Register for our Dec 19th Webinar: Beyond the Perimeter: Achieving Comprehensive API Security

Blog Post

Industry

OWASP Global AppSec Tel Aviv Recap

Salt SecuritySalt
Jun 26, 2019

OWASP Global AppSec 2019 happened recently in Tel Aviv and I was lucky enough to attend, present a few sessions, meet some new people and have lots of great conversations so I thought it would be good to do a writeup to share my thoughts about the event. First, let’s talk about why I attended.

OWASP Global AppSec 2019 happened recently in Tel Aviv and I was lucky enough to attend, present a few sessions, meet some new people and have lots of great conversations so I thought it would be good to do a writeup to share my thoughts about the event. First, let’s talk about why I attended.

Over the years I’ve talked to a lot of penetration testers, application security people and CISOs. Most recently at Salt I’m talking to them about API protection and from these conversations I’ve come to realize that there’s a general lack of understanding of how to approach penetration testing for APIs and it’s really different from testing traditional applications. There are tons of great resources out there for application penetration testing but the same can’t be said about APIs and I’ve found that a lot of people don’t know how to approach API security. I’ve also come to realize that there’s a lack of well defined methodology.

Get the latest API Security report and see how you compare

When the Global AppSec show was announced I heard about the call for papers and thought it would be the perfect opportunity and perfect audience to put together a session and share my insights into the world of API penetration testing and API security.

I was lucky enough to have my session on Testing and Hacking APIs selected for the event and I started to pull together slides focused on helping people who want to get smarter about hacking APIs.

Testing & Hacking APIs

In the session I shared my experience as a pen tester, the journey that brought me to the role that I’m in now at Salt and how to approach the new battle ground that we call API security. I dug into a few areas where people are struggling including how to:

  • Evaluate and understand the underlying implementation of an application from API traffic
  • Detect potential vulnerable points in APIs
  • Approach and perform a successful and effective penetration test in modern applications

I didn’t actually count but there seemed to be just under 100 people in the room for my session. This was a good chunk of the event attendees and they were really engaged with lots of good questions before and after the presentation which made me happy that it really got people thinking.

OWASP API Project

I did another session with Erez Yalon from Checkmarx to announce the OWASP API Security Project that we co-founded and have been working on for the past few months. This session gave us a chance to share the working doc for an API Security Top Ten and officially release it to the community for comment. We’re looking forward to good feedback from the community and finalizing the doc toward the end of 2019. You see our slides from the session here to learn more about the project

This session was a bit smaller than my Testing & Hacking session but the crowd was made up of people who want to go deep, understand what we’re working on and participate in the project. If you’re interested participating and providing feedback as well check out the page on how you can join the project for more details. We’re already starting to see comments roll in and would love to see more from others passionate about API security.

Even if you don’t want to join the project I’d love to hear your thoughts around API security, API penetration testing and how you’re approaching it in your environment. Let me know in the comments below.

OWASP Innovation Fair

OWASP Innovation Fair

This year OWASP kicked off a new tradition with the First Annual Innovation Fair — a competition for up and coming startups in the area of application and software security. At the fair each of the 6 startups were given 5 minutes to pitch their solution followed by a short Q&A by the hosts and then it was up to the audience to vote and pick a winner. We had some strong competition and I’m proud to say we were selected by the community as the winner. We’ll post a video soon of the winning pitch.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

November 27, 2024

Eric Schwake
Head of Product Marketing

Industry

Beyond Traditional Security: Addressing the API Security Gap

To safeguard your business from API-specific threats, you need a dedicated solution that offers comprehensive visibility, in-depth contextual analysis, automated governance, robust data protection, and AI-driven threat prevention.

Read more

November 21, 2024

Eric Schwake
Head of Product Marketing

Industry

API (In)security: The Hidden Risk of Black Friday

Learn how, for online retailers, Black Friday represents both a lucrative opportunity and a significant cybersecurity challenge.

Read more

November 5, 2024

Eric Schwake
Head of Product Marketing

Industry

API Security: The Non-Negotiable for Modern Transportation

Airlines and transportation companies heavily rely on APIs to handle sensitive data, from customer information to payment details and flight schedules. While crucial for efficient operations, these APIs are also prime cyberattack targets.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back