Black Hat – ATTACKING AND SECURING APIS 2021-8

ATTACKING AND SECURING APIS is an intensive, hands-on training course focused on security and attacks against API-based websites and cloud infrastructure. Today, APIs are everywhere: web applications, embedded systems, enterprise applications, cloud environments, and even the Internet of Things (IoT), and learning how to defend, secure, and attack API implementations and infrastructure is becoming increasingly essential. The course is designed to teach how to build modern and secure APIs while demonstrating new and old attack methods.

What you will learn:

  • Attacking and defending web APIs (REST, GraphQL, SOAP):
      • Learn AJAX, REST and GraphQL security best practices.
      • Building APIs that are easy to use securely and difficult to use insecurely.
      • Techniques and tools for designing, testing and attacking APIs and microservices.
      • Mitigate and defend against XSS, CSRF, JSONP and CORS security vulnerabilities in APIs.
      • Implement secure webcast channels and webcast theft defense between websites.
  • Attacking and Securing Amazon Cloud Infrastructure and APIs (AWS):
      • Building custom tools based on the Amazon API.
      • Attack and defend against serverless and Amazon problems such as S3 buckets exposure, EC2 vulnerabilities, Amazon confidential information, serverless event injection, etc.
      • Conduct post-attack exploitation and pivot attacks against AWS environments.
  • Perform modern injection attacks:
      • Attack and defend against injection vulnerabilities such as template injection, SQL injection, NoSQL injection, pickle and YAML serialization, object injection, etc.
  • Applied cryptography for APIs:
      • Knowing when to use signing, when to use encryption, and when to use both.
      • Implementation of secure and functional cryptography that has been tested in practice.
      • Implement secure communication channels with API consumers such as web browsers and mobile apps.
  • Securing passwords and confidential information in APIs:
      • Learn how to effectively solve the credential storage problem.
      • Using cloud credential management solutions.
      • Use open source and platform independent credential management solutions.
      • Implementation of safe password storage and management.
  • API authentication and authorization techniques:
      • Understanding the complex details of authentication and authorization frameworks and technologies.
      • Gain practical knowledge and experience in using secure tokens, cookies, keys and tickets for authentication and authorization.
      • Proficiency in OAuth2, OpenIDC, JWT/JWS and other authentication technologies.
      • Attacking and fixing insecure JWT and cookie implementations.
      • Attacking insecure implementations of session management, input validation, output encryption, and low-reliability components.
      • Implement and attack multi-factor authentication for APIs.
  • Designing a secure API architecture:
      • API security architecture and microservices.
      • Secure file management by allowing authorized downloads even in a partitioned microservices architecture.
      • Learn and understand cache security and what threats and vulnerabilities can arise from insecure cache configurations and methods.
      • Attacking and securing cache implementations and infrastructure.
      • Building a secure multi-layered infrastructure for modern applications.
  • Securing development environments:
      • Secure source code using secure Git configurations and live monitoring.
      • Securing software dependency and supply chain.
      • Secure development and management access using SSH, multi-factor authentication, and secure database hosts.
  • And …

Who is this course suitable for?

  • This course is suitable for software developers, security engineers, system architects, researchers, bug hunters, system administrators, students and interested security professionals who want to expand their skills.
  • Overall, this course will be useful for anyone interested in maintaining up-to-date knowledge and skills in the world of cloud, API and application security.

Details of the ATTACKING AND SECURING APIS course

  • Publisher: Black Hat
  • Lecturer: Mohammed Aldoub
  • Training level: beginner to advanced
  • Training duration: more than 10 hours

Course headings

Day 1:

  • Introduction to the modern web
  • Security Architecture for APIs
  • Data and File attacks against APIs and clients
  • Injection attacks against APIs and clients
  • Cache Security
  • Credential handling and storage

Day 2:

  • HTTP Security
  • Token Security
  • Authentication and authorization in APIs
  • Cryptography
  • Securing Development Environments

Installation guide

After extracting, view with your favorite player.

Subtitle: None

Quality: 720p

Download links

Download part 1 – 2 GB

Download part 2 – 2 GB

Download part 3 – 2 GB

Download part 4 – 2 GB

Download part 5 – 1.97 GB

File(s) password: www.downloadly.ir

Size

9.9 GB