Going back to the basics of API security

SESSION

9:00 am / 9 May 2023

About this session

Application Programming Interfaces (APIs) play a large role in modern businesses, enabling development teams to exchange data across multiple applications. The majority of businesses are either consuming APIs or building their own APIs for other businesses or internal teams to consume.

Although the use of APIs can unlock almost futuristic functionality for businesses, it is often the fundamentals of securing APIs that are overlooked, which leads to negative outcomes not only for the business but often for the individuals whose data is being handled or consumed by these APIs.

In this tutorial we will take a step back and cover the key areas of API security including:

  • Types of APIs and how they function
  • Various authentication/authorisation mechanisms
  • Object authorisation
  • Preventing injection attacks (SQL/NoSQL/Command)
  • General security misconfigurations

The tutorial will be delivered in a format where a brief introduction to each topic is given, after which attendees will be guided through identifying the relevant security issues and understanding their implications. Following that, a deeper discussion will be had about the best practices relating to that topic and, time permitting, live changes will be implemented to fix the issues identified.

During the tutorial attendees will be:

  • Hands-on interacting with various types of APIs using common tools including bash/PowerShell and Postman/Thunder Client
  • Working with AWS cloud services (RDS, DynamoDB, CloudWatch, S3 etc)
  • Modifying the APIs to change their intended behaviour
  • Inspecting the types of traffic sent and received by the APIs
  • Investigating application/network logs

The key takeaways for attendees will be:

  • Understanding the different types of APIs
  • Being able to identify API security issues
  • Providing recommendations on how to secure APIs against common security issues