PRO WORKSHOP (API): API’s Dark Side: Addressing AppSec’s Biggest Challenge


Erez Yalon
Checkmarx, Director of Security Research

Erez Yalon, Director of Security Research and co-founder of the OWASP API Security Top 10 list, oversees Checkmarx’s research team comprising analysts, pen-testers, secure developers, and bug bounty hunters. He brings vast experience to his position, and his efforts empower today’s developers and organizations to deliver more secure software, applications, and devices. Erez is the co-founder of the DEF CON AppSec Village. Over the years, he has been invited to speak at prominent events including RSA Conference USA, RSA Conference APJ, Infosecurity Europe, Black Hat Asia, DEF CON, API World, and OWASP’s AppSec USA, among others, while also being featured in news outlets such as Fortune, Forbes, WIRED, TechCrunch, and Dark Reading.


While APIs have clear and obvious benefits, they’re also creating a rapidly growing attack surface that isn’t widely understood and is sometimes completely overlooked by developers and software architects. With recent reports suggesting that by 2022, API abuses will be the most frequent attack vector leading to data breaches within enterprise web applications, securing them is a top challenge and must be a bigger priority.

The first step in accomplishing this goal is generating awareness around the most critical API-related vulnerabilities and the ways of protecting APIs against them.

This significant gap in knowledge drove me to spearhead the development of the OWASP API Security Top 10 list, which was officially published at the end of 2019, to inform organizations, developers, and security professionals about the top issues impacting API-based applications. Since its publication, it has been adopted as the de facto standard by many organizations and security specialists.

In this talk, I'll emphasize the uniqueness of API-centric design from the security angle, highlight the risks presented by API use, and show why an increased level of awareness is required to mitigate those risks. From there, I'll dive into the top security risks presented in the OWASP API Security Top 10 list and provide example attack scenarios for each. Finally, I will share what we can expect to see when it comes to API exploitation moving forward, as modern software is increasingly targeted by adversaries.