On January 15, 2025, the OWASP London chapter hosted an engaging in-person meetup featuring two prominent cybersecurity experts, Dr. Katie Paxton-Fear and Tanya Janca. Held at the Just Eat headquarters, the event delved into cutting-edge topics like API security and application security (AppSec), offering valuable insights for both beginners and professionals in the field. OWASP (Open Web Application Security Project) events are known for fostering collaboration and education in the cybersecurity community, and this event did not disappoint.
Dr. Katie Paxton-Fear: Demystifying API Hacking
Dr. Katie Paxton-Fear, a cybersecurity content creator, lecturer, and principal security researcher at Traceable, shared her expertise on API hacking. With her approachable style and passion for teaching, Katie simplified the often intimidating world of hacking APIs, making it accessible even for newcomers. Her talk, titled “Go Hack Yourself: API Hacking for Beginners”, emphasized the importance of APIs in modern software and their potential vulnerabilities.
Katie described APIs as “the waiters of the web,” a metaphor that resonated with the audience. She explained how APIs act as intermediaries, facilitating communication between applications. She encouraged aspiring hackers to focus on understanding JSON (JavaScript Object Notation), the foundational data format for most APIs, and explore various API types such as RESTful, GraphQL, SOAP, and gRPC. Katie particularly highlighted RESTful APIs as the most common and fundamental starting point for API hacking due to their widespread adoption.
One of the standout moments was her anecdote about hacking a flight booking API. Using the browser’s developer console, she identified the API request responsible for seat selection. By tweaking the request, she managed to bypass broken application logic and book the seat she wanted. This real-life example showcased how seemingly minor issues in API implementation can expose vulnerabilities.
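The talk did not say exactly which check the flight-booking API got wrong, so the following is an added illustration (not code from the talk or from any airline) of the general pattern a defender should look for: a seat-selection handler that trusts fields the client controls, beside a hardened version that derives price and entitlement on the server. Seat names, fees and the `Booking` structure are constructed for the example.

```python
# Added illustration of the broken-logic pattern in the seat-booking anecdote.
# Hypothetical design: the vulnerable handler trusts a client-supplied "fee".
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed server-side seat catalogue: seat -> fee in pence (hypothetical)
SEAT_FEES = {"12A": 0, "12B": 0, "1A": 4500, "1B": 4500}  # 1A/1B are premium
FREE_SEATS = {"12A", "12B"}


@dataclass
class Booking:
    fare_class: str            # "economy" or "premium"
    seat: Optional[str] = None
    charged: int = 0           # pence actually billed for the seat


def select_seat_vulnerable(booking: Booking, request: dict) -> Tuple[bool, str]:
    """Trusts the client's own statement of the fee. A request body edited in
    the browser console to {"seat": "1A", "fee": 0} books a premium seat for
    nothing, because the server never re-derives price or entitlement."""
    seat = request.get("seat")
    if seat not in SEAT_FEES:
        return False, "unknown seat"
    booking.seat = seat
    booking.charged = request.get("fee", 0)   # client-controlled value
    return True, "seat booked"


def select_seat_hardened(booking: Booking, request: dict) -> Tuple[bool, str]:
    """Ignores any client-supplied fee: looks the price up server-side and
    rejects seats the booking's fare class is not entitled to."""
    seat = request.get("seat")
    if seat not in SEAT_FEES:
        return False, "unknown seat"
    if booking.fare_class != "premium" and seat not in FREE_SEATS:
        # In a real system this would route to the paid-upgrade flow instead.
        return False, "seat requires a paid upgrade"
    booking.seat = seat
    booking.charged = SEAT_FEES[seat]          # server-derived, never from client
    return True, "seat booked"
```

The same principle applies to any field that affects money or access (price, quantity, role, owner): treat it as a lookup key, not as a value to honour.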

Katie emphasized that API security can become overwhelming as APIs grow in complexity. As organizations expand their API ecosystems, they often overlook securing every endpoint, creating opportunities for attackers. She shared practical advice for beginners, such as:
• Exploring public APIs: Many developer APIs are freely available and ideal for practice.
• Using simple tools: Katie relies on Burp Suite’s free community edition and manual exploration, like “clicking all the buttons,” to discover APIs.
• Focusing on common vulnerabilities: Broken access control and authentication flaws are frequent API security issues.
Katie also introduced the audience to OWASP’s API Security Top 10, which highlights the most critical API vulnerabilities. She recommended using resources like the Kiterunner wordlist for testing but stressed that reconnaissance often requires creativity and persistence more than complex tools.
Despite some technical issues with a concluding quiz, Katie captivated the audience with her approachable and engaging style. Her advice demystified the process of API hacking and encouraged attendees to start exploring APIs with confidence.
Tanya Janca: Elevating AppSec Programs
Tanya Janca, an experienced AppSec specialist, author, and founder of We Hack Purple, shifted the conversation to application security program maturity. Drawing on her extensive experience advising over 400 companies, Tanya explored why traditional AppSec models like OWASP SAMM, BSIMM, and NIST often fail and how organizations can do better.
One of Tanya’s key points was the disconnect between company investments and actual implementation. She shared an example of a company that spent $160,000 on a solution but only utilized 9% of its capabilities. This highlighted the importance of aligning AppSec tools with organizational needs and ensuring they are practical for developers to use.
Tanya emphasized that security programs should be tailored to the organization, rather than blindly adopting standard models. She advocated for fostering collaboration between security teams and developers, ensuring that security becomes an integral part of the development lifecycle. Her pragmatic approach focused on:
• Identifying gaps in existing security programs.
• Communicating effectively with developers to understand their challenges.
• Adopting cost-effective, efficient tools that teams will actually use.
Tanya also addressed the misconception that “no one cares about security.” While individuals might overlook security in personal contexts, organizations handling sensitive data must prioritize it. She reminded the audience that even small AppSec improvements can significantly reduce risk.
Despite technical difficulties during her presentation, Tanya demonstrated her expertise with ease, leveraging visual cues to deliver a memorable talk. Her ability to adapt and engage the audience underscored her professionalism and passion for improving AppSec programs.
Key Takeaways from the OWASP London Meetup
The OWASP London meetup offered attendees a wealth of insights and practical advice. Some key takeaways included:
1. API Security is a High-Stakes Frontier: Katie emphasized that APIs form the backbone of modern software, making them a prime target for attackers. Understanding JSON, exploring public APIs, and focusing on RESTful APIs are essential steps for anyone interested in API security.
2. Simple Tools Can Be Powerful: Both speakers advocated for using accessible tools and techniques. Katie’s reliance on free tools like Burp Suite and Tanya’s emphasis on practical solutions demonstrated that impactful security work doesn’t always require expensive software.
3. AppSec Needs Continuous Improvement: Tanya reminded the audience that security programs must evolve with company needs. Engaging with developers and tailoring solutions to their workflows can greatly enhance security effectiveness.
4. Real-World Examples Resonate: Both Katie and Tanya used relatable stories and practical advice to make complex topics approachable. Their ability to connect with the audience ensured that attendees left with actionable insights.
