Room 6 

09:00 - 17:00 


2 Days

Bulletproof APIs: Hands-On API Security

As APIs become a big part of our tech world, making sure they're secure is key. The 2023 version of the OWASP API Security top 10 shows us that API security needs our attention. Building secure APIs isn't easy, though. It needs developers and architects to really get API security, from the big picture down to the nitty-gritty details.


This workshop is here to give you the skills you need to make your APIs secure. We're going to think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With deep-dive talks, real-world demos, fun quizzes, and hands-on labs, you'll learn how to lock down your APIs.
During this hands-on training, we'll explore:

  • The security model of API-based web applications
  • Recognizing and addressing authorization failures
  • Understanding Broken Object Property Level Authorization (BOPLA)
  • Fixing Broken Object Level Authorization (BOLA)
  • Testing the security of APIs that use JWTs
  • Best practices for making JWTs secure in modern APIs
  • Identifying, exploiting, and fixing Server-Side Request Forgery (SSRF) issues
  • Understanding Cross-Origin Resource Sharing (CORS)
  • Configuring secure CORS policies for various use cases
  • Tracking user authentication securely with sessions or tokens
  • Relying on OAuth 2.0/2.1 for securing APIs
  • Advanced OAuth 2.x scenarios
  • Quizzes and labs to make learning stick
  • Q & A throughout the workshop to clear up any doubts

This workshop is about more than theory. We're all about giving you practical security tips you can use right away as an API developer. We dig into the root causes of API threats and how to handle them. We don't just skim the surface of problems and solutions - we get into the why's and how's, looking at common fixes, why some fall short, and which ones are currently the best way to go.
By the end of this workshop, you'll be up-to-speed on the best practices for API security. You'll also leave with a handy list of steps to check and boost the security of your applications.

Who should attend?
This training is perfect for developers and architects who work a lot with APIs. If your role involves building, testing, or designing modern apps, this workshop will give you a thorough, up-to-date understanding of the best ways to keep things secure. We'll often use NodeJS, Flask, and Spring Boot in our code examples and demos, but you'll easily be able to apply what you learn to other languages and frameworks.

These testimonials from previous workshops give you a good idea of what to expect:

  • Trainer is great and an expert in the domain. All of the topics are very relevant. Practical examples for most of the topics. Excellent communication and addressing of questions.
  • Even though the topic is broad, there was no single moment where my focus went astray. Philippe talks in a way to keep you interested to listen to him.
  • I liked the the pleasant and relaxed way of speaking and the fresh style of presentation of this kind of dry stuff :)
  • Philippe is a friendly and knowledgable trainer and delivered an interesting course that was well presented. Questions were answered promptly and in a detailed way.

To participate in this training, you should have some experience with building API-based applications. Knowledge of application security can be helpful, but is not required.

Computer setup
To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (preferably Chrome).

Philippe De Ryck

Philippe De Ryck specializes in making web security accessible to developers and architects, leveraging his Ph.D. from KU Leuven to inform his comprehensive understanding of security challenges. As the founder of Pragmatic Web Security, he provides practical security training and consulting services to organizations worldwide.

His online course platform offers a self-paced approach to learning about security. Philippe also actively helps shape OAuth 2.0 best practices as the co-author of the best practices for browser-based apps specification.

Philippe is recognized as a Google Developer Expert, acknowledging his contributions to web application and API security. He also organizes SecAppDev, an annual week-long application security course in Belgium.