F5 API Security Lab Day

The F5 team hosted an interactive Capture the Flag competition where attendees worked with their peers to hunt for API vulnerabilities.

In this lab and Capture the Flag exercise, attendees learned how to identify and mitigate:

  • Hard-Coded Secrets: Many applications exchange user credentials for a hard-coded token or key.
  • Broken Authorization: Providing blanket access to the API keys has proven detrimental to multiple mobile and web applications.
  • Data Access Control on User Interface (UI): APIs can pull more data from a server than an app is authorized to share.
  • Security Check for User Interface (UI): Checks are built into the UI, but they can be circumvented with man-in-the-middle tools or API tools.
  • Weak Tokens: JSON Web Tokens (JWTs) without a proper cryptographic signature can lead to privilege escalation.
  • Credential Stuffing: Bots can be used to scrape APIs for data or to validate stolen credentials.
  • Version Troubles: APIs are often changed to add functionality or remove unused features.

Speaker Details

Peter Scheffler, Senior Solutions Architect, F5

Arnulfo Hernandez, Solutions Architect, F5

Event Topic

IT, Mobile, Security

Relevant Audiences

All State and Local Government, All Federal Government

Other Agency

Other Federal Agencies
Event Type
On-Demand
Event Subtype
Webinar / Webcast
Registration Cost
Complimentary
Organizers
Carahsoft Technology Corp.