SlideShare a Scribd company logo

apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr Nalin Asanka Gamagedara Arachchilage

apidays
apidays

apidays LIVE Australia 2020 - Building Business Ecosystems Evaluating the usability of security APIs Dr Nalin Asanka Gamagedara Arachchilage, Senior Research Fellow in Cyber Security (DevOpsSec) at La Trobe University

Technology
1 of 14
Download to read offline
Evaluating the usability of security APIs Nalin Asanka Gamagedara Arachchilage, PhD
Secure Coding or Programming issues
What we investigated… • Context: Programmers make mistakes when implementing security APIs. – Introduces security vulnerabilities into applications they develop. • There is no methodology to evaluate the usability of security APIs. • We developed a Cognitive Dimensions Framework (CDF) based usability evaluation methodology to empirically evaluate the usability of security APIs. • We evaluated our CDF through 4 security APIs: – Google authentication API – Bouncy Castle lightweight crypto API – Java Secure Socket Extension (JSSE) API – OWASP Enterprise Security API (ESAPI) • Results: – Identified over 83% of the usability issues – a considerably good validity and reliability. • Recommendation: – Our developed CDF provides a good platform to conduct usability evaluation for security APIs. – API developers can use our CDF to design security APIs that are more usable. 3
Implementing Security into Software ACM Reference Format: Chamila Wijayarathna and Nalin A. G. Arachchilage. 2018. Why Johnny Can’t Store Passwords Securely?: A Usability Evaluation of Bouncycastle Password Hashing. In EASE’18: 22nd International Conference on Evaluation and Assessment in Software Engineering 2018, June 28–29, 2018, Christchurch, New Zealand. ACM, New York, NY, USA, 6 pages. https://doi.org/10.1145/3210459.3210483
What we did? • In this work, we evaluated the usability of SCrypt password hashing functionality of Bouncycastle API. • Programmers to make mistakes (i.e. usability issues) while developing applications that would result in security vulnerabilities. • We conducted a study with 10 programmers where each of them spent around 2 hours for the study and attempted to develop a secure password storage solution using Bouncycastle API. • We identified 63 usability issues that exist in the SCrypt implementation of Bouncycastle API. • Each participant had reported an average of approximately 15 usability issues. • Furthermore, we expect that this work will provide a guidance on how to conduct usability evaluations for security APIs to identify usability issues exist in them.
The issues we identified • Selecting method parameters for SCrypt generate method invocation. • If the programmer uses weak values for these parameters, security of the password storage will be weak and it will be vulnerable to attacks. • Using salt with SCrypt.generate() method • Usage of salt provides protection against dictionary attacks and pre-computed rainbow attacks. • Usage of byte array vs String to store passwords • Strings, password will be stored in the memory for longer and cannot be deleted until garbage collector clears them. • Issues observed about the documentation of Bouncycastle API • Other observed issues (a) Suggestions shown in Integrated Development Environment for method parameters (b) Method parameter names used in Bouncycastle SCrypt source code (c) Java API documentation of SCrypt.generate() method
Issues identified in all 4 APIs 7
We developed: Cognitive Dimensions Framework for security APIs 8
Cognitive Dimensions Framework for security APIs • Abstraction level: The minimum and maximum levels of abstraction exposed by the API, and the minimum and maximum levels usable by a targeted developer. • Learning style: The knowledge about the API and its security background that a programmer needs to have before starting to use the API and how a programmer would gain the knowledge about the API and its security background. • Working framework: The size of the conceptual chunk (developer working set) needed to work effectively. 9
Cognitive Dimensions Framework for security APIs • Work-step unit: How much of a programming task must/can be completed in a single step. • Progressive evaluation: To what extent partially completed code can be executed to obtain feedback on code behavior. • Premature commitment: The amount of decisions that developers have to make when writing code for a given scenario and the consequences of those decisions. • Penetrability: How the API facilitates exploration, analysis and understanding of its components and its security related information, and the way a targeted developer should go about retrieving what is needed. 10
Cognitive Dimensions Framework for security APIs • API elaboration: The extent to which the API must be adapted to meet the needs of a targeted developer. • API viscosity: The barriers to change inherent in the API, and how much effort a targeted developer needs to expend to make a change. • Consistency: How much of the rest of an API can be inferred once part of it is learned. • Role expressiveness: How apparent the relationship is between each component exposed by an API and the program as a whole. 11
Cognitive Dimensions Framework for security APIs • A Domain correspondence: How clearly the API components map to the domain and any special tricks that the developer needs to be aware of to accomplish some functionality. • Hard-to Misuse: How hard it is to make mistakes while using the API and how much help does the API provide to identify mistakes that programmers make. • End-user protection: How much does the security of the end user of an application developed using the API depend on the programmer who developed the application. • Testability: The amount of support that the API provides for the programmer to test the security of an application that was developed using the API. 12
13
Evaluating the usability of security APIs Nalin Asanka Gamagedara Arachchilage, PhD

