SlideShare a Scribd company logo

Practical API Security - Midwest PHP 2018

Adam Englander
Adam Englander

The document discusses practical API security and provides recommendations for securing APIs. It recommends implementing defense in depth with layers of security including transport layer security, rate limiting, authentication, data validation, encryption, logging, and access control. It then goes into more detail about how to implement specific security measures like replay prevention, rate limiting, authentication methods, message and response validation, encrypting data at rest and in transit, and logging recommendations.

Technology
1 of 90
Download to read offline
@adam_englander Practical API Security Adam Englander, Software Architect iovation
@adam_englander Let's set some expectations...
@adam_englander What are we protecting against?
@adam_englander
@adam_englander 1: Injection
@adam_englander 2: Broken Authentication
@adam_englander 3: Sensitive Data Exposure
@adam_englander 4: XML External Entities (XXE)
@adam_englander libxml_disable_entity_loader(true);
@adam_englander Use defusedxml and defusedexpat to protect lib.xml
@adam_englander 5: Broken Access Control
@adam_englander 6: Security Misconfiguration
@adam_englander 7: Cross-Site Scripting XSS
@adam_englander 8: Insecure Deserialization
@adam_englander 9: Using Components with Known Vulnerabilities
@adam_englander PHP Resources • https://security.sensiolabs.org/ • roave/security-advisories package • https://github.com/FriendsOfPHP/security- advisories
@adam_englander 10: Insufficient Logging & Monitoring
@adam_englander How do we provide that protection?
@adam_englander
@adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
@adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
@adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
@adam_englander
@adam_englander
@adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
@adam_englander Replay prevention requires unique requests
@adam_englander Determine Uniqueness of Request GET / HTTP/1.1 Accept: application/json
@adam_englander Determine Uniqueness of Request GET / HTTP/1.1 Accept: application/json X-Nonce: 5ed518e8c5c51a64638b2b50c192242d
@adam_englander Store that unique value in a datastore so you can verify you don't see it again
@adam_englander Use the add function on the cache to prevent race conditions
@adam_englander Cache Example if ($token === null) { throw new AuthorizationRequiredException(); } elseif (!$this->cache->add(hash('sha512', $token), 1, 10)) { throw new InvalidRequestException(); }
@adam_englander Use insert on unique index for RDBMS to prevent race conditions
@adam_englander Rate limiting requires unique identification for restrictions
@adam_englander api-user-id|create-widget|20:01 ebf4e1d4bb33e5f6028e8443d6a1d6aa
@adam_englander Use the add and increment functions of the cache to prevent race conditions
@adam_englander Cache Example $key = sprintf("%s|root-post|%s", $userId, $timeSlice); $this->cache->add($key, 0, 1); $total = $this->cache->increment($key);
@adam_englander Use insert with unique index and update returning in RDBMS to prevent race conditions
@adam_englander Data stores can be done in three ways.
@adam_englander In Memory Datastore
@adam_englander Local Datastore
@adam_englander Global Datastore
@adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
@adam_englander Do not make authentication part of the body
@adam_englander Use the Authorization header
@adam_englander HTTP Basic Authentication Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
@adam_englander HTTP Digest Authentication DO NOT USE!
@adam_englander HTTP Bearer Authentication Authorization: Bearer mF_9.B5f-4.1JqM
@adam_englander Roll Your Own
@adam_englander Many APIs do this
@adam_englander What about never rolling your own crypto?
@adam_englander Single Use JWT
@adam_englander No auth service required
@adam_englander Can use existing JWT libraries to create and validate
@adam_englander Can be extended beyond auth to provide data validation and MITM protection
@adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
@adam_englander Message Validation
@adam_englander Request Validation
@adam_englander Method Validation GET /user/abc HTTP/1.1 Accept: application/json
@adam_englander Method Validation DELETE /user/abc HTTP/1.1 Accept: application/json
@adam_englander Path Validation GET /user/abc HTTP/1.1 Accept: application/json
@adam_englander Path Validation GET /user/def HTTP/1.1 Accept: application/json
@adam_englander Body Validation PATCH /user/abc HTTP/1.1 {"email": "valid@user.com"}
@adam_englander Body Validation PATCH /user/abc HTTP/1.1 {"email": "pwned@hkr.com"}
@adam_englander Response Validation
@adam_englander Status Code Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"expected": "value"}
@adam_englander Status Code Validation HTTP/1.1 400 Invalid Request Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"expected": "value"}
@adam_englander Status Code Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"expected": "value"}
@adam_englander Status Code Validation HTTP/1.1 301 Moved Content-Type: application/json; charset=UTF-8 Content-Length: 21 Location: https://bad.actor.com {"expected": "value"}
@adam_englander Header Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 Cache-Control: no-cache {"expected": "value"}
@adam_englander Header Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 Cache-Control: max-age=99999999 {"expected": "value"}
@adam_englander Data Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"active": false}
@adam_englander Data Validation HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 Content-Length: 21 {"active": true}
@adam_englander Validation of request data
@adam_englander Defense in Depth Transport Layer Security Rate Limiting/Replay Prevention Authentication Data Validation Data Encryption Logging Access Control
@adam_englander Encrypt Data at Rest
@adam_englander Use a structure format that allows for in-place key rotation and nonce storage
@adam_englander COSE CBOR Object Signing and Encryption (COSE) Concise Binary Object Representation (CBOR)
@adam_englander Roll Your Own keyid|nonce|encrypted-data
@adam_englander Encrypt Data in Transit
@adam_englander WW?D
@adam_englander JSON Web Encryption
@adam_englander Log Everything
@adam_englander Log in a structured format for easier parsing
@adam_englander Log all pertinent actions
@adam_englander Include all data regarding state. Anonymize sensitive data.
@adam_englander Include origin data to identify bad actors.
@adam_englander Utilize tools like ELK or Greylog to aggregate logs
@adam_englander Determine anomalous conditions and alert on those conditions.
@adam_englander And now a demonstration...
@adam_englander https://joind.in/talk/9895f

