Our last APIsecU Live session of the year. I'm joined here today to talk about something super exciting, which is a brand new course that we are just dropping this afternoon, and it was written and taught by our special guest, Teresa. And I hope I don't ruin your last name. Is it Pereira? Pereira. Yeah, yeah, exactly. So yeah, everybody say hello. Tell us where you're from.
I can see everyone saying hello in the chat. Hi, Manuela. Let us know where you're coming in from. Feel free to, you know, to drop your LinkedIn in the chat as well.
If you guys want to connect with each other. Hi, I see people from Argentina, Kenya, Illinois. Wow. All over the world.
So yeah, we've got some exciting content today. Before we dive in to Teresa's, Teresa's new course, I wanted to just let everyone know, I'm sure most of you probably saw it on either our LinkedIn posts or on the email from Dan, but we have a very special giveaway at the end. You have to stay all the way until the end, but you don't have to do anything to get the prize. We're giving away one sort of big prize at the end of today's session, we'll pick just randomly from everyone who's on the session and in the chat. So definitely stay around till the end if you can. With that, let's jump in.
I'm gonna share a couple of slides here so that you guys can see and register for Teresa's course. One sec here.
Can everyone see these slides? Great. The course is titled Getting Started in API Pen Testing. It should be live now. You should be able to enroll now. And it's out on APIsec University.
The link is right here. Let me also pop a live link so that you guys can see it. Can you guys see the live link? There we go. All right, so you can register now. And we have a special promotion around Teresa's course, just to make sure that you guys don't just register, but we really want you to actually dive into the content. It's phenomenal.
I will say I'm almost finished with the course, although I will not be eligible for the prize, but I have one more part to go, one more quiz to take, and I'll get my certificate of completion. But the first 25 people who complete this course will either get a CASA voucher or an APIsecU merch gift certificate. If you happen to already have your CASA certificate, and you'd prefer to get some merch from our APIsecU store, we will hook you up with a gift certificate for that. So with that, welcome, Teresa.
Thank you for joining us today. Thank you so much, Christine. Thank you for having me. I'm really happy to be here. I'm so excited to talk to you about this. So we were, you know, I had to cap our pre-session talk.
'Cause I was like, oh my gosh, I'm asking her all the questions that I want everyone else to hear about. But let's start with one of the things that we were talking about, which is this course and the content of this course. And one thing that I think is really special about it, and that I'm excited about, is that we've got a lot of great content on APIsecU that's very kind of baseline, introductory content that will help you understand what APIs are.
You know, we've got our fundamentals course, our OWASP, if you want to learn about what the OWASP top 10 is. And then we have a super sophisticated hands on pen testing course. Obviously that Corey authored, that was our anchor course.
The first thing that we launched. It's phenomenal content, but especially for someone like me or someone getting started in this industry or getting started with pen testing, or even just getting started with API pen testing, that course can be a little bit intimidating. And so what I'm really excited about here is that I think we finally have this bridge, this incredible course that can help take that baseline introductory knowledge and really get you into actually testing APIs without maybe the time commitment or, you know, the higher level of sophistication that you would need to take that pen testing, Hacking APIs course.
So what... Help me understand, like, where did your journey start and what made you excited about writing this content, or where did you get the idea for it? Yeah, so it all started two years ago. At the time I was still working in consulting and we had this project that emerged at a client and they wanted an API pen test specifically. And at the time, the team was pretty small. We were like two or three people in the team. And yeah, I was the chosen one to perform the API pen test at that client.
At the time, I had experience in web application pen tests, but in API pen tests I had no experience at all. So I had two months to dive into this world, to learn everything about API pen tests. And yeah, that's how I found APIsec University two years ago.
APIsec University at the time was just a little baby, so it was pretty easy. And, newborn to the world, I also found Corey's book, which was pretty, pretty new to the world as well. And yeah, that's how it all started about the course. I worked in consulting for almost three years and I know how hard it is to manage time in those types of projects.
So I decided to create this course to help people not only get started in API security, API pen testing, but also from more of a consulting perspective, because you sometimes have short deadlines. You don't have a lot of time to think about what tools can I use, or a plan, where should I start, methodologies. That's why I decided to create this course, basically. Yeah, great. And we just had a question.
So this question is: what's the difference between the API pen testing course (so Corey's course, I'm assuming that's what they're asking about, the Hacking APIs course) and this new Getting Started in API Pen Testing course? I think this one is more introductory. So for example, you have a lot of people that might be interested in API pen testing, but they don't want to dive in too much. They only want to know the basics, or they are only lacking something, for example a methodology, or tools to test a specific thing in APIs. And I think that's the biggest difference between this course and Corey's course.
Yeah. And I would agree with that. I would echo that, right? I've spent time in both courses. I have not completed Corey's course. It's a little, it's a little advanced for me personally.
