Trainings & Workshops

Apily offers the following trainings and workshops.

Authentication & Authorization using OAuth2 - introduction

Approach

In this introductory training the basics of authentication and authorization using OAuth2 are taught. This training is for developers and architects who want an initial introduction to OAuth2, want to know the difference between OAuth2 and OIDC, or want to know how to leverage OAuth2 or OIDC in their application landscape.

Intended Audience

  • Developers
  • Architects

Result

After the training participants know

  • An introduction to OAuth2
  • The different roles and participants
  • The various grant flows
  • How to use different scopes
  • The difference between OAuth2 and OIDC
  • How JWTs are used


OAuth beyond the basics

Approach

In this deep dive training we go beyond the basics and look at detailed security considerations for OAuth2 and OIDC: the addition of PKCE, protective measures against token theft using "dirty dancing" style attacks, and various JWT attacks and security considerations. Using the IETF OAuth 2.0 Security Best Current Practice as a guide, this training provides the current security configurations and mitigations to apply when using OAuth2 or OIDC.
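As an added illustration of the PKCE part of this training (this is example code written for this page, not Apily course material), the following Python shows the RFC 7636 S256 exchange end to end: the client derives a code challenge from a random verifier, the authorization server binds that challenge to the authorization code, and the token endpoint refuses the code unless the matching verifier is presented. The AuthorizationServer class is an in-memory stand-in for a real server; only the PKCE-relevant state is modeled.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional

# Added example, not Apily course material. Implements the RFC 7636 "S256"
# method with the standard library only; AuthorizationServer is a toy
# in-memory stand-in for the real thing.


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS keeping only the PKCE state: authorization code -> (challenge, method)."""

    def __init__(self) -> None:
        self._codes: Dict[str, tuple] = {}

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint: bind the challenge to a fresh, single-use code."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> bool:
        """Token endpoint: consume the code and require a verifier matching its challenge."""
        entry = self._codes.pop(code, None)  # single use, whether or not the check passes
        if entry is None or code_verifier is None:
            return False
        challenge, method = entry
        if method != "S256":
            return False  # refuse "plain": a leaked challenge would equal the verifier
        if not 43 <= len(code_verifier) <= 128:
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def run_flow(attacker_steals_code: bool) -> bool:
    """Simulate one authorization-code exchange; True if the token request is accepted."""
    verifier = make_code_verifier()
    server = AuthorizationServer()
    code = server.authorize(make_code_challenge(verifier), "S256")
    if attacker_steals_code:
        # The attacker intercepted the redirect and replays the code, but never
        # saw the verifier, which only lives in the legitimate client.
        return server.token(code, None)
    return server.token(code, verifier)


if __name__ == "__main__":
    print("legitimate client:", run_flow(attacker_steals_code=False))
    print("stolen code replay:", run_flow(attacker_steals_code=True))
```

The point of the check at the token endpoint is that a stolen authorization code is worthless on its own: without the verifier the exchange fails, and the code is consumed in the process, so the legitimate client's later attempt also fails and the theft becomes visible.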

Intended Audience

  • Developers
  • Security specialists

Result

After the training participants know

  • How to apply the OAuth2 security best practices
  • How PKCE can protect public clients
  • About token theft using “dirty dancing” style attacks and how to mitigate them
  • Different JWT attacks
    • None attack
    • Algorithm switch attack
    • JWT Crack attack
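As an added example for the JWT attacks listed above (written for this page, not taken from the training), the Python below implements a minimal HS256 signer and two verifiers side by side. The insecure verifier lets the token's own "alg" header decide how it is checked, so a forged token with "alg": "none" and an empty signature is accepted. The hardened verifier pins the algorithm and key the server expects before it looks at the signature. The algorithm switch attack (RS256 to HS256, using the server's public key as the HMAC secret) has the same root cause and is closed by the same pinning; it is not shown here because RSA is not in the standard library. The key and payloads are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example, not Apily course material. HS256 only, standard library only.


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token."""
    header_b64 = _segment({"alg": "HS256", "typ": "JWT"})
    body_b64 = _segment(payload)
    sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{body_b64}.{b64url_encode(sig)}"


def forge_none_token(payload: dict) -> str:
    """What an attacker sends: 'alg': 'none' and an empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_insecure(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE: the token's header chooses the verification algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body_b64))  # no signature checked at all
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(body_b64))
    return None


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """HARDENED: the verifier decides the algorithm; a mismatching header is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))


if __name__ == "__main__":
    key = b"constructed-sample-key-not-for-production"
    forged = forge_none_token({"sub": "alice", "role": "admin"})
    print("insecure verifier accepts forged token:", verify_insecure(forged, key))
    print("pinned verifier accepts forged token:", verify_pinned(forged, key))
```

The hardened verifier also defends against the "JWT crack" attack only as far as the key does: with a short or guessable HMAC secret an attacker can brute-force the signature offline, so pinning the algorithm must go together with a key of at least 256 bits of entropy.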


API Security

Approach

In this deep dive training we go beyond authentication & authorization and look at various API specific threats and mitigations. Using the OWASP API Security Top 10 as a guide, each threat is analyzed by going over possible attack scenarios, the tools leveraged and the available mitigations.

Intended Audience

  • Developers
  • Security specialists

Result

After the training participants know

  • Techniques for API endpoint discovery
  • About authorization vulnerabilities like BOLA (Broken Object Level Authorization) and BFLA (Broken Function Level Authorization)
  • Fuzzing techniques
  • Using mass assignment attacks
  • Using common web application attacks like injection and SSRF, and authentication attacks like password spraying
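As an added illustration of the BOLA and BFLA items above (example code written for this page, not part of the training), the Python below shows a vulnerable and a hardened version of two API handlers over a constructed in-memory invoice store. The vulnerable object handler returns any invoice to any authenticated caller; the hardened one requires the record to belong to the caller and answers "not found" either way so that ids cannot be enumerated. The vulnerable delete handler is an admin-only function with no role check; the hardened one enforces it. The store, users and roles are constructed sample data.

```python
import copy
from typing import Dict, Optional

# Added example, not Apily course material. Sample data is constructed.
_SAMPLE_INVOICES = {
    "1001": {"owner": "alice", "total": 120.00},
    "1002": {"owner": "bob", "total": 80.50},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


def sample_store() -> Dict[str, dict]:
    """Fresh copy of the sample invoices so every scenario starts from the same state."""
    return copy.deepcopy(_SAMPLE_INVOICES)


def get_invoice_vulnerable(store: Dict[str, dict], current_user: str, invoice_id: str) -> Optional[dict]:
    """BOLA: the caller is authenticated, but any user can read any invoice by id."""
    return store.get(invoice_id)


def get_invoice_hardened(store: Dict[str, dict], current_user: str, invoice_id: str) -> Optional[dict]:
    """Object-level authorization: the record must belong to the caller."""
    record = store.get(invoice_id)
    if record is None or record["owner"] != current_user:
        # Same response for "missing" and "not yours", so ids cannot be enumerated.
        return None
    return record


def delete_invoice_vulnerable(store: Dict[str, dict], current_user: str, invoice_id: str) -> bool:
    """BFLA: an admin-only operation reachable by every authenticated user."""
    return store.pop(invoice_id, None) is not None


def delete_invoice_hardened(store: Dict[str, dict], current_user: str, invoice_id: str) -> bool:
    """Function-level authorization: only the admin role may call this at all."""
    if ROLES.get(current_user) != "admin":
        return False
    return store.pop(invoice_id, None) is not None


if __name__ == "__main__":
    store = sample_store()
    print("bob reads alice's invoice (vulnerable):", get_invoice_vulnerable(store, "bob", "1001"))
    print("bob reads alice's invoice (hardened):", get_invoice_hardened(store, "bob", "1001"))
    print("bob deletes as non-admin (hardened):", delete_invoice_hardened(store, "bob", "1001"))
```

In a real API the ownership and role checks belong in one shared authorization layer rather than in each handler, so that a new endpoint cannot forget them; the handlers above keep the checks inline only to make the difference visible.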


API Threat Modeling

Approach

In this interactive workshop the participants create a threat model for one or more APIs, either existing APIs or APIs that are currently being considered for design and implementation. Using the STRIDE methodology (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), different threats are identified, forming a solid base for designing and implementing mitigations from the design up and resulting in a "secure by design" API.

Intended Audience

  • Developers
  • Security specialists
  • Architects

Result

After the training participants have

  • Detailed the architectural setup for the API
  • Identified and documented various threats using STRIDE
  • Identified some high level mitigations to be implemented in the design and implementation of the API
