WEBINAR: Positive Security for APIs


About

Positive Security for APIs: What it is and why you need it!

Many of the issues on the OWASP API Security Top 10 are triggered by missing input or output validation. Here are a few illustrative real-life examples:

  • Drupal suffered a major issue in February 2019: a remote code execution flaw caused by a parameter that was not properly validated.
  • Tchap, the brand new messaging app of the French government, was hacked in an hour because the registration email address was not validated.
  • CVE-2017-5638, better known as the “Equifax attack”. This vulnerability in Apache Struts could be exploited by crafting a custom Content-Type header and embedding OGNL expressions in the header value.
  • Cisco was fined $8.6 million for knowingly selling its Video Surveillance Manager (VSM) product, which contained API vulnerabilities, to US federal and state agencies. The actual API flaws included a lack of user input validation and insufficient authentication.

To protect APIs from such issues, an API-native, positive security approach is required: we create a whitelist of the characteristics of allowed requests. These characteristics are used to validate input and output data for things like data type, minimum or maximum length, permitted characters, or valid value ranges. But how do we close the gap between security and development?
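As an added illustration of the whitelist idea (example code written for this page, not material from the webinar or its presenters), the following Python validator describes each allowed field by its type, length bounds, permitted character pattern, numeric range or fixed set of values, and rejects anything the schema does not name. The same function is applied to a response before it is sent, so output validation catches a field the contract never promised. The field names, schemas and sample payloads are constructed for the example; the Content-Type check mirrors the Struts case above by matching the whole header value against a single allowed media type.

```python
import re

# Constructed whitelists (allow-lists), not from the webinar. Each entry says
# what an allowed value looks like: its type, length bounds, a permitted
# character pattern, a numeric range or a fixed set of values. Anything the
# schema does not name is rejected: that is the positive-security model.
USERNAME = {"type": str, "min_len": 3, "max_len": 32, "pattern": r"^[A-Za-z0-9_]+$"}

REQUEST_SCHEMA = {
    "username": USERNAME,
    "email": {"type": str, "min_len": 6, "max_len": 254,
              "pattern": r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"},
    "age": {"type": int, "min": 13, "max": 120},
    "role": {"type": str, "allowed": {"viewer", "editor"}},
}

# Output validation uses the same mechanism: the response may only carry the
# fields the contract promises, so a leaked internal field is caught before
# it leaves the service.
RESPONSE_SCHEMA = {
    "id": {"type": int, "min": 1, "max": 2**31 - 1},
    "username": USERNAME,
}

# Only this media type (optionally with a UTF-8 charset) is accepted. The
# header value is matched as a whole, so nothing else can ride along in it.
CONTENT_TYPE_RE = re.compile(r"^application/json(;\s*charset=utf-8)?$", re.IGNORECASE)


def content_type_allowed(header_value):
    """True only when the Content-Type header exactly matches the whitelist."""
    if header_value is None:
        return False
    return CONTENT_TYPE_RE.match(header_value.strip()) is not None


def validate(payload, schema, required=True):
    """Check a decoded JSON object against a whitelist schema.

    Returns a list of violations; an empty list means the payload conforms.
    """
    if not isinstance(payload, dict):
        return ["payload: must be a JSON object"]
    errors = []
    # Unknown fields are rejected outright, whatever their value.
    for key in payload:
        if key not in schema:
            errors.append(f"{key}: field not in whitelist")
    for name, rule in schema.items():
        if name not in payload:
            if required:
                errors.append(f"{name}: missing")
            continue
        value = payload[name]
        expected = rule["type"]
        # bool is a subclass of int in Python, so true/false must not pass as a number.
        if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
            errors.append(f"{name}: expected {expected.__name__}")
            continue
        if expected is str:
            if "min_len" in rule and len(value) < rule["min_len"]:
                errors.append(f"{name}: shorter than {rule['min_len']}")
            if "max_len" in rule and len(value) > rule["max_len"]:
                errors.append(f"{name}: longer than {rule['max_len']}")
            if "pattern" in rule and re.fullmatch(rule["pattern"], value) is None:
                errors.append(f"{name}: contains characters outside the permitted set")
        if expected is int:
            if "min" in rule and value < rule["min"]:
                errors.append(f"{name}: below {rule['min']}")
            if "max" in rule and value > rule["max"]:
                errors.append(f"{name}: above {rule['max']}")
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{name}: value not in allowed set")
    return errors


if __name__ == "__main__":
    # Constructed sample requests: one conforming, one with several violations.
    good = {"username": "alice_01", "email": "alice@example.com", "age": 30, "role": "viewer"}
    bad = {"username": "al", "email": "not-an-email", "age": 7, "role": "admin", "debug": True}
    print(validate(good, REQUEST_SCHEMA))  # []
    for problem in validate(bad, REQUEST_SCHEMA):
        print("reject:", problem)
    # A response that leaks an internal field is rejected by the output whitelist.
    print(validate({"id": 7, "username": "alice_01", "password_hash": "..."}, RESPONSE_SCHEMA))
    print(content_type_allowed("multipart/form-data; boundary=x"))  # False
```

The point to notice is the order of checks: an unlisted field or a wrong type fails before any string or range rule is evaluated, so the validator never has to reason about what a rejected value might mean. In a real service the schema would be generated from the API contract (for instance an OpenAPI description) rather than written by hand, which is what keeps the security and development views of the API in step.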

What you’ll learn:

  • Why WAFs fail in protecting APIs
  • How a whitelist protects against A3, A6 and A8 of the OWASP API Security Top 10 (with real-life examples)
  • How to build a proper whitelist for API security


