I’ve been doing a lot of talking about API security recently because frankly, there’s a lot to talk about. Those little web services that sit behind the rich client apps on our devices and increasingly behind our Internet of Things have a nasty habit of having some really serious vulnerabilities in them. I’m talking about everything from leaking data to allowing unauthorised users to perform actions they shouldn’t be allowed to all the way through to entirely useless SSL implementations because certificate validation has been disabled.
Pretty much every time I set out to look at the APIs being called by my devices, I find nasty stuff. Even just yesterday I was involved in reviewing a project that had the most heinous API crimes you can imagine; think along the lines of absolutely zero access controls on a service that processes some serious financial transactions. I didn’t find this through any high-tech means accessible to penetration testers who live in the underworlds, I found it using common dev tools in just a few minutes because I knew where to look.
This is an area that I’m convinced is a significant enough threat to online security that I published a Pluralsight course on it just a couple of months ago – Hack Your API First. Further to that, I’m getting around talking about it at various events and last month that meant Microsoft’s TechEd in both Melbourne and Sydney, the former of which is now online for you to view here:
Oh – and if you’d like to watch that Pluralsight course for free, just get on over to this blog post that has a little challenge in it, leave your comment and I’ll get one right over to you!