Securing and Attacking APIs

With the increasing, and eventually complete, reliance on APIs in modern systems, and the rapid decline of monolithic architectures for systems and applications, it is becoming necessary to understand the security issues, weaknesses and gotchas of API design. Many products, platforms and technologies now expose one API or several, sometimes in a decentralized and autonomous fashion. Where does security fit in this world of rapid build-up and teardown of microservices and serverless (Function as a Service, FaaS) architectures?

How do web and mobile apps communicate securely with APIs through devices they cannot trust, over network paths they cannot predict, and on infrastructure they do not own? These questions, and many more, will be studied, tried, tested and answered in this fast-paced, scenario-based, hands-on training course.

This course discusses attacks and countermeasures for security issues typically found in API servers and clients: authentication, injection attacks, credential handling, cryptography, authorization, caching, secure file and resource management, and more. It aims to engage students in the design, analysis and breakdown of security in the client-side and server-side components of modern APIs and application infrastructure, combining both new and old attack vectors and pitfalls. The course does not reinvent the wheel in security, but it will help you not to reinvent the old bugs.

Who Should Attend:
• Software developers, security engineers, architects, researchers, bug bounty hunters, system administrators, students and curious security professionals who would like to expand their skills.
• Anyone interested in keeping their knowledge and skills relevant in the world of cloud, API and app security.

Why you should take this course:
• You want to write secure APIs.
• You want to attack insecure APIs.
• You want to learn the full picture of API and app integration security.
• You have a deep interest in small implementation details.

Course goals and takeaways:
• Be able to create secure web APIs and microservices infrastructure.
• Assess the security of API implementations and configurations.
• Utilize cloud-native tools and infrastructure to deliver secure APIs.

**Course level:** Beginner to Intermediate (see the Prerequisite Knowledge section)

Key Learning Objectives:
• Getting fluent with tooling and API management using custom-made tools.
• API and microservices security architecture.
• How to create APIs that are easy to use securely and hard to use insecurely.
• Techniques and tools to design, test and attack APIs and microservices.
• Understanding the intricate details of authentication and authorization frameworks and technologies.
• Learning how to solve the problem of credential storage effectively.
• Attack and defend against injection vulnerabilities such as template injection, SQL injection, NoSQL injection (e.g. MongoDB) and GraphQL injection.
• Attack and defend against API- and serverless-oriented vulnerabilities such as insecure deserialization (including Python pickle), JSON injection, Edge Side Includes (ESI) injection and serverless event injection.
• Learn AJAX and REST security best practices.
• Know when to use signing, when to use encryption, and when to use both.
• Implement applied, battle-tested cryptography.
• Obtain actionable knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorization.
• Attack insecure implementations of session management, input validation, output encoding and loosely coupled components.
• Implement secure communication channels with API consumers such as web browsers and mobile apps.
• Mitigate and defend against XSS, CSRF, JSONP and CORS security weaknesses in APIs.
• Implement secure WebSocket channels and defend against Cross-Site WebSocket Hijacking.
• Implement and attack multi-factor authentication for APIs.
• Learn and understand cache security and the threats and vulnerabilities that arise from insecure caching methods and configurations.
• Handle files securely by allowing only authorized downloads, even in segmented microservice architectures.
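As an added illustration of the "signing versus encryption" and "secure tokens" objectives above (example code written for this page, not course material or a course tool; the key, the `sub` claim and the `exp` expiry field are assumptions), a minimal HMAC-signed bearer token using only the Python standard library. The signature gives integrity and authenticity: tampered claims, a wrong key and expired tokens are rejected, and the tag is compared in constant time. The claims stay readable to anyone holding the token, which is exactly why signing alone is not encryption.

```python
"""HMAC-signed API token: signing gives integrity, not confidentiality.

Added example, not course material. Key and claim names are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, as used in JWT-style tokens.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    # Restore the padding that _b64 stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Return '<base64 claims>.<base64 HMAC-SHA256 tag>'."""
    # Canonical JSON so the same claims always produce the same bytes.
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the tag and expiry check out, otherwise None.

    The tag is checked before the body is parsed, so untrusted JSON is never
    decoded unless it was produced by a holder of the key.
    """
    try:
        body, tag = token.split(".")
        supplied = _unb64(tag)
        body_bytes = body.encode("ascii")
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body_bytes, hashlib.sha256).digest()
    # Constant-time comparison: a plain '==' leaks how many bytes matched.
    if not hmac.compare_digest(supplied, expected):
        return None
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    # Assumed 'exp' claim: Unix time at or after which the token is dead.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def peek_claims(token: str) -> dict:
    """No key needed: signing hides nothing, so never put secrets in claims."""
    return json.loads(_unb64(token.split(".")[0]))


if __name__ == "__main__":
    key = b"demo-key-assumed"          # assumption: a per-service secret
    tok = sign_token({"sub": "alice", "exp": int(time.time()) + 600}, key)
    print("token:", tok)
    print("verified:", verify_token(tok, key))
    print("readable without key:", peek_claims(tok))
    forged = sign_token({"sub": "admin", "exp": 2**40}, b"attacker").split(".")[0]
    print("forged body with real tag:", verify_token(forged + "." + tok.split(".")[1], key))
```

If the claims must also be hidden from the bearer (a client-held token carrying an internal user ID or an authorization decision), wrap the signed payload in authenticated encryption such as AES-GCM rather than inventing a combination; that is the "both" case.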

Prerequisite Knowledge:
• Familiarity with the concepts of the web, Linux, cloud services, security and APIs.
• Basic programming skills.
• Basic ability to use command line interfaces.
• Scripting experience recommended.
• Familiarity with Python, JavaScript and Go recommended.