Skip Hovsmith

A Tour of API Underprotection

April 3, 2018

An OWASP AppSec California 2018 Talk The fifth annual OWASP AppSec California was held in late January 2018 on the beach in Santa Monica. AppSec California is organized and run by an all-volunteer staff, and they put on a great conference — highly recommended. Besides excellent content and a chance to interact with many interesting colleagues, who wouldn’t want to hang out on the beach for a few days? Read Full Story

Strengthening OAuth2 for Mobile

January 3, 2018

Photo by Patrick Metzdorf on Unsplash Read Full Story

Adding OAuth2 to Mobile Android and iOS Clients Using the AppAuth SDK

October 23, 2017

OAuth2, often combined with OpenID-Connect, is a popular authorization framework that enables applications to protect resources from unauthorized access. It delegates user authentication to an authorization service, which then authorizes third-party applications to access the protected resources on the user’s behalf. OAuth 2 provides authorization flows for both web and mobile applications. Read Full Story

API Protection Requires Both User and App Authentication

August 14, 2017

As an API provider, you open your restful back end to those you trust in the hopes of doing something useful, making a profit, or both. You’re quite careful about registering and authenticating your users, and you probably identify the app they are calling from, but is that enough to protect access and your revenue stream from malicious actors? Read Full Story

Hands on Mobile API Security: Pinning Client Connections

May 31, 2017

Add TLS and Certificate Pinning While Removing Client Secrets Read Full Story

Hands on Mobile API Security - Using a Proxy to Protect API Keys

May 11, 2017

(UGC 12591: The Fastest Rotating Galaxy Known. Image Credit:NASA,ESA, Hubble) Read Full Story

Adapting OAuth2 for Internet of Things (IoT) API Security

March 30, 2017

On Friday, 21 October 2016, multiple waves of distributed denial of service (DDoS) attacks shut down major internet services across the United States and Europe. The attacking botnet army consisted mainly of printers, IP cameras, residential gateways, and baby monitors infected with Mirai malware. Mirai targets IoT devices, and though each individual IoT device was not very powerful, taken together these devices did significant damage. For many mainstream internet users, the need for strong IoT security became painfully obvious. Read Full Story

Mobile API Security Techniques Part 3

March 7, 2017

Mobile apps commonly use APIs to interact with backend services and information. In 2016, time spent in mobile apps grew an impressive 69% year to year, reinforcing most companies' mobile-first strategies, while also providing fresh and attractive targets for cybercriminals. As an API provider, protecting your business assets against information scraping, malicious activity, and denial of service attacks is critical in maintaining a reputable brand and maximizing profits. Read Full Story