API Security 101: Tools, Tips and Tricks | Pen Test HackFest Summit 2021

APIs have become the de facto standard in software development around the world. Every organization creates and publishes their own APIs, even banks and e-commerce sites. They are developed when organizations want to share their services without exposing sensitive information like their database structure. But what about the security of these services? Are they well protected? Even RSAC, one of the most prominent information security conferences in the world, had an API vulnerability in their mobile app in 2018 that leaked the first and last names of some users. In this talk, we'll show some basic steps you can take today to start looking for vulnerabilities in APIs. From the level of exposure to information sensitivity to the ability to modify data, there are several things you can check and look for when testing an API. We'll demonstrate some not-so-standard tools for testing APIs and some common vulnerabilities you can find by using them.

Moderator: Magno Logan, Information Security Specialist, Trend Micro
https://www.sans.org/profiles/magno-logan/

Check out the upcoming summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE
