Resting on Your Laurels Will Get You Pwned: Effectively Code Reviewing REST Applications to Avoid Getting Pwned

Presented at DEF CON 21 (2013), Aug. 4, 2013, 11 a.m. (45 minutes)

Public REST APIs have become mainstream. It is no longer just startups such as Facebook and Twitter at the forefront of the REST revolution: now almost every company that wants to expose services or an application programming interface does so through a publicly exposed REST API. Although many people have given talks about attacking REST APIs from a pen-tester's point of view, little discussion has occurred about application-layer vulnerabilities in REST APIs.

This talk gives code reviewers the skills they need to identify and understand REST vulnerabilities at the application code level. The findings are a result of reviewing production REST applications as well as researching popular REST frameworks.


Presenters:

  • Dinis Cruz
  • Abraham Kang - Director of R&D at Samsung
    Abraham Kang is fascinated with the nuanced details of programming languages and their associated APIs in terms of how they affect security. Abraham has a Bachelor of Science from Cornell University and a J.D. from Lincoln Law School of San Jose. He recently joined Samsung as a Director of R&D, helping to drive security across new products and services in development. Prior to joining Samsung, Abraham worked as Principal Security Researcher for HP Fortify in its Software Security Research group. Prior to joining Fortify, Abraham worked in application security for over 10 years, reviewing over 12 million lines of code and spending over 4 years as a dedicated security code reviewer at Wells Fargo. He is focused on application, framework and mobile security and has presented his findings at Black Hat U.S.A., OWASP AppSec U.S.A., BayThreat, RSA, BSides, and HP Protect. When he is not finding security vulnerabilities, he is studying the law in relation to information security.
