APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management, bringing together breakers, defenders, and solutions in API security.
Top Ten Security Tips for APIs
Tanya Janca, CEO and Founder at WeHackPurple
2. @SheHacksPurple
• APIs rule the web, but they are being attacked
• Top Ten API Security Best Practices
• Resources
• PDF of this talk’s 10 tips
• Free Mini Course
What are we going to talk about today?
Photo by Dex Ezekiel on Unsplash
3. @SheHacksPurple
Tanya Janca
About Me
• Technical Advisor at Bright Security
• CEO & Founder @ We Hack Purple
• AKA @SheHacksPurple
• Author: Alice and Bob Learn Application Security
• Advisor: Nord VPN, Cloud Defense, Aiya
• 25 years in tech, Sec + Dev
• Blogger, Podcaster, Streamer, Builder, Breaker
• Nerd at Large
6. @SheHacksPurple
APIs still need just as much security attention as web applications; not having a front end does not make them invisible to attackers.
The Problem
Web apps are the #1 cause of data breach, and most web apps are now just a bunch of APIs with a GUI in front.
17. @SheHacksPurple
All the same secure coding practices you normally do: input validation using approved lists, parameterized queries, bounds checking, etc.
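As an added example in Python (not code from the talk), a small API lookup that applies the three practices on this slide, approved-list validation, bounds checking and a parameterized query, shown next to the string-concatenation form it replaces. The table, column names and the `sort`/`limit` parameters are assumptions.

```python
import re
import sqlite3

# Approved-list validation: accept only values of the expected shape, rather
# than trying to block known-bad input. Names and limits here are hypothetical.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
ALLOWED_SORT_FIELDS = {"created", "email"}
MAX_LIMIT = 100  # bounds check for the 'limit' parameter

def validate_username(value) -> str:
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username rejected by approved list")
    return value

def validate_limit(value) -> int:
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise ValueError("limit must be an integer")
    if not 1 <= n <= MAX_LIMIT:
        raise ValueError("limit out of bounds")
    return n

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, created INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "a@example.test", 1), ("bob", "b@example.test", 2)])
    return conn

def lookup_user_unsafe(conn, username):
    # 'Before' form: the value is pasted into SQL text, so the caller controls the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, username, sort="created", limit=10):
    username = validate_username(username)
    limit = validate_limit(limit)
    if sort not in ALLOWED_SORT_FIELDS:  # column names cannot be bound, so approved-list them
        raise ValueError("sort field not in approved list")
    # Parameterized query: '?' placeholders are bound as data, never parsed as SQL.
    sql = f"SELECT username FROM users WHERE username = ? ORDER BY {sort} LIMIT ?"
    return conn.execute(sql, (username, limit)).fetchall()

def safe_lookup_accepts(conn, username, sort="created", limit=10) -> bool:
    try:
        lookup_user_safe(conn, username, sort, limit)
        return True
    except ValueError:
        return False
```

The unsafe variant returns every row for a malformed username, while the hardened one rejects it before any SQL runs; the same approved-list check also covers the column name, which cannot be bound as a query parameter.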
18. @SheHacksPurple
What did we learn today?
APIs need just as much attention as web apps!
Best practices are doable!
Secure SDLCs produce secure software
22. @SheHacksPurple
I have a podcast!!!!!
We Hack Purple Podcast, season 2, offers short security lessons and best practices! Watch it on YouTube or subscribe on any podcast platform.
youtube.com/WeHackPurple
23. @SheHacksPurple
Awesome Books!
• The DevOps Handbook
• The Phoenix Project
• Accelerate
• The Unicorn Project
• Alice and Bob Learn Application Security
APIs are being attacked by bots all the time, being abused all over the internet. Even without a front end, APIs are still a big target for malicious actors. How do we fight this? In this talk we will cover all the best practices for making your APIs tough and safe!
Current state of affairs: a review for most, but I want to make sure we are all on the same page.