BSides Vancouver 2026

APIs are now the primary attack surface of modern applications. They expose sensitive data, control business logic, and connect services, partners, and users. When APIs fail, attackers gain direct access to the core of your system.

The OWASP API Security Top Ten identifies the most critical risks facing modern APIs. However, most developers are never taught how to actually fix these vulnerabilities in real code.

This hands-on workshop is taught by an OWASP Top Ten 2025 project leader and author, bringing direct insight into modern vulnerability patterns, secure coding practices, and how these risks manifest across applications and APIs.

Participants will work through all ten OWASP API Security Top Ten vulnerability categories using a structured, practical progression. For each category, attendees will learn what the vulnerability is, why it exists in APIs, and the real-world risk it creates. They will review vulnerable API implementations, fix them themselves, and examine progressively stronger implementations using the Bad / Better / Best method.

This method helps participants develop real-world secure coding judgment by showing how insecure APIs evolve into robust, production-grade secure implementations through layered mitigations and defense-in-depth.

Attendees will work hands-on in VS Code with vulnerable API code, identifying security flaws, implementing mitigations, and hardening endpoints against attack.

Participants will leave with practical experience securing APIs, a deep understanding of the OWASP API Security Top Ten, a best practices cheat sheet, and the skills to build and review secure APIs in modern distributed systems, including those built or assisted by AI.