October 15-17 | Vancouver, British Columbia
Techniques
Thursday, October 17
 

11:00am PDT

Hypermedia from the Trenches: Building a Decentralized Data-graph - Antonio Garrote, MuleSoft
Speakers

Antonio Garrote

Principal Architect, MuleSoft
Principal architect at MuleSoft, I have been working in the API space for more than 15 years. My academic background is in linked data and semantics, but always with a focus on practical engineering problems that these areas of research could solve.



Thursday October 17, 2019 11:00am - 11:30am PDT
Junior Ballroom D
  Techniques, In Depth
  • Session Slides Included Yes

11:30am PDT

Are You Properly Using JWTs? - Philippe Leothaud, 42Crunch
JSON Web Tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWTs are often misused and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper validation.

This session focuses on best practices and real world examples of JWT usage, where we cover:

- Typical scenarios where using JWT is a good idea
- Typical scenarios where using JWT is a bad idea!
- Principles of Zero trust architecture and why you should always validate
- Best practices to thoroughly validate JWTs and potential vulnerabilities if you don’t.
- Use cases when encryption may be required for JWT

Speakers

Philippe Leothaud

Chief Architect, 42Crunch
Philippe Leothaud has over 20 years of experience in Identity Management, application security and integration. After 8 years at BeeWare (now acquired by DenyAll) as CTO of a company focusing on Web Application Firewall, Web SSO and Web Access Management, and 6 years at Vordel (now...



Thursday October 17, 2019 11:30am - 12:00pm PDT
Junior Ballroom D
  Techniques, In Depth
  • Experience Level Any
  • Session Slides Included Yes

12:00pm PDT

Security in OpenAPI Specification - Philippe Leothaud, 42Crunch
The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect.

In this session, API security expert, Philippe Leothaud, will show how OpenAPI allows for making APIs secure by design and enabling DevSecOps for API infrastructures. He will also discuss which aspects of API security are covered today in OpenAPI contracts and what extensions to the specification are foreseen to have all aspects covered.

Speakers

Philippe Leothaud

Chief Architect, 42Crunch



Thursday October 17, 2019 12:00pm - 12:30pm PDT
Junior Ballroom D
  Techniques, In Depth
  • Experience Level Any
  • Session Slides Included Yes
 