Christian Wenz
Bullet-Proof APIs: The OWASP API Security Top Ten
#1about 2 minutes
Understanding the OWASP API Security Top Ten list
The OWASP API Security Top Ten list was created based on public incidents to raise awareness of common vulnerabilities.
#2about 2 minutes
Preventing broken object level authorization vulnerabilities
Attackers can access unauthorized data by guessing sequential IDs if proper permission checks are not implemented for every object.
#3about 5 minutes
Securing APIs against broken authentication flaws
Common authentication risks include misconfigured JWTs and weak secrets, which can be mitigated using the BFF pattern for single page applications.
#4about 3 minutes
Mitigating mass assignment and overposting attacks
Mass assignment vulnerabilities allow attackers to modify protected object properties by sending extra fields in an API request.
#5about 3 minutes
Preventing unrestricted resource consumption and DoS
APIs must implement rate limiting and validate parameters like page size to prevent denial-of-service attacks from excessive resource requests.
#6about 1 minute
Enforcing broken function level authorization
Authorization checks must be applied consistently across all API functions and HTTP methods to prevent unauthorized actions.
#7about 1 minute
Protecting sensitive business flows from API abuse
APIs can be exploited to manipulate business logic, requiring both technical and process-based countermeasures to protect core operations.
#8about 2 minutes
Understanding server side request forgery (SSRF)
An attacker can exploit an SSRF vulnerability to force a server to make requests to internal network resources that are otherwise inaccessible.
#9about 3 minutes
Avoiding security misconfigurations with HTTP headers
Proper configuration, including setting security-enhancing HTTP headers and removing revealing headers, is crucial for securing APIs.
#10about 1 minute
The importance of proper API inventory management
Failing to track all API versions and environments can lead to unmaintained and vulnerable endpoints that pose a significant security risk.
#11about 1 minute
Defending against unsafe consumption of third-party APIs
Treat data from third-party APIs with zero trust, validating and handling it as carefully as any other user input to build resilient applications.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
05:12 MIN
Identifying top security risks with the OWASP Top 10
Plants vs. Thieves: Automated Tests in the World of Web Security
06:01 MIN
Understanding risks with the OWASP Top 10
Plants vs. Thieves: Automated Tests in the World of Web Security
1:15:27 MIN
Understanding common web and API vulnerability classes
Software Security 101: Secure Coding Basics
05:47 MIN
Understanding the OWASP Top 10 for web security
Security in modern Web Applications - OWASP to the rescue!
04:13 MIN
Focusing on key OWASP Top 10 risks for developers
Delay the AI Overlords: How OAuth and OpenFGA Can Keep Your AI Agents from Going Rogue
05:11 MIN
Focusing on the top three OWASP security threats
It's a (testing) trap! - Common testing pitfalls and how to solve them
21:01 MIN
Applying typed security to OWASP vulnerabilities
Typed Security: Preventing Vulnerabilities By Design
02:06 MIN
Focusing on secure architecture over just code
Architecting API Security
Featured Partners
Related Videos
26:59Security in modern Web Applications - OWASP to the rescue!
Jakub Andrzejewski
47:34Architecting API Security
Philippe De Ryck
23:47Lessons learned from observing a billion API requests
Pratim Bhosale
58:19Typed Security: Preventing Vulnerabilities By Design
Michael Koppmann
28:41101 Typical Security Pitfalls
Alexander Pirker
20:29REST in Peace? What does the API protocol of the future look like? Or do we have it already?
Simon Auer
29:50Real-World Security for Busy Developers
Kevin Lewis
40:38How to Cause (or Prevent) a Massive Data Breach- Secure Coding and IDOR
Anna Bacher
From learning to earning
Jobs that call for the skills explored in this talk.
