In this workshop, you will discover best practices for building secure APIs. We investigate various techniques to implement authentication and authorization, along with their trade-offs and pitfalls. We dive deep into handling JSON Web Tokens, but also discuss the relevance of browser security features such as Cross-Origin Resource Sharing. Additionally, we discuss current best practices for securing an API with OAuth 2.0.
This course offers practical and immediately applicable security advice for architects and developers. Throughout the course, Philippe is available to answer any questions, including concrete scenarios applying to your own applications.
Concretely, we will cover the following topics:

Modern security header configurations for APIs

Understanding Cross-Origin Resource Sharing (CORS)

Making authorization decisions with access tokens


This workshop consists of a mixture of lectures, demos, interactive quizzes, and hands-on labs. The lectures provide in-depth knowledge of attacks and defenses. The hands-on labs are conducted in a custom-built competitive training environment, allowing participants to gain hands-on experience with offensive and defensive technologies.

This security training specifically targets API developers. Anyone involved in building API-based systems or managing development teams should be here. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.

To participate in this training, you should have development experience with APIs. Familiarity with the basics of security is helpful, but not required. The training will use examples from the Spring Boot and NodeJS ecosystems, but also applies to other environments.

To participate in the lab sessions, participants need an internet-accessible laptop with a modern browser installed (E.g., Chrome, Firefox).

NDC { Security }

Agenda 2021