Recommended

Cryptography for Beginners - Midwest PHP 2018
Cryptography for Beginners - Midwest PHP 2018Cryptography for Beginners - Midwest PHP 2018
Cryptography for Beginners - Midwest PHP 2018Adam Englander
 
ZendCon 2018 - Practical API Security
ZendCon 2018 - Practical API SecurityZendCon 2018 - Practical API Security
ZendCon 2018 - Practical API SecurityAdam Englander
 
Practical API Security - PyCon 2019
Practical API Security - PyCon 2019Practical API Security - PyCon 2019
Practical API Security - PyCon 2019Adam Englander
 
API documentation
API documentationAPI documentation
API documentationLow-Code Starter Pack
 
Finding Bugs FASTER with Fuzzing
Finding Bugs FASTER with FuzzingFinding Bugs FASTER with Fuzzing
Finding Bugs FASTER with FuzzingAlper Başaran
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Devoxx Ukraine 2018 "Break me if you can: practical guide to building fault-t...
Devoxx Ukraine 2018 "Break me if you can: practical guide to building fault-t...Devoxx Ukraine 2018 "Break me if you can: practical guide to building fault-t...
Devoxx Ukraine 2018 "Break me if you can: practical guide to building fault-t...Alex Borysov
 
Threat Modeling for Dummies
Threat Modeling for DummiesThreat Modeling for Dummies
Threat Modeling for DummiesAdam Englander
 

Recommended

Cryptography for Beginners - Midwest PHP 2018
Cryptography for Beginners - Midwest PHP 2018Cryptography for Beginners - Midwest PHP 2018
Cryptography for Beginners - Midwest PHP 2018Adam Englander
 
ZendCon 2018 - Practical API Security
ZendCon 2018 - Practical API SecurityZendCon 2018 - Practical API Security
ZendCon 2018 - Practical API SecurityAdam Englander
 
