Thursday, June 27, 2024 • 2:15pm - 3:00pm WEST
API Security by Design

APIs are now the main attack vector against web applications, and organizations are increasingly concerned about how their APIs affect their security posture. Unfortunately, APIs expose vulnerabilities in unexpected ways: for example, an unconstrained query parameter can be leveraged for SQL injection, and reusing the same schema for input and output models opens the door to mass assignment.
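The two anti-patterns named above, each beside its security-by-design fix, as an added example in Python (this is not the speaker's or the talk's code). The in-memory user table, the injection payload, the `UserCreate` input model and the username pattern `^[a-z0-9_]{3,32}$` are all constructed for the example; in a real API the pattern and the separate input schema would live in the API specification.

```python
"""Two API design anti-patterns beside their security-by-design fixes.
Added example, not the talk's code; standard library only, runs offline."""
import re
import sqlite3
from dataclasses import dataclass, fields


def _db():
    """Constructed in-memory user table standing in for a real store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", 1), (2, "bob", 0)])
    return con


# --- Anti-pattern 1: unconstrained query parameter -> SQL injection -------
def search_users_vulnerable(con, username):
    # 'username' is accepted as free text and spliced into the statement.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


# Assumed constraint declared in the API spec: pattern plus length bounds.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def search_users_hardened(con, username):
    # Validate against the documented pattern, then bind the value so the
    # database driver never interprets it as SQL.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username does not match the documented pattern")
    return con.execute("SELECT id, username FROM users WHERE username = ?",
                       (username,)).fetchall()


# --- Anti-pattern 2: one schema for input and output -> mass assignment --
@dataclass
class User:
    """Output/storage model: carries server-controlled fields."""
    id: int
    username: str
    is_admin: bool = False


def create_user_vulnerable(payload, next_id=3):
    # The storage model doubles as the request schema, so every field the
    # client sends, including is_admin, is assigned as-is.
    return User(id=next_id, **payload)


@dataclass
class UserCreate:
    """Input model (assumed): only the fields a client may set."""
    username: str


def create_user_hardened(payload, next_id=3):
    # Reject anything outside the input schema instead of silently copying it.
    allowed = {f.name for f in fields(UserCreate)}
    unknown = set(payload) - allowed
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    inp = UserCreate(**payload)
    # Privileged fields are decided by the server, never by the request body.
    return User(id=next_id, username=inp.username, is_admin=False)


def demo():
    """Run both anti-patterns against hostile input and report the outcome."""
    con = _db()
    injection = "' OR '1'='1"           # constructed SQLi payload
    hostile_body = {"username": "mallory", "is_admin": True}  # constructed
    results = {"sqli_rows_leaked": len(search_users_vulnerable(con, injection))}
    try:
        search_users_hardened(con, injection)
        results["sqli_rejected"] = False
    except ValueError:
        results["sqli_rejected"] = True
    results["mass_assignment_admin"] = create_user_vulnerable(hostile_body).is_admin
    try:
        create_user_hardened(hostile_body)
        results["mass_assignment_rejected"] = False
    except ValueError:
        results["mass_assignment_rejected"] = True
    results["hardened_user"] = create_user_hardened({"username": "mallory"})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injection leaks every row from the vulnerable search because the whole table matches `'' OR '1'='1'`, while the hardened version refuses the input before it ever reaches the database. The hostile body makes the vulnerable handler mint an administrator; the hardened handler rejects the unknown field and, even for a clean body, sets `is_admin` itself.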


The good news is that there's a lot we can do to improve our API security posture by shifting left on security and tackling vulnerabilities at design time, and that's the goal of this talk. We'll begin with a few examples that show how common design and implementation patterns expose major vulnerabilities, and then we'll analyse a battery of API design anti-patterns that make our applications vulnerable. I'll show how those vulnerabilities map to the OWASP API Security Top 10 and how we can resolve them by applying security-by-design principles.

We'll conclude with an overview of the tools we can use to automate the process of discovering and addressing vulnerabilities in our APIs. I'll show examples of using linters to identify vulnerabilities at design time and fuzzers to identify vulnerabilities at runtime.


By the end of this talk, you’ll be aware of the most important threats to our APIs and you’ll know how to discover and address them effectively. You’ll also get familiar with the concepts of API Security by Design, Shift-Left API Security, and Zero Trust APIs.


Speakers
Jose Haro Peralta

API Strategy and Security Advisor, microapis.io
Jose is an API strategy and security advisor. He's the author of Microservice APIs and the creator of fencer, an open-source API security testing tool. He's a regular speaker at international conferences and has taught hundreds of students to build and deliver reliable and secure APIs...

