Media
This page contains the screen recordings of the technical presentations in the virtual APISEC project meetings and external presentations. The corresponding slides can be found in the project repository.
APISEC Meeting #1
Date: November 30th, 2020
- API Security, a nightmare? — API integration is one of the most critical aspects of application development today. The number of web API counts has been steadily increasing over the past decade, and businesses increasingly become reliant on them. However, the other side of the coin is that the accelerating pace leads to new challenges for developers. One particularly difficult challenge is ensuring the security of an API and keeping intruders out. In this talk, Erwin Geirnaert (ShiftLeft Security) talks about the most common API security vulnerabilities. He zooms into the top 5 and presents a detailed overview of what can go wrong, giving examples of actual exploits along the way. [video]
APISEC Meeting #2
Date: January 19th, 2021
- Exploring OAuth 2.0: A practical guide to securing your APIs — OAuth 2.0 is the most-popular API authorization protocol in use today. In the decade since its introduction, a number of vulnerabilities have been discovered and the guidelines have been continually tweaked and improved to offer better security. The current OAuth2 best practices have been proven secure under a formal model, but many in-production OAuth implementations are still based on older versions of the OAuth2 guidelines and are insecure. In this talk, Pieter Philippaerts (KU Leuven) introduces the different flows of the OAuth2 authorization framework and talks about the changes that have been made over the years. The security requirements from the original protocol specification are compared with the current best practices, and clear advice is given for developers who are implementing their own APIs or are using third-party APIs. [video]
APISEC Meeting #3
Date: February 24th, 2021
- APISEC - An Intigriti look — One way for a company to quickly scale up its security team is by leveraging a bug bounty platform. A bug bounty program rewards private individuals who manage to find bugs and vulnerabilities in web applications, effectively crowdsourcing flaw and vulnerability management. Most businesses use bug bounty platforms to supplement their in-house QA and bug finding efforts. Intigriti is Europe's leading bug bounty platform. Niels Hofmans (Intigriti) takes us through the testing methodologies for APIs and talks about the top 5 API vulnerabilities that are reported through the Intigrity platform. [video]
APISEC Meeting #4
Date: March 25th, 2021
- Application-level access control for API based cloud applications: Architecture, tactics, patterns and technologies — Building cloud applications that leverage APIs - either as a client or a provider - is a daunting task. In this talk, Bert Lagaisse (KU Leuven) leads us through the maze of challenges and provides tactics and solutions to some of the most common problems. He starts from an application-driven requirements analysis that is representative for the APISEC project members' case studies. Possible architectural solutions are presented and the various trade-offs are discussed. [video]
APISEC Meeting #5
Date: May 5th, 2021
- Trade-offs with token security — Tokens seem simple, but a look under the surface reveals quite a bit of complexity. Examples include the token type, its format, and its lifecycle, all of which require making choices with their trade-offs. In this session, Philippe De Ryck (Pragmatic Web Security) takes a nuanced look at token security challenges and successful token security patterns. [video]
APISEC Meeting #6
Date: June 16th, 2021
- OAuch: Analyzing the Security Best Practices in the OAuth 2.0 Ecosystem — Adding support for an authorization protocol like OAuth to your API seems like a relatively straightforward proces: simply find and use a third-party library that takes care of it. But are you sure that this library is implemented correctly? Or that you are using this library correctly? In this session, we will introduce a new tool — called 'OAuch' — that uncovers hidden weaknesses in your OAuth implementation. The tool will be demonstrated and is made available to test your own implementation. We further discuss the results of a large scale study where 100 public OAuth implementations were analyzed with OAuch. These results offer a unique look into the current state of practice of the OAuth ecosystem. [video]
APISEC Meeting #7
Date: September 14th, 2021
- Policy-driven access control for multi-tenant cloud applications — In this third workshop on API-level access control for cloud applications, Bert Lagaisse walks us through the state of practice and the state of the art in policy-driven access control. He presents new research and state of practice solutions, with a focus on the most-common API-security problems. [video]
APISEC Meeting #8
Date: October 19th, 2021
-
API security is too hard!? —
API security is more than a hot topic these days. We often like to pretend that API security incidents follow from highly sophisticated and
advanced attacks. Unfortunately, more often than not, these attacks follow from a failure to apply API security best practices. The real question
here is why we suffer from this problem? Are we all writing insecure code, or is our approach to secure coding based on the wrong assumptions?
Is API security too hard?
Throughout this talk, Philippe De Ryck (Pragmatic Web Security) reviews various cases where erroneous security assumptions lie at the basis of critical security vulnerabilities in APIs. With practical examples, we will discuss API configurations that allow bypassing security mechanisms and authorization checks. We also take a deep dive into Server-Side Request Forgery, a vulnerability that recently made it into the OWASP top 10. You will walk away from this presentation with a set of API security guidelines that allow you to assess and improve the security of your APIs [video]
OSW 2020
Date: July 22th, 2020
- OAuch: Analyzing the Security Best Practices in the OAuth 2.0 Ecosystem — The aim of the OAuth Security Workshop (OSW) is to improve the security of OAuth and related Internet protocols by a direct exchange of views between academic researchers, IETF OAuth Working Group members and industry. In this presentation during the 2020 edition of OSW, Pieter Philippaerts introduced the OAuch tool — as discussed in APISEC session #6 — and talks in detail about the statistics gathered from the OAuth ecosystem. [video]
APIsecure 2023
Date: March 15th, 2023
- OAuch: Exploring OAuth Implementation Compliance and Weaknesses — OAuth 2.0 is a widely adopted authorization protocol for APIs. Despite its maturity, new vulnerabilities continue to appear in popular OAuth implementations. In this presentation, we introduce a tool, called OAuch, that analyzes the security of OAuth authorization servers. We show how the tool can help you to test and secure your implementations. We also present the results of our OAuth ecosystem analysis, and identify lessons learned. [link]