Recommended

apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays
 
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays
 
Executing on API Developer Experience
Executing on API Developer Experience Executing on API Developer Experience
Executing on API Developer Experience
SmartBear
 
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays
 
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
SmartBear
 
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays
 
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays
 

Recommended

apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays
 
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays
 
Executing on API Developer Experience
Executing on API Developer Experience Executing on API Developer Experience
Executing on API Developer Experience
SmartBear
 
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays
 
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
SmartBear
 
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays
 
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays
 
Rest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookRest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbook
Katy Slemon
 
Api clarity webinar
Api clarity webinarApi clarity webinar
Api clarity webinar
LibbySchulze
 
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays
 
Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020
Alianna Inzana
 
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays
 
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
apidays
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsAPI Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays
 
Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov
apidays
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays
 
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays
 
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays
 
Open Event API
Open Event APIOpen Event API
Open Event API
Avi Aryan
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays
 
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays
 
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgirapidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays
 
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
apidays
 
Pure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrationsPure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrations
José Haro Peralta
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Chamila Wijayarathna
 

More Related Content

What's hot

Rest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookRest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbook
Katy Slemon
 
Api clarity webinar
Api clarity webinarApi clarity webinar
Api clarity webinar
LibbySchulze
 
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays
 
Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020
Alianna Inzana
 
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays
 
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
apidays
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsAPI Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIs
DevOps Indonesia
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays
 
Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov
apidays
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays
 
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays
 
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays
 
Open Event API
Open Event APIOpen Event API
Open Event API
Avi Aryan
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays
 
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays
 
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgirapidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays
 
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
apidays
 
Pure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrationsPure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrations
José Haro Peralta
 

What's hot (20)

Rest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookRest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbook
 
Api clarity webinar
Api clarity webinarApi clarity webinar
Api clarity webinar
 
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
 
Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020
 
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
 
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsAPI Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIs
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
 
Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
 
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
 
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
 
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
 
Open Event API
Open Event APIOpen Event API
Open Event API
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
 
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
 
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgirapidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
 
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
 
Pure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrationsPure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrations
 

Similar to apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr Nalin Asanka Gamagedara Arachchilage

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Chamila Wijayarathna
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Kyle Lai
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
Apigee | Google Cloud
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
Apigee | Google Cloud
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
Addressing Cloud Security with OPA
Addressing Cloud Security with OPAAddressing Cloud Security with OPA
Addressing Cloud Security with OPA
DiemShin
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
Shelly Megan
 
Pain Points In API Development? They’re Everywhere
Pain Points In API Development? They’re EverywherePain Points In API Development? They’re Everywhere
Pain Points In API Development? They’re Everywhere
Nordic APIs
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
sedukull
 
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
apidays
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
Outpost24
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs
WSO2
 
Comprehensive Guide on API Automation Testing
Comprehensive Guide on API Automation TestingComprehensive Guide on API Automation Testing
Comprehensive Guide on API Automation Testing
Expeed Software
 
Extend soa with api management spoug- Madrid
Extend soa with api management spoug- MadridExtend soa with api management spoug- Madrid
Extend soa with api management spoug- Madrid
Vinay Kumar
 

Similar to apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr Nalin Asanka Gamagedara Arachchilage (20)

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Addressing Cloud Security with OPA
Addressing Cloud Security with OPAAddressing Cloud Security with OPA
Addressing Cloud Security with OPA
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
 
Pain Points In API Development? They’re Everywhere
Pain Points In API Development? They’re EverywherePain Points In API Development? They’re Everywhere
Pain Points In API Development? They’re Everywhere
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs
 
Comprehensive Guide on API Automation Testing
Comprehensive Guide on API Automation TestingComprehensive Guide on API Automation Testing
Comprehensive Guide on API Automation Testing
 
Extend soa with api management spoug- Madrid
Extend soa with api management spoug- MadridExtend soa with api management spoug- Madrid
Extend soa with api management spoug- Madrid
 

More from apidays

Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
apidays
 
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
apidays
 
Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...
apidays
 
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
apidays
 
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
apidays
 
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
apidays
 
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
apidays
 
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
apidays
 
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
apidays
 
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, OsaangoApidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
apidays
 
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
apidays
 
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, ZuploApidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
apidays
 
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
apidays
 
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss AdamsApidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
apidays
 
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
apidays
 
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
apidays
 
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
apidays
 
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, DanoneApidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
apidays
 
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
apidays
 
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
apidays
 

More from apidays (20)

Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn...
 
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security...
 
Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...Apidays Helsinki 2024 - What is next now that your organization created a (si...
Apidays Helsinki 2024 - What is next now that your organization created a (si...
 
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo...
 
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The...
 
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs...
 
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral...
 
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ...
 
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes...
 
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, OsaangoApidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
 
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann...
 
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, ZuploApidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo
 
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ...
 
