Fortify APIs Mastering Penetration Testing for Robust Application Security
October 4th & 5th, 2023 | Grand Hyatt, Kochi, India
WS-01
The objective of this course is to empower penetration testers and security professionals with the knowledge and skills needed to effectively identify and address vulnerabilities in APIs, ensuring robust application security. By the end of the course, participants will be able to:
- Understand the unique challenges and approaches to API security testing.
- Master automation techniques and tools for API penetration testing.
- Develop comprehensive checklists and methodologies for discovering API insecurities.
- Identify and mitigate common API vulnerabilities such as broken object level authorization, injection, and misconfigurations.
- Gain practical experience in conducting API security assessments through hands-on exercises.
- Enhance their ability to perform thorough API security testing within the context of application penetration testing.
- Apply best practices for securing APIs and preventing potential security breaches.
- Stay updated with the latest trends and techniques in API security testing.
Overall, this course aims to equip participants with the necessary skills, techniques, and knowledge to effectively assess and fortify API security, ultimately enhancing the overall security posture of applications.
Course Content (ToC):
- Intro to API Security
  - Different Approaches to API Security Testing
  - Challenges in API Security Testing
  - Traditional API Testing vs. API Security Testing
  - Standards in API Development
  - OWASP Top 10 API Attacks
- Automation in API Testing
  - Role of Automation in API Pen-testing
  - Deep Dive with Postman for API Pen-testing
  - Automation in API Fuzzing with Open Source Tools
- Discovering API Insecurities
  - Building API Security Testing Checklists
  - Discovering Hidden API Endpoints
  - Common API Endpoints for Quick Wins
  - Testing for Unhandled HTTP Methods
  - Sensitive Data Disclosed with API OSINT
- API Pentesting OWASP Top 10
  - Broken Object Level Authorization
  - Broken User Authentication
  - Excessive Data Exposure
  - Lack of Resources & Rate Limiting
  - Broken Function Level Authorization
  - Mass Assignment
  - Security Misconfiguration
  - Injection
  - Improper Assets Management
  - Insufficient Logging & Monitoring
Prerequisite:
This course has no specific knowledge prerequisites; it is designed to accommodate participants with different skill levels.
Participants Requirements:
- Laptop with at least 8GB RAM, 50GB disk space, and virtualization turned on (for non-Unix operating systems)
- Internet connection
Duration:
2 Days
Who should attend
Mobile and web application developers, penetration testers, and anyone interested in gaining exposure to API security
What to expect
Gain exclusive, lifetime access to meticulously curated slides and immersive, hands-on material covering the most cutting-edge topics in API security, along with unlimited email support and access to private groups to communicate with other participants.
This is a practical course on API security that will boost your knowledge and career regardless of your skill level and experience, with top tips and tricks that you can apply practically as soon as you are back at your workplace.
What not to expect:
This is a course unlike any other, where you will get lifetime access to all the slides and lab exercises.
This course, however, does not cover any sort of 0-days, OS-level exploits (macOS, Windows, Linux), binary exploitation, etc.
Do not expect the instructors to always be going through the slides, as this is a practical approach to learning rather than a theoretical course. In this highly hands-on workshop, the trainers will guide and assist you in exploiting real-life simulated scenarios to enhance your practical skills, rather than simply going through the slides.
Speakers

Ashwin Shenoi
Lead Security Engineer, CRED, India
Ashwin Shenoi is a Lead Security Engineer at CRED with an avid passion for application security. He is highly skilled in application penetration testing and automation. Ashwin is a core member of team bi0s, a top-ranked Capture The Flag (CTF) team according to CTFTime. In his role as head of the Web Security team at team bi0s, he also serves as the core challenge setter and organizer for various editions of InCTF and other CTFs organised by team bi0s. Ashwin is also a Security Trainer with 7ASecurity, and has presented talks and security trainings at various security conferences such as BlackHat Asia, BlackHat USA, BlackHat Europe, Nullcon, and ThreatCon. Ashwin has a strong background in identifying and exploiting vulnerabilities in open source applications, and he has been awarded multiple CVEs for his contributions to the security community.

Aswin M Guptha
Senior Security Engineer, Traboda CyberLabs, India
Aswin M Guptha is a Security Researcher at Traboda who has over 8 years of expertise in web application security. He has extensively participated in various penetration testing activities on infrastructure ranging from CMSs to hospitals over the past few years. He is also involved in testing various mobile applications. He has also delivered talks and training for students, working professionals and government authorities on various advanced topics.