SlideShare a Scribd company logo

Api days 2018 - API Security by Sqreen

Sqreen
Sqreen

API Security talk at Api days 2018. by Jean-Baptiste Aviat, CTO @ Sqreen

1 of 35
Download to read offline
API security: an insider’s point of view APIDays Paris • 2017/01/30
Jean-Baptiste Aviat CTO & Co-founder at Sqreen Former hacker at Apple (Red Team) jb@sqreen.io @jbaviat Who Am I?
What should I do for security?
You MUST do
 EVERYTHING, NOW!
You do that, right? Don’t you?
Just kidding.
Where should I even start?
The OWASP top 10
Web?! WTF I do APIs dude
No worries. This is security sanity. It works for APIs as well.
•Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
•Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
•Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
•Injection •Broken authentication •Sensitive Data Exposure •XML External Entities (XXE) •Broken Access Control •Security Misconfiguration •Cross Site Scripting (XSS) •Insecure Deserialisation •Using components with known vulnerabilities
An HTTP server with a debugger
(byebug) thread list + 1 #<Thread:/webrick/server.rb:283 run> ... 2 #<WEBrick::TimeoutHandler::Thread/webrick/utils.rb:162 sleep> ... 3 #<Thread:sleep>/webrick/server.rb:174 (byebug) thread switch 3 [168, 177] in 2.2.0/webrick/server.rb 173: begin => 174: if svrs = IO.select([shutdown_pipe[0], *@listeners], …) 175: if svrs[0].include? shutdown_pipe[0] 176: break At first sight
OWASP: injections
SQL injection vulnerability •injection vuln = using data in an other context, without proper preparation
 
 
 
 
 •basically, anything can be retrieved from the database
(byebug) break ActiveRecord::SQLite3Adapter.exec_query [283, 292] in …/active_record/…/sqlite3_adapter.rb 287: => 288: def exec_query(sql, name = nil, …) [...] (byebug) var local […] sql = SELECT * FROM posts WHERE id=3 Database access: from the inside
0 ActiveRecord::SQLite3Adapter.exec_query(sql#String, …) … 7 PostsController.set_post … 27 ActionController.dispatch(request#ActionDispatch::Request, …) … 40 ActionDispatch::ParamsParser.call(env#Hash) … 76 WEBrick::GenericServer.start_thread(sock#TCPSocket, …) Database access: a closer look
(byebug) var local […] sql = SELECT * FROM posts WHERE id=3 UNION SELECT password from users params = { ‘q’ => ‘3 UNION SELECT password from users’} Database access: from the inside
Take aways •Injections vulnerabilities lies in your code •They can be detected at runtime, hooking e.g. SQL drivers •Ruby on Rails: ActiveRecord::ConnectionAdapters::AbstractAdapter::log
OWASP: broken authentication
class SessionsController < ApplicationController def create user = login(params[:email], params[:password]) JWT.encode(user.email, hmac_secret) end end User authentication
Take aways •Authentication related vulnerabilities happen (or lies) in the code •Many can be detected at runtime, hooking authentication frameworks •Ruby on Rails: Devise::Strategies::DatabaseAuthenticatable.authenticate!
OWASP: business vulnerabilities
Stripe::Charge.create( :amount => 2000, :currency => "usd", :description => "Charge for jb@sqreen.io“ ) Payment monitoring
Take aways •Business vulnerabilities… are triggered in your code! •Even if you have no vulnerability •They can be measured during runtime •And analysed (realtime or not) then •What to monitor? You know your business!
OWASP: Components with Known Vulnerabilities
irb(main):001:0> Gem.loaded_specs.map do |k, v| puts "%20st%st%s " % [k, v.version, v.homepage] end rake 10.4.2 erubis 2.7.0 http://www.kuwata-lab.com/erubis/ nokogiri 1.6.6.2 http://nokogiri.org actionview 4.2.3 http://www.rubyonrails.org sqlite3 1.3.10 https://github.com/sparklemotion/sqlite3-ruby execjs 2.6.0 https://github.com/rails/execjs ... CVE-2015-1819 CVE-2015-7941 CVE-2015-7942 CVE-2015-8035 An application dependencies
Take aways •Defined in your code - or in your configuration files anyway •So important even GitHub does it nowadays •Runtime allows to check all deployments are fine
Meta take aways (OMG) •Bug happens •Some of them are security related •Be aware of in-code vulnerabilities •And business vulnerabilities •It will be on you (you, as an API builder) some day
Questions? OWASP top 10 2017: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf CTO security checklist: https://cto-security-checklist.sqreen.io/

