OWASP Global AppSec 2019 happened recently in Tel Aviv, and I was lucky enough to attend, present a few sessions, meet some new people, and have lots of great conversations, so I thought it would be good to do a writeup to share my thoughts about the event. First, let’s talk about why I attended.
Over the years I’ve talked to a lot of penetration testers, application security people, and CISOs. Most recently, at Salt, I’ve been talking to them about API protection, and from these conversations I’ve come to realize that there’s a general lack of understanding of how to approach penetration testing for APIs, and that it’s really different from testing traditional applications. There are tons of great resources out there for application penetration testing, but the same can’t be said about APIs, and I’ve found that a lot of people don’t know how to approach API security. I’ve also come to realize that there’s a lack of well-defined methodology.
When the Global AppSec show was announced, I heard about the call for papers and thought it would be the perfect opportunity, and the perfect audience, to put together a session and share my insights into the world of API penetration testing and API security.
I was lucky enough to have my session on Testing and Hacking APIs selected for the event and I started to pull together slides focused on helping people who want to get smarter about hacking APIs.
Testing & Hacking APIs
In the session I shared my experience as a pen tester, the journey that brought me to the role I’m in now at Salt, and how to approach the new battleground that we call API security. I dug into a few areas where people are struggling, including how to:
- Evaluate and understand the underlying implementation of an application from API traffic
- Detect potentially vulnerable points in APIs
- Approach and perform a successful and effective penetration test of modern applications
I didn’t actually count, but there seemed to be just under 100 people in the room for my session. This was a good chunk of the event attendees, and they were really engaged, with lots of good questions before and after the presentation, which made me happy; it really got people thinking.
OWASP API Project
I did another session with Erez Yalon from Checkmarx to announce the OWASP API Security Project, which we co-founded and have been working on for the past few months. This session gave us a chance to share the working doc for an API Security Top Ten and officially release it to the community for comment. We’re looking forward to good feedback from the community and to finalizing the doc toward the end of 2019. You can see our slides from the session here to learn more about the project.
This session was a bit smaller than my Testing & Hacking session, but the crowd was made up of people who want to go deep, understand what we’re working on, and participate in the project. If you’re interested in participating and providing feedback as well, check out the page on how you can join the project for more details. We’re already starting to see comments roll in and would love to see more from others passionate about API security.
Even if you don’t want to join the project, I’d love to hear your thoughts on API security, API penetration testing, and how you’re approaching it in your environment. Let me know in the comments below.
OWASP Innovation Fair
This year OWASP kicked off a new tradition with the First Annual Innovation Fair – a competition for up-and-coming startups in the area of application and software security. At the fair, each of the six startups was given 5 minutes to pitch their solution, followed by a short Q&A with the hosts, and then it was up to the audience to vote and pick a winner. We had some strong competition, and I’m proud to say we were selected by the community as the winner. We’ll post a video soon of the winning pitch.