Tuesday

Room 1

09:00 - 17:00 (UTC+02)

2 Days

API security for developers

Building secure APIs and microservices is hard, really hard. Not only do you have to make the right architectural security decisions, you also have to be aware of various implementation vulnerabilities to ensure the security of your applications. This workshop provides API developers with the necessary knowledge to assess and improve the security of their APIs.

Security

In this workshop, you will discover best practices for building secure APIs. We investigate various techniques to implement authentication and authorization, along with their trade-offs and pitfalls. We dive deep into handling JSON Web Tokens, but also discuss the relevance of browser security features such as Cross-Origin Resource Sharing. Additionally, we discuss current best practices for securing an API with OAuth 2.0.
This course offers practical and immediately applicable security advice for architects and developers. Throughout the course, Philippe is available to answer any questions, including concrete scenarios applying to your own applications.
Concretely, we will cover the following topics:

  • The security model of APIs
  • Modern security header configurations for APIs
  • API authentication techniques
  • Common API authorization failures
  • API authorization best practices
  • The nonsense of "cookies vs tokens"
  • Understanding Cross-Origin Resource Sharing (CORS)
  • JWT security pitfalls and best practices
  • Token management challenges
  • The role of OAuth 2.0 in API security
  • Making authorization decisions with access tokens
  • Effectively using scopes and permissions


This workshop consists of a mixture of lectures, demos, interactive quizzes, and hands-on labs. The lectures provide in-depth knowledge of attacks and defenses. The hands-on labs are conducted in a custom-built competitive training environment, allowing participants to gain hands-on experience with offensive and defensive technologies.


Who should attend?

This security training specifically targets API developers. Anyone involved in building API-based systems or managing development teams should be here. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.


Prerequisites

To participate in this training, you should have development experience with APIs. Familiarity with the basics of security is helpful, but not required. The training will use examples from the Spring Boot and NodeJS ecosystems, but also applies to other environments.


Computer Setup

To participate in the lab sessions, participants need an internet-accessible laptop with a modern browser installed (E.g., Chrome, Firefox).

Philippe De Ryck

Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. Google recognizes Philippe as a Google Developer Expert for his work on security in Angular applications.