“New conference in town”

Today was the first day of the APIsecure API security conference, and as it was a free conference I didn’t know what to expect. I actually somehow missed it last year, so I didn’t know what to expect. I was expecting a lot of “product coverage”, but it was the opposite, and I was pleasantly surprised that that wasn’t the case. One presenter who tried to pitch a product was actually cut off for it.

My Favorites of the Day

There were quite a few interesting talks, but my favorites of the day were:

  • Michael Taggart: “Beyond Vuln Management: How Adding Offensive Methodology Made Our APIs More Secure”
  • Antoine Carossio and Tristan Kalos (Escape workshop): “Discovering GraphQL Vulnerabilities in the Wild”
  • Ted Miracco: “Enhancing API Security with Runtime Secrets & Attestation”

Michael Taggart had the smoothest and most enjoyable presentation to follow. If the videos are uploaded, this is the one I will send to quite a few blue teamers I know. I totally agree with the idea that the blue team must know offensive tactics.

Although Antoine Carossio and Tristan Kalos had a lot of technical issues (internet problems) that made the talk a bit hard to follow, I actually liked it a lot and learned something new. I hadn’t previously taken much time to go into the details of GraphQL vulnerabilities, and this talk gave me new ideas on what to try when doing an assessment.

Ted Miracco’s talk on mobile app API security was quite interesting as well, proposing some interesting ideas on improving the security of apps. To be honest, the leak statistics shown in the talk were worse than I thought they would be.

All the talk videos/slides were supposed to be uploaded some time after the conference on their website. Can’t wait to actually be able to go through the slides and “perfect my notes” on GraphQL. The conference website can be found here.