Subscribe to the Salt blog

Privacy Policy

Subscribe to our blog.

Subscribe Now

OWASP Global AppSec Tel Aviv Recap

Salt SecuritySalt
Jun 26, 2019

OWASP Global AppSec 2019 happened recently in Tel Aviv and I was lucky enough to attend, present a few sessions, meet some new people and have lots of great conversations so I thought it would be good to do a writeup to share my thoughts about the event. First, let’s talk about why I attended.

OWASP Global AppSec 2019 happened recently in Tel Aviv and I was lucky enough to attend, present a few sessions, meet some new people and have lots of great conversations so I thought it would be good to do a writeup to share my thoughts about the event.  First, let’s talk about why I attended.

Over the years I’ve talked to a lot of penetration testers, application security people and CISOs.  Most recently at Salt I’m talking to them about API protection and from these conversations I’ve come to realize that there’s a general lack of understanding of how to approach penetration testing for APIs and it’s really different from testing traditional applications.  There are tons of great resources out there for application penetration testing but the same can’t be said about APIs and I’ve found that a lot of people don’t know how to approach API security. I’ve also come to realize that there’s a lack of well defined methodology.

Get the latest API Security report and see how you compare

When the Global AppSec show was announced I heard about the call for papers and thought it would be the perfect opportunity and perfect audience to put together a session and share my insights into the world of API penetration testing and API security.  

I was lucky enough to have my session on Testing and Hacking APIs selected for the event and I started to pull together slides focused on helping people who want to get smarter about hacking APIs.

Testing & Hacking APIs

In the session I shared my experience as a pen tester, the journey that brought me to the role that I’m in now at Salt and how to approach the new battle ground that we call API security.  I dug into a few areas where people are struggling including how to:

  • Evaluate and understand the underlying implementation of an application from API traffic
  • Detect potential vulnerable points in APIs
  • Approach and perform a successful and effective penetration test in modern applications

I didn’t actually count but there seemed to be just under 100 people in the room for my session.  This was a good chunk of the event attendees and they were really engaged with lots of good questions before and after the presentation which made me happy that it really got people thinking.

OWASP API Project

I did another session with Erez Yalon from Checkmarx to announce the OWASP API Security Project that we co-founded and have been working on for the past few months.  This session gave us a chance to share the working doc for an API Security Top Ten and officially release it to the community for comment.  We’re looking forward to good feedback from the community and finalizing the doc toward the end of 2019. You see our slides from the session here to learn more about the project

This session was a bit smaller than my Testing & Hacking session but the crowd was made up of people who want to go deep, understand what we’re working on and participate in the project. If you’re interested participating and providing  feedback as well check out the page on how you can join the project for more details. We’re already starting to see comments roll in and would love to see more from others passionate about API security.

Even if you don’t want to join the project I’d love to hear your thoughts around API security, API penetration testing and how you’re approaching it in your environment.  Let me know in the comments below.

OWASP Innovation Fair
OWASP Innovation Fair

This year OWASP kicked off a new tradition with the First Annual Innovation Fair –  a competition for up and coming startups in the area of application and software security.  At the fair each of the 6 startups were given 5 minutes to pitch their solution followed by a short Q&A by the hosts and then it was up to the audience to vote and pick a winner.  We had some strong competition and I’m proud to say we were selected by the community as the winner. We’ll post a video soon of the winning pitch.

Tags

Events
Go back to blog
Salt Security Addresses Critical OAuth Vulnerabilities Enhancing API Security with OAuth Protection Package

Salt Security Addresses Critical OAuth Vulnerabilities Enhancing API Security with OAuth Protection Package

Salt Security is enhancing its API protection platform with a comprehensive suite of new OAuth threat detections and posture rules.

Eric Schwake
April 25, 2024
Introducing Salt Security’s New AI-Powered Knowledge Base Assistant: Pepper!

Introducing Salt Security’s New AI-Powered Knowledge Base Assistant: Pepper!

We are happy to announce the availability of our AI-powered KB assistant, Pepper.

Eric Schwake
April 3, 2024
Security Flaws within ChatGPT Ecosystem Allowed Access to Accounts On Third-Party Websites and Sensitive Data

Security Flaws within ChatGPT Ecosystem Allowed Access to Accounts On Third-Party Websites and Sensitive Data

Salt Labs researchers identified generative AI ecosystems as a new interesting attack vector. vulnerabilities found during this research on ChatGPT ecosystem could have granted access to accounts of users, including GitHub repositories, including 0-click attacks.

Aviad Carmel
March 13, 2024

Download this guide for advice on evaluating key capabilities in API Security

Learn everything you need to know to keep your APIs secure

We have updated and re-designed our Privacy Policy as of  March 2024 to make it easier to understand how we collect and use your personal data.

Get the guide
Read the new policy
Back