Abusing Web APIs: The Mobile and Server Side Dilemma for the Enterprise
Thursday, December 5, 2013
900 HRS PST/1200 HRS EST • FREE
60 MINUTES INCLUDING Q&A
Brought to you by:
Abusing Web APIs Through Scripted Android Applications by Daniel Peck
Enterprise API Security Choices by Blake Dournaee
Enterprise security teams are dealing with a deluge of API deployments from internal SOA, B2B partner APIs, corporate BYOD initiatives, and open developer community API innovation. Applying consistent threat protection, authentication, rate limits, security standards, and general corporate visibility into API security vulnerabilities from device to the server side is a complex endeavor.
To illustrate the issues, we dive into an example of abusing web application APIs through the use of associated Android apps. We'll demonstrate using the JVM based scripting language JRuby to load, modify, and run code from targeted APKs in an easily scriptable way. We'll leverage this to demonstrate attacks against web APIs that have reduced their security requirements in order to allow for a frictionless mobile experience, such as removing the need for captchas, email validation, and other usage restrictions.
Blake Dournaee is currently the Sr. Product Manager responsible for Intel Expressway line of API Gateway and Data Protection software products. Blake was a specialist in applied cryptography applications at RSA Security and is frequent speaker at API and PCI-DSS conferences. Blake co-authored the first book on XML security "SOA Demystified" from Intel press. Blake blogs at Intel’s Application Security site.
Intel Expressway Software for API Management & Compliant Data Protection Intel delivers a portfolio of enterprise-class data center software products designed to help expose app APIs and data across on-prem, cloud, hybrid, and mobile environments. Includes on-prem and SaaS API management portal solutions seamlessly integrated with an API Gateway for security. Visit cloudsecurity.intel.com for more.