The repository contains the deliverables that have been produced for the APISEC project. The screen recordings of the virtual project meetings can be found on the media page.
- Uitdagingen in de API-economie — Online, web-based software services are increasingly offered as an Application Programming Interface (API). This evolution, also known as the API economy, is a booming trend across many sectors and creates the opportunity for small players to have significant business impact despite limited resources. It is of great importance to the whole software sector and for the digitization (r)evolution. This whitepaper (in Dutch) looks at the challenges in API security and described some of the technical challenges that companies must deal with when implementing a new API service. [whitepaper]
- APISEC - Project introduction — The overall aim of the APISEC project is to enable software vendors in the fintech sector to quickly and effectively leverage complex new technologies in API security as a fundamental lever for their success in the digital economy. The concrete goals of the APISEC project are to broaden the knowledge and to make the knowledge applicable regarding advanced API security technologies, so that adoption and application for opening up web API in the fintech sector in Flanders is accelerated. This presentation introduces the project and describes the approach that will be followed throughout the project's lifetime. [presentation]
- APISEC - Concluding overview — The use of APIs has exploded and API Security is becoming ever more important as attacks surge at a much higher pace than API adoption. Sharing knowledge and expertise is the #1 enabler for safer API adoption in companies. By jointly researching best practices and new frameworks and tools, and collectively sharing insights and experience, we’re tackling the #1 reason why companies suffer API security incidents and breaches. This presentation looks back at the APISEC project and presents our concluding remarks. [presentation]
- Exploring OAuth 2.0: A practical guide to securing your APIs — OAuth 2.0 is the most-popular API authorization protocol in use today. In the decade since its introduction, a number of vulnerabilities have been discovered and the guidelines have been continually tweaked and improved to offer better security. The current OAuth2 best practices have been proven secure under a formal model, but many in-production OAuth implementations are still based on older versions of the OAuth2 guidelines and are insecure. In this talk, Pieter Philippaerts (KU Leuven) introduces the different flows of the OAuth2 authorization framework and talks about the changes that have been made over the years. The security requirements from the original protocol specification are compared with the current best practices, and clear advice is given for developers who are implementing their own APIs or are using third-party APIs. [presentation]
- OAuth 2.0 Best Practices — Since its publication, OAuth 2.0 has gotten massive traction in the market and became the standard for API protection and the basis for federated login using OpenID Connect. While OAuth is used in a variety of scenarios and different kinds of deployments, some security challenges have been observed. This document summarizes the most important changes to the original OAuth specification that must be taken into account when setting up a secure OAuth deployment. [document]
- APISEC - An Intigriti look — One way for a company to quickly scale up its security team is by leveraging a bug bounty platform. A bug bounty program rewards private individuals who manage to find bugs and vulnerabilities in web applications, effectively crowdsourcing flaw and vulnerability management. Most businesses use bug bounty platforms to supplement their in-house QA and bug finding efforts. Intigriti is Europe's leading bug bounty platform. Niels Hofmans (Intigriti) takes us through the testing methodologies for APIs and talks about the top 5 API vulnerabilities that are reported through the Intigrity platform. [presentation]
- Application-level access control for API based cloud applications: Architecture, tactics, patterns and technologies — Building cloud applications that leverage APIs - either as a client or a provider - is a daunting task. In this talk, Bert Lagaisse (KU Leuven) leads us through the maze of challenges and provides tactics and solutions to some of the most common problems. He starts from an application-driven requirements analysis that is representative for the APISEC project members' case studies. Possible architectural solutions are presented and the various trade-offs are discussed. [presentation]
- Trade-offs with token security — Tokens seem simple, but a look under the surface reveals quite a bit of complexity. Examples include the token type, its format, and its lifecycle, all of which require making choices with their trade-offs. In this session, Philippe De Ryck (Pragmatic Web Security) takes a nuanced look at token security challenges and successful token security patterns. [presentation]
- OAuch: Analyzing the Security Best Practices in the OAuth 2.0 Ecosystem — Adding support for an authorization protocol like OAuth to your API seems like a relatively straightforward proces: simply find and use a third-party library that takes care of it. But are you sure that this library is implemented correctly? Or that you are using this library correctly? In this session, we will introduce a new tool — called 'OAuch' — that uncovers hidden weaknesses in your OAuth implementation. The tool will be demonstrated and is made available to test your own implementation. We further discuss the results of a large scale study where 100 public OAuth implementations were analyzed with OAuch. These results offer a unique look into the current state of practice of the OAuth ecosystem. [presentation]