Recommended

Open source iam value, benefits, and risks
Open source iam value, benefits, and risksOpen source iam value, benefits, and risks
Open source iam value, benefits, and risks
WSO2
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
WSO2
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
WSO2
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your application
VMware Tanzu
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
OWASP
 

Recommended

Open source iam value, benefits, and risks
Open source iam value, benefits, and risksOpen source iam value, benefits, and risks
Open source iam value, benefits, and risks
WSO2
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
WSO2
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
WSO2
 
Building layers of defense for your application
Building layers of defense for your applicationBuilding layers of defense for your application
Building layers of defense for your application
VMware Tanzu
 
[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale[OPD 2019] Threat modeling at scale
[OPD 2019] Threat modeling at scale
OWASP
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
42Crunch
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
OAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementOAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementWSO2
 
42crunch-API-security-workshop
42crunch-API-security-workshop42crunch-API-security-workshop
42crunch-API-security-workshop
42Crunch
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
Bertrand Carlier
 
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and UmrahHow WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
WSO2
 
Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation
42Crunch
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
Isuru Samaraweera
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
Mike Schwartz
 
Advanced API Security Patterns
Advanced API Security PatternsAdvanced API Security Patterns
Advanced API Security Patterns
42Crunch
 
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays
 
Using a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API ManagerUsing a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API Manager
WSO2
 
Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?
WSO2
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
Minded Security
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
42Crunch
 
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Mike Schwartz
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouseapidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OpenIDFoundation
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
jaxconf
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 

More Related Content

What's hot

API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
42Crunch
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
inovia
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
OAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementOAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementWSO2
 
42crunch-API-security-workshop
42crunch-API-security-workshop42crunch-API-security-workshop
42crunch-API-security-workshop
42Crunch
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
Bertrand Carlier
 
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and UmrahHow WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
WSO2
 
Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation
42Crunch
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
Isuru Samaraweera
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
Mike Schwartz
 
Advanced API Security Patterns
Advanced API Security PatternsAdvanced API Security Patterns
Advanced API Security Patterns
42Crunch
 
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays
 
Using a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API ManagerUsing a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API Manager
WSO2
 
Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?
WSO2
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
Minded Security
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
42Crunch
 
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Mike Schwartz
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouseapidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OpenIDFoundation
 

What's hot (20)

API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
 
OAuth based reference architecture for API Management
OAuth based reference architecture for API ManagementOAuth based reference architecture for API Management
OAuth based reference architecture for API Management
 
42crunch-API-security-workshop
42crunch-API-security-workshop42crunch-API-security-workshop
42crunch-API-security-workshop
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
 
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and UmrahHow WSO2 API Manager Supports the Ministry of Hajj and Umrah
How WSO2 API Manager Supports the Ministry of Hajj and Umrah
 
Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
 
Advanced API Security Patterns
Advanced API Security PatternsAdvanced API Security Patterns
Advanced API Security Patterns
 
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...apidays LIVE New York 2021 - Solving API security through holistic obervabili...
apidays LIVE New York 2021 - Solving API security through holistic obervabili...
 
Using a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API ManagerUsing a Third Party Key Management System with WSO2 API Manager
Using a Third Party Key Management System with WSO2 API Manager
 
Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
 
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouseapidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
 

Similar to Api days 2018 - API Security by Sqreen

Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
jaxconf
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeAlexandre Morgaut
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
Francisco Ribeiro
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
Duo Security
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
SQL Injection in JAVA
SQL Injection in JAVASQL Injection in JAVA
SQL Injection in JAVA
Hossein Yavari
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"
Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"
Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"
Dakiry
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
Coverity
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
OmprakashVerma56
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
Katy Anton
 

Similar to Api days 2018 - API Security by Sqreen (20)

Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) EuropeWakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
 
Not so blind SQL Injection
Not so blind SQL InjectionNot so blind SQL Injection
Not so blind SQL Injection
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
SQL Injection in JAVA
SQL Injection in JAVASQL Injection in JAVA
SQL Injection in JAVA
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"
Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"
Oleh Shpyrna "Security Testing Basics: Check your Webapp for gaps before l_unch"
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
Owasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwcOwasp top-ten-mapping-2015-05-lwc
Owasp top-ten-mapping-2015-05-lwc
 

More from Sqreen

Protecting against injections at scale
Protecting against injections at scaleProtecting against injections at scale
Protecting against injections at scale
Sqreen
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
Sqreen
 
Writing a Python C extension
Writing a Python C extensionWriting a Python C extension
Writing a Python C extension
Sqreen
 
NoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDBNoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDB
Sqreen
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASP
Sqreen
 
Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)
Sqreen
 
Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing
Sqreen
 
Ruby on Rails security in your Continuous Integration
Ruby on Rails security in your Continuous IntegrationRuby on Rails security in your Continuous Integration
Ruby on Rails security in your Continuous Integration
Sqreen
 

More from Sqreen (8)

Protecting against injections at scale
Protecting against injections at scaleProtecting against injections at scale
Protecting against injections at scale
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
 
Writing a Python C extension
Writing a Python C extensionWriting a Python C extension
Writing a Python C extension
 
NoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDBNoSQL Injections in Node.js - The case of MongoDB
NoSQL Injections in Node.js - The case of MongoDB
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASP
 
Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)Tune your App Perf (and get fit for summer)
Tune your App Perf (and get fit for summer)
 
Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing Instrument Rack to visualize
 Rails requests processing
Instrument Rack to visualize
 Rails requests processing
 
Ruby on Rails security in your Continuous Integration
Ruby on Rails security in your Continuous IntegrationRuby on Rails security in your Continuous Integration
Ruby on Rails security in your Continuous Integration
 

Recently uploaded

Orion Air Quality Monitoring Systems - CWS
Orion Air Quality Monitoring Systems - CWSOrion Air Quality Monitoring Systems - CWS
Orion Air Quality Monitoring Systems - CWS
Columbia Weather Systems
 
Structural Classification Of Protein (SCOP)
Structural Classification Of Protein (SCOP)Structural Classification Of Protein (SCOP)
Structural Classification Of Protein (SCOP)
aishnasrivastava
 
GBSN - Microbiology (Lab 4) Culture Media
GBSN - Microbiology (Lab 4) Culture MediaGBSN - Microbiology (Lab 4) Culture Media
GBSN - Microbiology (Lab 4) Culture Media
Areesha Ahmad
 
Cancer cell metabolism: special Reference to Lactate Pathway
Cancer cell metabolism: special Reference to Lactate PathwayCancer cell metabolism: special Reference to Lactate Pathway
Cancer cell metabolism: special Reference to Lactate Pathway
AADYARAJPANDEY1
 
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Sérgio Sacani
 
platelets_clotting_biogenesis.clot retractionpptx
platelets_clotting_biogenesis.clot retractionpptxplatelets_clotting_biogenesis.clot retractionpptx
platelets_clotting_biogenesis.clot retractionpptx
muralinath2
 
role of pramana in research.pptx in science
role of pramana in research.pptx in sciencerole of pramana in research.pptx in science
role of pramana in research.pptx in science
sonaliswain16
 
What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.
moosaasad1975
 
The ASGCT Annual Meeting was packed with exciting progress in the field advan...
The ASGCT Annual Meeting was packed with exciting progress in the field advan...The ASGCT Annual Meeting was packed with exciting progress in the field advan...
The ASGCT Annual Meeting was packed with exciting progress in the field advan...
Health Advances
 
Leaf Initiation, Growth and Differentiation.pdf
Leaf Initiation, Growth and Differentiation.pdfLeaf Initiation, Growth and Differentiation.pdf
Leaf Initiation, Growth and Differentiation.pdf
RenuJangid3
 
Comparative structure of adrenal gland in vertebrates
Comparative structure of adrenal gland in vertebratesComparative structure of adrenal gland in vertebrates
Comparative structure of adrenal gland in vertebrates
sachin783648
 
filosofia boliviana introducción jsjdjd.pptx
filosofia boliviana introducción jsjdjd.pptxfilosofia boliviana introducción jsjdjd.pptx
filosofia boliviana introducción jsjdjd.pptx
IvanMallco1
 
GBSN - Biochemistry (Unit 5) Chemistry of Lipids
GBSN - Biochemistry (Unit 5) Chemistry of LipidsGBSN - Biochemistry (Unit 5) Chemistry of Lipids
GBSN - Biochemistry (Unit 5) Chemistry of Lipids
Areesha Ahmad
 
NuGOweek 2024 Ghent - programme - final version
NuGOweek 2024 Ghent - programme - final versionNuGOweek 2024 Ghent - programme - final version
NuGOweek 2024 Ghent - programme - final version
pablovgd
 
Nucleic Acid-its structural and functional complexity.
Nucleic Acid-its structural and functional complexity.Nucleic Acid-its structural and functional complexity.
Nucleic Acid-its structural and functional complexity.
Nistarini College, Purulia (W.B) India
 
Lab report on liquid viscosity of glycerin
Lab report on liquid viscosity of glycerinLab report on liquid viscosity of glycerin
Lab report on liquid viscosity of glycerin
ossaicprecious19
 