Practical API Security - PyCon 2019
Practical API Security - PyCon 2019Practical API Security - PyCon 2019
Practical API Security - PyCon 2019Adam Englander
 
API documentation
API documentationAPI documentation
API documentationLow-Code Starter Pack
 
Finding Bugs FASTER with Fuzzing
Finding Bugs FASTER with FuzzingFinding Bugs FASTER with Fuzzing
Finding Bugs FASTER with FuzzingAlper Başaran
 
REST API Pentester's perspective
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing
 
Devoxx Ukraine 2018 "Break me if you can: practical guide to building fault-t...
Devoxx Ukraine 2018 "Break me if you can: practical guide to building fault-t...Devoxx Ukraine 2018 "Break me if you can: practical guide to building fault-t...
Devoxx Ukraine 2018 "Break me if you can: practical guide to building fault-t...Alex Borysov
 
Threat Modeling for Dummies
Threat Modeling for DummiesThreat Modeling for Dummies
Threat Modeling for DummiesAdam Englander
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASPchadtindel
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
Yan Cui - How to build observability into a serverless application - Codemoti...
Yan Cui - How to build observability into a serverless application - Codemoti...Yan Cui - How to build observability into a serverless application - Codemoti...
Yan Cui - How to build observability into a serverless application - Codemoti...Codemotion
 
Simple Tips to Secure your WordPress
Simple Tips to Secure your WordPressSimple Tips to Secure your WordPress
Simple Tips to Secure your WordPressFiroz Sabaliya
 
Serverless observability - a hero's perspective
Serverless observability - a hero's perspectiveServerless observability - a hero's perspective
Serverless observability - a hero's perspectiveYan Cui
 
Atlrug intermodal - sep 2011
Atlrug intermodal - sep 2011Atlrug intermodal - sep 2011
Atlrug intermodal - sep 2011hosheng
 
Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Adam Englander
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Mohammed Adam
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 
Rails 3 and OAuth for Barcamp Tampa
Rails 3 and OAuth for Barcamp TampaRails 3 and OAuth for Barcamp Tampa
Rails 3 and OAuth for Barcamp TampaBryce Kerley
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTAdam Englander
 
Threat Modeling for Dummies - Cascadia PHP 2018
Threat Modeling for Dummies - Cascadia PHP 2018Threat Modeling for Dummies - Cascadia PHP 2018
Threat Modeling for Dummies - Cascadia PHP 2018Adam Englander
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhamzaaqqa7
 
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
Symfony Live San Franciso 2017 - BDD API Development with Symfony and BehatSymfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
Symfony Live San Franciso 2017 - BDD API Development with Symfony and BehatAdam Englander
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Adam Englander
 

More Related Content

What's hot

20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASPchadtindel
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
Yan Cui - How to build observability into a serverless application - Codemoti...
Yan Cui - How to build observability into a serverless application - Codemoti...Yan Cui - How to build observability into a serverless application - Codemoti...
Yan Cui - How to build observability into a serverless application - Codemoti...Codemotion
 
Simple Tips to Secure your WordPress
Simple Tips to Secure your WordPressSimple Tips to Secure your WordPress
Simple Tips to Secure your WordPressFiroz Sabaliya
 
Serverless observability - a hero's perspective
Serverless observability - a hero's perspectiveServerless observability - a hero's perspective
Serverless observability - a hero's perspectiveYan Cui
 
Atlrug intermodal - sep 2011
Atlrug intermodal - sep 2011Atlrug intermodal - sep 2011
Atlrug intermodal - sep 2011hosheng
 

What's hot (8)

20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 
Yan Cui - How to build observability into a serverless application - Codemoti...
Yan Cui - How to build observability into a serverless application - Codemoti...Yan Cui - How to build observability into a serverless application - Codemoti...
Yan Cui - How to build observability into a serverless application - Codemoti...
 
