Pada tanggal 29 November -1 December 2022 telah dilaksanakan pelatihan dengan topik REST API Security. Peserta dari pelatihan ini adalah software architect dari department Strategic Information System, PT Pamapersada Nusantara. Pelatihan ini dilangsungkan di Actual Training, Yogyakarta.
Dengan semakin popular nya aplikasi mobile, backend services, dan penerapan arsitektur microservices maka pengetahuan tentang bagaimana cara mengamankan aplikasi khususnya REST API semakin dibutuhkan, sehingga dapat meminimalkan serangan yang mungkin terjadi pada aplikasi backend yang kita kembangkan.
Tujuan dari pelatihan ini adalah membahas berbagai macam serangan dan ancaman keamanan pada aplikasi backend berbasis REST API.
Adapun materi yang disampaikan pada pelatihan REST API Security ini adalah sebagai berikut:
- The Age of the API
- The Hidden Nature of API Security
- What Exactly Is an API?
- What’s the Scope of This Course?
- Introducing Supercar Showdown
- Introducing the Vulnerable Mobile App
- Discovering Device Communication With APIs
- Who Are We Protecting Our APIs From?
- Proxying Device Traffic Through Fiddler
- Interpreting Captured Data in Fiddler
- Intercepting Mobile App Data in Fiddler
- Discovering More About Mobile Apps via Fiddler
- Filtering Traffic in Fiddler
- Alternate Traffic
- Interception Mechanisms
- Discovering Leaky APIs
- Securing a Leaky API
- Discovering Hidden APIs via Documentation Pages
- Discovering Hidden APIs via robots.txt
- Discovering Hidden APIs via Google
- Securing Hidden API
- Defining Untrusted Data
- Modifying Web Traffic in Fiddler
- Manipulating App Logic by Request Tampering
- Response Tampering
- API Authentication and Authorization Vulnerabilities
- Introduction
- Identifying Authentication Persistence
- The Role of Tokens
- An Auth Token in Practice
- An Overview of Authorization Controls
- Identifying Client Controls vs. Server Controls
- Circumventing Client Authorization Controls
- Testing for Insufficient Authorization
- Testing for Brute Force Protection
- OWASP API Security Top 10 goals
- Broken Object Level Authorization
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection Module Watched
- Improper Assets Management
- Insufficient Logging and Monitoring
- Secure Coding with OWASP Resources
- OWASP ASVS
- Authentication
- Session Management
- Access Control
- Securely Handling Input and Output Data
- Protecting Sensitive Data
- Secure Error Handling and Logging
- Managing Vulnerable Dependencies
- Protecting the Business Logic
- Handling Untrusted Files
- Hardening Configuration
Actual Training 