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Ana Luísa Pinho
 
extra-chromosomal-inheritance[1].pptx.pdfpdf
extra-chromosomal-inheritance[1].pptx.pdfpdfextra-chromosomal-inheritance[1].pptx.pdfpdf
extra-chromosomal-inheritance[1].pptx.pdfpdf
DiyaBiswas10
 
Structures and textures of metamorphic rocks
Structures and textures of metamorphic rocksStructures and textures of metamorphic rocks
Structures and textures of metamorphic rocks
kumarmathi863
 
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Sérgio Sacani
 

Recently uploaded (20)

Orion Air Quality Monitoring Systems - CWS
Orion Air Quality Monitoring Systems - CWSOrion Air Quality Monitoring Systems - CWS
Orion Air Quality Monitoring Systems - CWS
 
Structural Classification Of Protein (SCOP)
Structural Classification Of Protein (SCOP)Structural Classification Of Protein (SCOP)
Structural Classification Of Protein (SCOP)
 
GBSN - Microbiology (Lab 4) Culture Media
GBSN - Microbiology (Lab 4) Culture MediaGBSN - Microbiology (Lab 4) Culture Media
GBSN - Microbiology (Lab 4) Culture Media
 
Cancer cell metabolism: special Reference to Lactate Pathway
Cancer cell metabolism: special Reference to Lactate PathwayCancer cell metabolism: special Reference to Lactate Pathway
Cancer cell metabolism: special Reference to Lactate Pathway
 
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
Earliest Galaxies in the JADES Origins Field: Luminosity Function and Cosmic ...
 
platelets_clotting_biogenesis.clot retractionpptx
platelets_clotting_biogenesis.clot retractionpptxplatelets_clotting_biogenesis.clot retractionpptx
platelets_clotting_biogenesis.clot retractionpptx
 
role of pramana in research.pptx in science
role of pramana in research.pptx in sciencerole of pramana in research.pptx in science
role of pramana in research.pptx in science
 
What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.What is greenhouse gasses and how many gasses are there to affect the Earth.
What is greenhouse gasses and how many gasses are there to affect the Earth.
 
The ASGCT Annual Meeting was packed with exciting progress in the field advan...
The ASGCT Annual Meeting was packed with exciting progress in the field advan...The ASGCT Annual Meeting was packed with exciting progress in the field advan...
The ASGCT Annual Meeting was packed with exciting progress in the field advan...
 
Leaf Initiation, Growth and Differentiation.pdf
Leaf Initiation, Growth and Differentiation.pdfLeaf Initiation, Growth and Differentiation.pdf
Leaf Initiation, Growth and Differentiation.pdf
 
Comparative structure of adrenal gland in vertebrates
Comparative structure of adrenal gland in vertebratesComparative structure of adrenal gland in vertebrates
Comparative structure of adrenal gland in vertebrates
 
filosofia boliviana introducción jsjdjd.pptx
filosofia boliviana introducción jsjdjd.pptxfilosofia boliviana introducción jsjdjd.pptx
filosofia boliviana introducción jsjdjd.pptx
 
GBSN - Biochemistry (Unit 5) Chemistry of Lipids
GBSN - Biochemistry (Unit 5) Chemistry of LipidsGBSN - Biochemistry (Unit 5) Chemistry of Lipids
GBSN - Biochemistry (Unit 5) Chemistry of Lipids
 
NuGOweek 2024 Ghent - programme - final version
NuGOweek 2024 Ghent - programme - final versionNuGOweek 2024 Ghent - programme - final version
NuGOweek 2024 Ghent - programme - final version
 
Nucleic Acid-its structural and functional complexity.
Nucleic Acid-its structural and functional complexity.Nucleic Acid-its structural and functional complexity.
Nucleic Acid-its structural and functional complexity.
 
Lab report on liquid viscosity of glycerin
Lab report on liquid viscosity of glycerinLab report on liquid viscosity of glycerin
Lab report on liquid viscosity of glycerin
 
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
Deep Behavioral Phenotyping in Systems Neuroscience for Functional Atlasing a...
 
extra-chromosomal-inheritance[1].pptx.pdfpdf
extra-chromosomal-inheritance[1].pptx.pdfpdfextra-chromosomal-inheritance[1].pptx.pdfpdf
extra-chromosomal-inheritance[1].pptx.pdfpdf
 
Structures and textures of metamorphic rocks
Structures and textures of metamorphic rocksStructures and textures of metamorphic rocks
Structures and textures of metamorphic rocks
 
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
Observation of Io’s Resurfacing via Plume Deposition Using Ground-based Adapt...
 

Api days 2018 - API Security by Sqreen