- Tool: OAuch.io — OAuch is a security testing framework for the OAuth 2.0 protocol. It takes an in-depth look at how an implementation adheres to the standard and performs under attack. OAuch generates a report based on the analysis of the tests and identifies potential weaknesses. [site]
- OAuch Source Code Repository — OAuch is an open-source security best practices and threats analyzer for OAuth 2.0 server implementations. Its main goal is to encourage providers to secure their services by uncovering relevant threats and pointing out security improvements that could be made in the implementation. OAuth implementations are tested using a large set of security-related test cases. The tests are based on the requirements put forth by the original OAuth 2.0 specification, as well as other documents that refine the security assumptions and requirements. These documents include the OAuth threat model, the Security Best Current Practices, and others. In addition to OAuth, OAuch also supports OpenID Connect providers. [repository]
- Policy-driven access control for multi-tenant cloud applications — In this third workshop on API-level access control for cloud applications, Bert Lagaisse walks us through the state of practice and the state of the art in policy-driven access control. He presents new research and state of practice solutions, with a focus on the most-common API-security problems. [presentation]
- Grant Overview in Common Libraries and Services — The OAuth 2.0 specification is a flexibile authorization framework that describes a number of grants (“methods”) for a client application to acquire an access token (which represents a user’s permission for the client to access their data) which can be used to authenticate a request to an API endpoint. This document gives an overview of which grant types are supported in common OAuth libraries and services. [document]
API security is too hard!? —
API security is more than a hot topic these days. We often like to pretend that API security incidents follow from highly sophisticated and
advanced attacks. Unfortunately, more often than not, these attacks follow from a failure to apply API security best practices. The real question
here is why we suffer from this problem? Are we all writing insecure code, or is our approach to secure coding based on the wrong assumptions?
Is API security too hard?
Throughout this talk, Philippe De Ryck (Pragmatic Web Security) reviews various cases where erroneous security assumptions lie at the basis of critical security vulnerabilities in APIs. With practical examples, we will discuss API configurations that allow bypassing security mechanisms and authorization checks. We also take a deep dive into Server-Side Request Forgery, a vulnerability that recently made it into the OWASP top 10. You will walk away from this presentation with a set of API security guidelines that allow you to assess and improve the security of your APIs [presentation]
- Architecting API Security — Traditional application security and more modern API security approaches often focus on writing secure code, and righteously so. But building secure APIs goes way beyond coding alone. One common example is the use of an API gateway to enforce security.In this session, we look at how to improve API security by designing a robust API architecture. We investigate security patterns and components that you can use, along with their pros and cons. You will walk away from this session with a solid understanding of best practices to secure your API architecture. [presentation]
- Offensive API Security — Does the rise of APIs result in the downfall of security? Why are there so many vulnerabilities and incidents involving APIs? How can you ensure that your APIs are secure? In this session, we use real-world cases to dive into best practices for securing your APIs. We discuss the attack surface of an API, common authorization problems, and best practice techniques to avoid these problems. At the end of this session, you will have an actionable set of guidelines to assess and improve the security of your own APIs. [presentation]
- OAuch: Analyzing the Security Best Practices in the OAuth 2.0 Ecosystem — The aim of the OAuth Security Workshop (OSW) is to improve the security of OAuth and related Internet protocols by a direct exchange of views between academic researchers, IETF OAuth Working Group members and industry. In this presentation during the 2020 edition of OSW, Pieter Philippaerts introduced the OAuch tool — as discussed in APISEC session #6 — and talks in detail about the statistics gathered from the OAuth ecosystem. [presentation]
- The OAuth 2.0 Ecosystem: Statistics & Analysis — We have analyzed over 100 publicly available OAuth providers to create an overview of the current OAuth ecosystem. For this analysis, we focus on public API providers and OIDC providers. We observe that many crucial requirements are scarcely implemented. The analysis has been discussed on the OAuth Security Workshop (OSW). This document summarizes that presentation and extends the presentation with previously unpublished results. [document]