
OWASP Global AppSec Tel Aviv Recap

Salt Security
Jun 26, 2019

OWASP Global AppSec 2019 happened recently in Tel Aviv and I was lucky enough to attend, present a few sessions, meet some new people and have lots of great conversations so I thought it would be good to do a writeup to share my thoughts about the event. First, let’s talk about why I attended.


Over the years I’ve talked to a lot of penetration testers, application security people and CISOs. Most recently at Salt I’m talking to them about API protection, and from these conversations I’ve come to realize that there’s a general lack of understanding of how to approach penetration testing for APIs, which is really different from testing traditional applications. There are tons of great resources out there for application penetration testing, but the same can’t be said about APIs, and I’ve found that a lot of people don’t know how to approach API security. I’ve also come to realize that there’s a lack of well-defined methodology.


When the Global AppSec show was announced I heard about the call for papers and thought it would be the perfect opportunity and perfect audience to put together a session and share my insights into the world of API penetration testing and API security.

I was lucky enough to have my session on Testing and Hacking APIs selected for the event and I started to pull together slides focused on helping people who want to get smarter about hacking APIs.

Testing & Hacking APIs

In the session I shared my experience as a pen tester, the journey that brought me to the role that I’m in now at Salt and how to approach the new battleground that we call API security. I dug into a few areas where people are struggling, including how to:

  • Evaluate and understand the underlying implementation of an application from API traffic
  • Detect potentially vulnerable points in APIs
  • Approach and perform a successful and effective penetration test in modern applications

I didn’t actually count, but there seemed to be just under 100 people in the room for my session. This was a good chunk of the event attendees, and they were really engaged with lots of good questions before and after the presentation, which made me happy that it really got people thinking.


I did another session with Erez Yalon from Checkmarx to announce the OWASP API Security Project that we co-founded and have been working on for the past few months. This session gave us a chance to share the working doc for an API Security Top Ten and officially release it to the community for comment. We’re looking forward to good feedback from the community and finalizing the doc toward the end of 2019. You can see our slides from the session here to learn more about the project.

This session was a bit smaller than my Testing & Hacking session, but the crowd was made up of people who want to go deep, understand what we’re working on and participate in the project. If you’re interested in participating and providing feedback as well, check out the page on how you can join the project for more details. We’re already starting to see comments roll in and would love to see more from others passionate about API security.

Even if you don’t want to join the project, I’d love to hear your thoughts around API security, API penetration testing and how you’re approaching it in your environment. Let me know in the comments below.

OWASP Innovation Fair

This year OWASP kicked off a new tradition with the First Annual Innovation Fair, a competition for up-and-coming startups in the area of application and software security. At the fair each of the 6 startups was given 5 minutes to pitch their solution, followed by a short Q&A by the hosts, and then it was up to the audience to vote and pick a winner. We had some strong competition, and I’m proud to say we were selected by the community as the winner. We’ll post a video soon of the winning pitch.
