Public REST APIs have become mainstream. It is not just startups such as Facebook and twitter at the fore front of the REST revolution. Now, almost every company that wants to expose services or an application programming interfaces does it using a publicly exposed REST API. Although, many people have given talks about attacking REST APIs from a pen-tester's point of view –little discussion has occurred related to application layer vulnerabilities in REST APIs.
This talk gives code reviewers the skills they need to identify and understand REST vulnerabilities at the application code level. The findings are a result of reviewing production REST applications as well as researching popular REST frameworks.
Abraham Kang is fascinated with the nuanced details associated with programming languages and their associated APIs in terms of how they affect security. Abraham has a Bachelor of Science from Cornell University and a J.D. from Lincoln Law School of San Jose. He recently joined Samsung as a Director of R&D helping to drive security across new products and services in development. Prior to joining Samsung, Abraham worked as Principal Security Researcher for HP Fortify in their Software Security Research group. Prior to joining Fortify, Abraham worked with application security for over 10 years, reviewing over 12 million lines of code, and working over 4 years as a dedicated security code reviewer at Wells Fargo. He is focused on application, framework and mobile security and has presented his findings at Black Hat U.S.A., OWASP AppSec U.S.A., Baythreat, RSA, BSIDES, and HP Protect. When he is not finding security vulnerabilities, he is studying the law in relation to information security.
Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past couple years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the OWASP O2 Platform which is an Open Source project that is focused on 'Automating Security Consultants Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between: the multiple WebAppSec tools, the Security consultants and the final users (from management to developers).