Simple Tips to Secure your WordPress
Simple Tips to Secure your WordPressSimple Tips to Secure your WordPress
Simple Tips to Secure your WordPress
 
Serverless observability - a hero's perspective
Serverless observability - a hero's perspectiveServerless observability - a hero's perspective
Serverless observability - a hero's perspective
 
Atlrug intermodal - sep 2011
Atlrug intermodal - sep 2011Atlrug intermodal - sep 2011
Atlrug intermodal - sep 2011
 

Similar to Practical API Security - Midwest PHP 2018

Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Adam Englander
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Mohammed Adam
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 
Rails 3 and OAuth for Barcamp Tampa
Rails 3 and OAuth for Barcamp TampaRails 3 and OAuth for Barcamp Tampa
Rails 3 and OAuth for Barcamp TampaBryce Kerley
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTAdam Englander
 
Threat Modeling for Dummies - Cascadia PHP 2018
Threat Modeling for Dummies - Cascadia PHP 2018Threat Modeling for Dummies - Cascadia PHP 2018
Threat Modeling for Dummies - Cascadia PHP 2018Adam Englander
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhamzaaqqa7
 
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
Symfony Live San Franciso 2017 - BDD API Development with Symfony and BehatSymfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
Symfony Live San Franciso 2017 - BDD API Development with Symfony and BehatAdam Englander
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Adam Englander
 
Secure Your Mobile Apps
Secure Your Mobile AppsSecure Your Mobile Apps
Secure Your Mobile Appsprimomh
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
IoT Lock Down - Battling the Bot Net Builders
IoT Lock Down - Battling the Bot Net BuildersIoT Lock Down - Battling the Bot Net Builders
IoT Lock Down - Battling the Bot Net BuildersAdam Englander
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptSilverGold16
 

Similar to Practical API Security - Midwest PHP 2018 (20)

Practical API Security - PyCon 2018
Practical API Security - PyCon 2018Practical API Security - PyCon 2018
Practical API Security - PyCon 2018
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
Rails 3 and OAuth for Barcamp Tampa
Rails 3 and OAuth for Barcamp TampaRails 3 and OAuth for Barcamp Tampa
Rails 3 and OAuth for Barcamp Tampa
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
 
Threat Modeling for Dummies - Cascadia PHP 2018
Threat Modeling for Dummies - Cascadia PHP 2018Threat Modeling for Dummies - Cascadia PHP 2018
Threat Modeling for Dummies - Cascadia PHP 2018
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
 
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
Symfony Live San Franciso 2017 - BDD API Development with Symfony and BehatSymfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
Symfony Live San Franciso 2017 - BDD API Development with Symfony and Behat
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
 
Secure Your Mobile Apps
Secure Your Mobile AppsSecure Your Mobile Apps
Secure Your Mobile Apps
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
IoT Lock Down - Battling the Bot Net Builders
IoT Lock Down - Battling the Bot Net BuildersIoT Lock Down - Battling the Bot Net Builders
IoT Lock Down - Battling the Bot Net Builders
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Online Authentication
Online AuthenticationOnline Authentication
Online Authentication
 

More from Adam Englander

Making PHP Smarter - Dutch PHP 2023.pptx
Making PHP Smarter - Dutch PHP 2023.pptxMaking PHP Smarter - Dutch PHP 2023.pptx
Making PHP Smarter - Dutch PHP 2023.pptxAdam Englander
 
ZendCon 2018 - Cryptography in Depth
ZendCon 2018 - Cryptography in DepthZendCon 2018 - Cryptography in Depth
ZendCon 2018 - Cryptography in DepthAdam Englander
 
Dutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersDutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersAdam Englander
 
php[tek] 2108 - Cryptography Advances in PHP 7.2
php[tek] 2108 - Cryptography Advances in PHP 7.2php[tek] 2108 - Cryptography Advances in PHP 7.2
php[tek] 2108 - Cryptography Advances in PHP 7.2Adam Englander
 
php[tek] 2018 - Biometrics, fantastic failure point of the future
php[tek] 2018 - Biometrics, fantastic failure point of the futurephp[tek] 2018 - Biometrics, fantastic failure point of the future
php[tek] 2018 - Biometrics, fantastic failure point of the futureAdam Englander
 
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
Biometrics: Sexy, Secure and... Stupid - RSAC 2018Biometrics: Sexy, Secure and... Stupid - RSAC 2018
Biometrics: Sexy, Secure and... Stupid - RSAC 2018Adam Englander
 
Cryptography for Beginners - Sunshine PHP 2018
Cryptography for Beginners - Sunshine PHP 2018Cryptography for Beginners - Sunshine PHP 2018
Cryptography for Beginners - Sunshine PHP 2018Adam Englander
 
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the FutureConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the FutureAdam Englander
 
ZendCon 2017 - Cryptography for Beginners
ZendCon 2017 - Cryptography for BeginnersZendCon 2017 - Cryptography for Beginners
ZendCon 2017 - Cryptography for BeginnersAdam Englander
 
ZendCon 2017: The Red Team is Coming
ZendCon 2017: The Red Team is ComingZendCon 2017: The Red Team is Coming
ZendCon 2017: The Red Team is ComingAdam Englander
 
ZendCon 2017 - Build a Bot Workshop - Async Primer
ZendCon 2017 - Build a Bot Workshop - Async PrimerZendCon 2017 - Build a Bot Workshop - Async Primer
ZendCon 2017 - Build a Bot Workshop - Async PrimerAdam Englander
 
Coder Cruise 2017 - The Red Team Is Coming
Coder Cruise 2017 - The Red Team Is ComingCoder Cruise 2017 - The Red Team Is Coming
Coder Cruise 2017 - The Red Team Is ComingAdam Englander
 
Build a bot workshop async primer - php[tek]
Build a bot workshop async primer - php[tek]Build a bot workshop async primer - php[tek]
Build a bot workshop async primer - php[tek]Adam Englander
 
Concurrent Programming in Python
Concurrent Programming in PythonConcurrent Programming in Python
Concurrent Programming in PythonAdam Englander
 
Biometrics - Fantastic Failure Point of the Future
Biometrics - Fantastic Failure Point of the FutureBiometrics - Fantastic Failure Point of the Future
Biometrics - Fantastic Failure Point of the FutureAdam Englander
 
PHP UK 2017 - Don't Lose Sleep - Secure Your REST
PHP UK 2017 - Don't Lose Sleep - Secure Your RESTPHP UK 2017 - Don't Lose Sleep - Secure Your REST
PHP UK 2017 - Don't Lose Sleep - Secure Your RESTAdam Englander
 
SunshinePHP 2017: Tales From The Crypt - A Cryptography Primer
SunshinePHP 2017: Tales From The Crypt - A Cryptography PrimerSunshinePHP 2017: Tales From The Crypt - A Cryptography Primer
SunshinePHP 2017: Tales From The Crypt - A Cryptography PrimerAdam Englander
 
Py Vegas - Tales from the crypt
Py Vegas - Tales from the cryptPy Vegas - Tales from the crypt
Py Vegas - Tales from the cryptAdam Englander
 
Node.js interactive NA 2016: Tales From the Crypt
Node.js interactive NA 2016: Tales From the CryptNode.js interactive NA 2016: Tales From the Crypt
Node.js interactive NA 2016: Tales From the CryptAdam Englander
 

More from Adam Englander (20)

Making PHP Smarter - Dutch PHP 2023.pptx
Making PHP Smarter - Dutch PHP 2023.pptxMaking PHP Smarter - Dutch PHP 2023.pptx
Making PHP Smarter - Dutch PHP 2023.pptx
 
ZendCon 2018 - Cryptography in Depth
ZendCon 2018 - Cryptography in DepthZendCon 2018 - Cryptography in Depth
ZendCon 2018 - Cryptography in Depth
 
Dutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for BeginnersDutch PHP 2018 - Cryptography for Beginners
Dutch PHP 2018 - Cryptography for Beginners
 
php[tek] 2108 - Cryptography Advances in PHP 7.2
php[tek] 2108 - Cryptography Advances in PHP 7.2php[tek] 2108 - Cryptography Advances in PHP 7.2
php[tek] 2108 - Cryptography Advances in PHP 7.2
 
php[tek] 2018 - Biometrics, fantastic failure point of the future
php[tek] 2018 - Biometrics, fantastic failure point of the futurephp[tek] 2018 - Biometrics, fantastic failure point of the future
php[tek] 2018 - Biometrics, fantastic failure point of the future
 
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
Biometrics: Sexy, Secure and... Stupid - RSAC 2018Biometrics: Sexy, Secure and... Stupid - RSAC 2018
Biometrics: Sexy, Secure and... Stupid - RSAC 2018
 
Cryptography for Beginners - Sunshine PHP 2018
Cryptography for Beginners - Sunshine PHP 2018Cryptography for Beginners - Sunshine PHP 2018
Cryptography for Beginners - Sunshine PHP 2018
 
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the FutureConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future
 
ZendCon 2017 - Cryptography for Beginners
ZendCon 2017 - Cryptography for BeginnersZendCon 2017 - Cryptography for Beginners
ZendCon 2017 - Cryptography for Beginners
 
ZendCon 2017: The Red Team is Coming
ZendCon 2017: The Red Team is ComingZendCon 2017: The Red Team is Coming
ZendCon 2017: The Red Team is Coming
 
ZendCon 2017 - Build a Bot Workshop - Async Primer
ZendCon 2017 - Build a Bot Workshop - Async PrimerZendCon 2017 - Build a Bot Workshop - Async Primer
ZendCon 2017 - Build a Bot Workshop - Async Primer
 
Coder Cruise 2017 - The Red Team Is Coming
Coder Cruise 2017 - The Red Team Is ComingCoder Cruise 2017 - The Red Team Is Coming
Coder Cruise 2017 - The Red Team Is Coming
 
Build a bot workshop async primer - php[tek]
Build a bot workshop async primer - php[tek]Build a bot workshop async primer - php[tek]
Build a bot workshop async primer - php[tek]
 
Python and Docker
Python and DockerPython and Docker
Python and Docker
 
Concurrent Programming in Python
Concurrent Programming in PythonConcurrent Programming in Python
Concurrent Programming in Python
 
Biometrics - Fantastic Failure Point of the Future
Biometrics - Fantastic Failure Point of the FutureBiometrics - Fantastic Failure Point of the Future
Biometrics - Fantastic Failure Point of the Future
 
PHP UK 2017 - Don't Lose Sleep - Secure Your REST
PHP UK 2017 - Don't Lose Sleep - Secure Your RESTPHP UK 2017 - Don't Lose Sleep - Secure Your REST
PHP UK 2017 - Don't Lose Sleep - Secure Your REST
 
SunshinePHP 2017: Tales From The Crypt - A Cryptography Primer
SunshinePHP 2017: Tales From The Crypt - A Cryptography PrimerSunshinePHP 2017: Tales From The Crypt - A Cryptography Primer
SunshinePHP 2017: Tales From The Crypt - A Cryptography Primer
 
Py Vegas - Tales from the crypt
Py Vegas - Tales from the cryptPy Vegas - Tales from the crypt
Py Vegas - Tales from the crypt
 
Node.js interactive NA 2016: Tales From the Crypt
Node.js interactive NA 2016: Tales From the CryptNode.js interactive NA 2016: Tales From the Crypt
Node.js interactive NA 2016: Tales From the Crypt
 

Recently uploaded

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Recently uploaded (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Practical API Security - Midwest PHP 2018