CactusCon


API’s Dark Side: Addressing AppSec’s Biggest Challenge

Track 2
5 Feb 2022 10:00 AM - 11:00 PM

While APIs have clear and obvious benefits, they are also creating a rapidly growing attack surface that isn't widely understood and is sometimes completely overlooked by developers and software architects. With recent reports suggesting that by 2022, API abuses will be the most frequent attack vector leading to data breaches in enterprise web applications, securing them is a top challenge and must be a bigger priority.

The first step in accomplishing this goal is generating awareness of the most critical API-related vulnerabilities and of the ways to protect against them.

This significant gap in knowledge drove me to spearhead the development of the OWASP API Security Top 10 list, officially published at the end of 2019, to inform organizations, developers, and security professionals about the top issues impacting API-based applications. Since its release, it has been adopted as the de facto standard by many organizations and security specialists.

In this talk, I'll emphasize what makes API-centric design unique from a security angle, highlight the risks presented by API use, and show why an increased level of awareness is required to mitigate them. From there, I'll dive into the top security risks presented in the OWASP API Security Top 10 list and provide example attack scenarios for each. Some offensive tips and tricks will be mentioned to get you hacking APIs.
Finally, I will share what we can expect to see in API exploitation going forward, as modern software is increasingly targeted by adversaries.

Erez Yalon
Head of Security Research at Checkmarx | Co-Founder of DEF CON's AppSec Village | Co-Leader of OWASP API Security Project
@erezyalon

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience, and as an independent security researcher, he brings invaluable knowledge and skills to the table.
Erez also leads the OWASP API Security Project and is a co-founder of the AppSec Village at DEF CON.