and mobile development. However, in recent years the explosion in popularity of application APIs has opened up another dangerous attack vector in many systems. In response, OWASP have recently developed their "API Security Top 10" list to provide similar guidance for APIs.

In this talk we will review the current security landscape, particularly as it relates to API-based applications, and work through the API Security Top 10 vulnerabilities in order to understand the top security threats to our APIs, which ones we might have overlooked in our own systems, and what practical mitigations we can apply to address them when we get back to work after the conference.

Some of this (such as logging and monitoring) will probably be familiar to those who are already aware of the web application Top 10, but is likely to bring a different perspective to it, while other parts (such as payload-related problems) are likely to be new.