
How to hack your APIs

Are you doing all you can to ensure that your APIs are secure? If you haven't started security testing yet, now is the time. It is estimated that by 2020 there will be more than 50 billion objects connected to the Internet, and most of those objects will be using APIs. Not sure where to start?

Troy Hunt, author of the Pluralsight course Hack Your API First, shares all you need to know about the basics of API security testing, including the tools and techniques you’ll need to quickly get started. Troy’s motto is, “Hack yourself before you get hacked!”

About Troy Hunt


Troy is a Software Architecture Lead for a Fortune 50 healthcare company, Microsoft MVP for Developer Security and ASPInsider who's been building software for browsers since the very early days of the web. He blogs regularly about web security at troyhunt.com and is the author of the OWASP Top 10 for .NET developers series and the free eBook of the same name. He's also a frequent conference speaker and the creator of the Automated Security Analyzer for ASP.NET Websites (ASafaWeb) at asafaweb.com. Away from electronic devices, Troy is an avid snowboarder, windsurfer, tennis player and regular motor sport participant.

Quotes & Insights from this Test Talk

  • The earlier we can find security issues in the APIs we’re developing, the better.
  • It’s a good idea to have a dedicated security professional on your team.
  • The life of an app doesn’t end after we release; ongoing, continuous monitoring is always a good idea.
  • Never get lulled into thinking your API/Application is safe; it’s kind of like saying your car is safe. Validation is needed on the client and the server.
  • Just look at the HTTP request and forget about the client, and see what you can find.
  • You’ve got to assume that an attacker owns the device and the connection, and he can manipulate anything on either the client or server side.
  • Not expecting your services to be discoverable is a common blind spot in API security.
  • Returning excessive data is a common issue with REST service security.
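To make the last few points concrete, here is an added Python sketch (not code from the episode, from Troy's course, or from any real API) of one user-record endpoint written twice. The first pair of handlers trusts a client-supplied role header, returns the whole stored row, and writes every field the client sends; the second pair authorizes only from server-side session state, returns an explicit response model, and allowlists the fields a caller may change. The request shape, the field names and the sample records are all constructed for the example.

```python
"""Trusting the client versus deciding on the server, on one user endpoint.
Constructed example: the request dict, field names and sample rows are invented
for illustration and do not come from any real API or framework."""
import copy

# Constructed backing store. Only the server should ever see password_hash and ssn.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "password_hash": "$2b$12$alice",
        "ssn": "123-45-6789", "role": "user"},
    2: {"id": 2, "email": "bob@example.com", "password_hash": "$2b$12$bob",
        "ssn": "987-65-4321", "role": "admin"},
}
PUBLIC_FIELDS = ("id", "email", "role")   # what a response may contain
WRITABLE_FIELDS = ("email",)              # what a caller may change about themselves


def fresh_store():
    """A private copy of USERS so each scenario starts from clean data."""
    return copy.deepcopy(USERS)


def make_request(session_user, target_id, headers=None, body=None):
    """The slice of an HTTP request these handlers read. session_user is the id the
    server recovered from its own session state; path_params, headers and body came
    off the wire and are attacker-controlled."""
    return {"session_user": session_user, "path_params": {"id": str(target_id)},
            "headers": headers or {}, "body": body or {}}


def _target_id(request):
    """Parses the path id; returns None when it is not a non-negative integer."""
    raw = request["path_params"].get("id", "")
    return int(raw) if raw.isdigit() else None


def _authorized(store, request, target):
    """Server-side decision: the caller is the target, or is an admin per the store."""
    actor = store.get(request["session_user"])
    return actor is not None and (actor["role"] == "admin" or actor["id"] == target)


def get_user_vulnerable(store, request):
    """GET /users/{id} that believes the client and returns the whole row."""
    target = _target_id(request)
    if target is None or target not in store:
        return 404, {"error": "not found"}
    # Bug 1: X-Role is set by the client, so anyone can claim to be an admin.
    if request["headers"].get("X-Role") == "admin" or target == request["session_user"]:
        # Bug 2: the stored row goes out unfiltered, password_hash and ssn included.
        return 200, dict(store[target])
    return 403, {"error": "forbidden"}


def get_user_hardened(store, request):
    """GET /users/{id} that authorizes from server state and returns a response model."""
    target = _target_id(request)
    if target is None or target not in store:
        return 404, {"error": "not found"}
    if not _authorized(store, request, target):
        return 403, {"error": "forbidden"}
    return 200, {k: store[target][k] for k in PUBLIC_FIELDS}


def update_user_vulnerable(store, request):
    """PUT /users/{id} that copies every body field into the record."""
    target = _target_id(request)
    if target is None or target not in store:
        return 404, {"error": "not found"}
    if not _authorized(store, request, target):
        return 403, {"error": "forbidden"}
    # Bug: a user updating their own record can also send {"role": "admin"}.
    store[target].update(request["body"])
    return 200, {k: store[target][k] for k in PUBLIC_FIELDS}


def update_user_hardened(store, request):
    """PUT /users/{id} that rejects any field outside the server's allowlist."""
    target = _target_id(request)
    if target is None or target not in store:
        return 404, {"error": "not found"}
    if not _authorized(store, request, target):
        return 403, {"error": "forbidden"}
    rejected = sorted(set(request["body"]) - set(WRITABLE_FIELDS))
    if rejected:
        return 400, {"error": "field not writable", "fields": rejected}
    for field in WRITABLE_FIELDS:
        if field in request["body"]:
            store[target][field] = request["body"][field]
    return 200, {k: store[target][k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    store = fresh_store()
    # Alice (id 1) reads Bob's row by forging a header; the hardened handler refuses.
    print(get_user_vulnerable(store, make_request(1, 2, headers={"X-Role": "admin"})))
    print(get_user_hardened(store, make_request(1, 2, headers={"X-Role": "admin"})))
    # Alice promotes herself through a self-update; the hardened handler rejects the field.
    print(update_user_vulnerable(store, make_request(1, 1, body={"role": "admin"})))
    print(update_user_hardened(fresh_store(), make_request(1, 1, body={"role": "admin"})))
```

The point of the pairing is that nothing in the request itself is trusted: the only input the hardened handlers act on without checking is the session user id, which the server recovered from its own state, while headers, path and body are treated as attacker-controlled. Replaying the same requests with a proxy against a real service, and comparing what comes back with what the client actually renders, is the quickest way to spot both the forged-header and the over-exposed-row problems.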



4 comments
Review – How to Hack Your API-Security Testing | Joe Colantonio - Selenium-UFT-QTP-SoapUI-ALM-LoadRunner & more - October 4, 2014

[…] sneak peek of some of the security testing awesomeness Troy shares in his course, take a listen to episode 21 of TestTalks, where I interview Troy about this course and much, much […]

Reply
Joe - October 10, 2014

Thank you very much, Joe, for the great work that you are doing for the testing community.
This particular episode opened my eyes to ways to detect software security loopholes, and I would definitely recommend that listeners listen to it.
Keep up the good work, Joe

Reply
    Joe Colantonio - October 10, 2014

    Thanks Joe – I agree Troy’s pluralsight courses really opened my eyes to security holes too.

    Reply
Testing Podcast » Blog Archive » 21: Troy Hunt: Hack Your API-Security Testing - February 9, 2015

[…] Show notes: 21: Troy Hunt: Hack Your API-Security Testing […]

Reply