Traditional vs. Modern Web Application

47 views
Skip to first unread message

Ailton da SIlva dos Santos Filhos

unread,
Apr 28, 2020, 1:39:49 PM4/28/20
to API Security Project
Hello everyone, 
I have a question specifically to Erez Yalon and Inon Shkedy. However, as might help other researchers, I'm asking here in the group.

In "API Security Project OWASP Projects Showcase" slides you guys compare Traditional and Modern Web Applications and highlit how API based apps are different. 
I think we all agree with the statements, and empirically we know that they are true. However, I was not able to find any material (books, scientific articles, etc) that confirm those ideas and say the same thing.

So, my question is: do you have the sources that inspire the comparison made in these slides?

PS: I'm particularly interested in the source that confirms that, in API Based Applications, "More parameters are sent in each HTTP request (object ID’s, filters)".

Best regards,
Ailton

Inon Shkedy

unread,
Apr 28, 2020, 11:47:13 PM4/28/20
to Ailton da SIlva dos Santos Filhos, API Security Project

Hi Ailton,


That's a great question, and I'm glad you asked it.

The creation process of the initial version of the OWASP Top 10 for APIs was a ten months process led by Erez, Paulo and me. 


Unfortunately, we had a limited amount of time to spend on the project (we all have full-time jobs). As you can imagine, this type of project requires a lot of research, and there are many ways to do it. We decided to focus our research by using the following inputs:

  • Bug Bounty reports from the last 4-5 years.
  • Blog posts from pen-testers and security researchers that talk about recent API breaches.
  • White papers and documents from companies in the field of API security and next-generation firewalls.
  • Reports from advisory firms.
  • A lot of feedback and input from software developers, security engineers, and pen-testers from the amazing OWASP community.


Our goal was to create a useful and practical list for engineers who want to learn about API Security, not to write an academic paper. I'm positive that if we spend time reviewing technical books and theoretical documents from universities, we can find more scientific evidence for our hypothesis.

I would be more than happy to see that, but we preferred to invest our time on reviewing more practical inputs and on consulting with many experts in the industry.


I'm sorry I can't provide you with what you asked for, but here are two "non-scientific" resources that shed some light on the "More Parameters" aspect:


  1. My Medium article ("Why is it so common in modern applications?" section):  
  2. I attached a document I wrote a while ago for internal discussion with Erez (I didn't plan to publish it, so I'm sorry for any grammatical or spelling mistakes :) )


Thanks,

Inon



--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/843fa706-f6c6-4ab1-a701-875084f4f9bd%40owasp.org.
APIs as data sources.pdf

Adam Fisher

unread,
Apr 29, 2020, 2:15:33 AM4/29/20
to Inon Shkedy, Ailton da SIlva dos Santos Filhos, API Security Project
Great article Inon.  Thanks for the insight.

Kind regards,
Adam

 
Adam Fisher | Principal Security Engineer |
CISSP, CCSP,  AWS Solutions Architect, MCP - Azure
Ad...@salt.security| o: +1 801-616-9031


From: Inon Shkedy <in...@traceable.ai>
Sent: Tuesday, April 28, 2020 9:47 PM
To: Ailton da SIlva dos Santos Filhos
Cc: API Security Project
Subject: Re: [api-security-project] Traditional vs. Modern Web Application

Ailton da SIlva dos Santos Filhos

unread,
Apr 29, 2020, 12:00:18 PM4/29/20
to Inon Shkedy, API Security Project
Hi Inon,

Thank you for your prompt reply and for the material that you are sharing with us.
I'm pretty sure that it is going to be useful to me and the community.
I'm confident that it's a matter of time to popping up scientific works that address these topics.

And congrats for your, Erez's, and Paulo's hard work in the  OWASP API Security project. It's an important project.

Best regards,
Ailton
--
Att. Ailton da Silva dos Santos Filho
Mestre em Ciência da Computação
Engenheiro da Computação

P J

unread,
May 5, 2020, 12:32:13 AM5/5/20
to Ailton da SIlva dos Santos Filhos, Inon Shkedy, API Security Project
Hey Everyone, 

I am interested in doing a presentation on API security. I am teaming up with my partner APISec and would like to do a demo of how their tool can be used to provide visibility into vulnerabilities for an API. Based on what I am trying to accomplish can you please provide some suggestions on which meetup or group would best work? This tool has the ability to identify RBAC and ABAC vulnerabilities and I think it is really cool. Thanks in advance for your help!


-Peter

Adam Fisher

unread,
May 5, 2020, 12:51:00 AM5/5/20
to P J, Ailton da SIlva dos Santos Filhos, Inon Shkedy, API Security Project
Peter,

I would suggest you look for your local Bsides security group(http://www.securitybsides.com/).  I just presented on the OWASP API Top 10 in my local virtual BSides conference in SLC in February.  

After that start looking at ISACA and ISSA security chapters.

Kind regards,

Adam





Adam Fisher
Principal Security Engineer
CISSP, CCSP, AWS Solutions Architect

prjam...@gmail.com

unread,
May 5, 2020, 2:34:42 AM5/5/20
to Adam Fisher, Ailton da SIlva dos Santos Filhos, Inon Shkedy, API Security Project
Thanks Adam. Where can I find your latest talk?

-Peter

On May 4, 2020, at 11:50 PM, Adam Fisher <ad...@salt.security> wrote:



Adam Fisher

unread,
May 5, 2020, 10:00:17 AM5/5/20
to P J, Ailton da SIlva dos Santos Filhos, Inon Shkedy, API Security Project

Kind regards,

Adam





Adam Fisher
Principal Security Engineer
CISSP, CCSP, AWS Solutions Architect
MCA - Azure


Dmitry Sotnikov

unread,
May 5, 2020, 12:59:20 PM5/5/20
to Adam Fisher, P J, Ailton da SIlva dos Santos Filhos, Inon Shkedy, API Security Project
Local OWASP meetups and DevSecOps events can also be good. Lots of them are now gone online.

Here's my OWASP API Sec Top 10 talk from DevSecOps Days in Austin a few months ago: https://www.youtube.com/watch?v=xAKcE15fxdA

Dmitry



--

Dmitry Sotnikov

Chief Product and Marketing Officer
42Crunch
Cell: +1.949.303.9653, Skype: DSotnikov, TwitterLinkedIn




Reply all
Reply to author
Forward
0 new messages