October 31 - November 2  - Portland, OR
Tuesday, October 31 • 3:30pm - 5:00pm
OWASP’s Latest Category: API Underprotection - Skip Hovsmith, CriticalBlue
OWASP’s 2017 Top Ten adds a new category called 'underprotected APIs', reflecting the growth of RESTful Web APIs and richer front-end clients, which strain current security and access-authorization approaches. You’ll learn about the potential threats that arise from undersecured Web APIs and about techniques to strengthen your API security posture. You'll gain a clear understanding of user authorization via OAuth2, software authorization via static API keys, and the critical interplay between them. Of particular concern are mobile API consumers, whose code is published statically and embeds secrets that are often poorly concealed. Practical advice with code examples will show how to improve mobile API security. TLS is necessary but insufficient to fully secure client-server communications; certificate pinning is explained with code examples to show how to strengthen channel communications. Some advanced techniques will also be discussed, such as app hardening, white-box cryptography and mobile app attestation. You should leave with a good understanding of the underprotected API problem, some immediately practical tips to improve your API security posture, and a sense of the emerging tools and technologies that enable a significant step change in API security.

Speakers
Skip Hovsmith

Growth Hacker, CriticalBlue
Mobile API Protection

Tuesday October 31, 2017 3:30pm - 5:00pm PDT
Pavilion West