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss AdamsApidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams
 
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...Apidays New York 2024 - Prototype-first - A modern API development workflow b...
Apidays New York 2024 - Prototype-first - A modern API development workflow b...
 
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa...
 
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki...
 
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, DanoneApidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone
 
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne...
 
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin...
 

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr Nalin Asanka Gamagedara Arachchilage

  • 1. Evaluating the usability of security APIs Nalin Asanka Gamagedara Arachchilage, PhD
  • 2. Secure Coding or Programming issues
  • 3. What we investigated… • Context: Programmers make mistakes when implementing security APIs. – Introduces security vulnerabilities into applications they develop. • There is no methodology to evaluate the usability of security APIs. • We developed a Cognitive Dimensions Framework (CDF) based usability evaluation methodology to empirically evaluate the usability of security APIs. • We evaluated our CDF through 4 security APIs: – Google authentication API – Bouncy Castle lightweight crypto API – Java Secure Socket Extension (JSSE) API – OWASP Enterprise Security API (ESAPI) • Results: – Identified over 83% of the usability issues – a considerably good validity and reliability. • Recommendation: – Our developed CDF provides a good platform to conduct usability evaluation for security APIs. – API developers can use our CDF to design security APIs that are more usable. 3
  • 4. Implementing Security into Software ACM Reference Format: Chamila Wijayarathna and Nalin A. G. Arachchilage. 2018. Why Johnny Can’t Store Passwords Securely?: A Usability Evaluation of Bouncycastle Password Hashing. In EASE’18: 22nd International Conference on Evaluation and Assessment in Software Engineering 2018, June 28–29, 2018, Christchurch, New Zealand. ACM, New York, NY, USA, 6 pages. https://doi.org/10.1145/3210459.3210483
  • 5. What we did? • In this work, we evaluated the usability of SCrypt password hashing functionality of Bouncycastle API. • Programmers to make mistakes (i.e. usability issues) while developing applications that would result in security vulnerabilities. • We conducted a study with 10 programmers where each of them spent around 2 hours for the study and attempted to develop a secure password storage solution using Bouncycastle API. • We identified 63 usability issues that exist in the SCrypt implementation of Bouncycastle API. • Each participant had reported an average of approximately 15 usability issues. • Furthermore, we expect that this work will provide a guidance on how to conduct usability evaluations for security APIs to identify usability issues exist in them.
  • 6. The issues we identified • Selecting method parameters for SCrypt generate method invocation. • If the programmer uses weak values for these parameters, security of the password storage will be weak and it will be vulnerable to attacks. • Using salt with SCrypt.generate() method • Usage of salt provides protection against dictionary attacks and pre-computed rainbow attacks. • Usage of byte array vs String to store passwords • Strings, password will be stored in the memory for longer and cannot be deleted until garbage collector clears them. • Issues observed about the documentation of Bouncycastle API • Other observed issues (a) Suggestions shown in Integrated Development Environment for method parameters (b) Method parameter names used in Bouncycastle SCrypt source code (c) Java API documentation of SCrypt.generate() method
  • 7. Issues identified in all 4 APIs 7
  • 9. Cognitive Dimensions Framework for security APIs • Abstraction level: The minimum and maximum levels of abstraction exposed by the API, and the minimum and maximum levels usable by a targeted developer. • Learning style: The knowledge about the API and its security background that a programmer needs to have before starting to use the API and how a programmer would gain the knowledge about the API and its security background. • Working framework: The size of the conceptual chunk (developer working set) needed to work effectively. 9
  • 10. Cognitive Dimensions Framework for security APIs • Work-step unit: How much of a programming task must/can be completed in a single step. • Progressive evaluation: To what extent partially completed code can be executed to obtain feedback on code behavior. • Premature commitment: The amount of decisions that developers have to make when writing code for a given scenario and the consequences of those decisions. • Penetrability: How the API facilitates exploration, analysis and understanding of its components and its security related information, and the way a targeted developer should go about retrieving what is needed. 10
  • 11. Cognitive Dimensions Framework for security APIs • API elaboration: The extent to which the API must be adapted to meet the needs of a targeted developer. • API viscosity: The barriers to change inherent in the API, and how much effort a targeted developer needs to expend to make a change. • Consistency: How much of the rest of an API can be inferred once part of it is learned. • Role expressiveness: How apparent the relationship is between each component exposed by an API and the program as a whole. 11
  • 12. Cognitive Dimensions Framework for security APIs • A Domain correspondence: How clearly the API components map to the domain and any special tricks that the developer needs to be aware of to accomplish some functionality. • Hard-to Misuse: How hard it is to make mistakes while using the API and how much help does the API provide to identify mistakes that programmers make. • End-user protection: How much does the security of the end user of an application developed using the API depend on the programmer who developed the application. • Testability: The amount of support that the API provides for the programmer to test the security of an application that was developed using the API. 12
  • 13. 13
  • 14. Evaluating the usability of security APIs Nalin Asanka Gamagedara Arachchilage, PhD