I'm not an API security professional. I work in an API security company, but I don't do pen testing myself. But what I would say from my experience, just personally, I think that this is a great way to level set on understanding how APIs are structured, what you should be looking for, what are those attack vectors, how do you test for them. Let's talk a little bit as we do that. And I think it's a bridge, right? As I look at it, I think that if you were someone who was going in to take Corey's course and it's too advanced for you. I consider that like a master's level course, right? It's a hands-on lab. If you liken this to a regular university or college experience, that would be your senior year, master's course, and I consider this would be more of your fundamental baseline education around how you start in pen testing.
So more of a 101 to 200 level course versus a 400 level course, yeah. And I think that maybe not everyone will need that, but a lot of people do. And we see that every day, even in the people that use our free scanner or come into APIsec University and they get a little lost and they're like, wow, where do I get started? I'm not quite there yet. So to me, that's the difference between the two. I think this is a great bridge between basic security fundamental knowledge and advanced level penetration testing.
This gives you all the tools that you would need to actually start pen testing APIs, and to understand what you're doing and understand the results that you're getting back. So let's talk a little bit about, cause one of the things that I really appreciated is how the course is structured. You know, I, there's different sections to it and I love, it has, for those of you, you'll see it when you register for the course. There's a, before you start testing, there's like basics before you start testing, while you're testing, when you're done testing, and then what, what do you do as the wrap up? And I really appreciated that because I think it helps not just understand how to test, but how to do it in a logical flow.
And really even run the course and do what you're telling me to do at the same time. I could be doing that right on the side. And you'll walk me through it. So talk to me a little bit about how you structured the course. And you know, let's dive in a second into that middle section, 'cause I love how you broke down
specific attack vectors or attack scenarios and how you would test for those. Yeah. So for the attack vectors, when you register for the course, you'll see, but we have authentication and authorization, excessive data exposure, mass assignment, and rate limiting.
And I decided to include these four attack vectors because I think they are the more common ones during penetration testing assessments for APIs. Okay. It doesn't mean that we'll find these four in every project, but you can find at least one of them.
Okay. Especially the rate limiting. But that's why I decided to include those four tests. And for the structure of the course, yeah, so we have the before testing, during testing and after testing.
I created that guideline, that path, based on the projects that I did during my consulting time. Okay. So the first part is, what questions should you ask the client or the owner of the API? And in here it's, what's the API architecture? Okay. Because nowadays you have a lot of GraphQL out there and it's not that easy to test as it is for a REST API.
And another type of question is what kind of testing will be okay, to define what you can and you cannot do during the project. So for the during part, during testing, what kind of tools you can use, right? Some tips as well. And these tips, they were created in order to save you some time, or in order to give you some guidance during the process, okay? Some of them are not too technical.
For example, the last one is, have the mindset of an attacker. And, It's like easier said than done. I know that, but that really makes the difference. If you think like an attacker, it's easier for you to find vulnerabilities in the APIs.
Okay. And for the last part, the report section, of course, this is really important. And in here you have all the chapters that I think are important to include in the pen testing report, not only for APIs, but in this case for APIs.
Okay. So veering away from the course for just a second, when you're top six in TryHackMe, you probably do more than just your corporate pen testing, right? It sounds like you do a lot of pen testing just on the side too. One of the things that you share in the course are resources and tips and tricks.
What are some of the things that you bumped into that you still think are big hurdles? What are some of your go-tos that you pull up time and time again, in terms of resources or other people's tutorials? What are some of the tips we could share with people? Yeah. So at the last section, you have like additional resources, and basically the more important resources are, like, a top 10 or 9. I don't know how many resources I have in there, but, for example, you can find Dana Epp's newsletter in there.
It's released every Tuesday, so I think that's a great start. It can be too technical if you are really a newbie in API pen testing, but it's a great resource anyway. For tutorials you have InsiderPhD, Dr. Katie, she has some videos on YouTube but more for, let's say, a basic level. You have confidence stably.
I think I can say her name. So she has API kitchen. I think that's the name. Yeah.
And she covers more like basic concepts, how things work. Sorry. Yeah, no problem.
I included that one because I know that probably a lot of people don't work in, or might not have, a default template for the projects. And I decided to include this one to help you like have some chapters that you can use in real life, or you can adapt, or maybe something that you are missing in the report and it's probably important for the client. So yeah. Oh, and then he's here. Hi, Dan. Yeah.
Dan's here by the way, everyone, but Dan's he's in a place where he can't be on camera today. So I got the pleasure of talking to Teresa. But Dan sends his love.
You can message him. And he'll respond over there. It does sound like there are a couple, I think, I'll say me a couple on that. I think there are a couple issues with the quizzes.
I probably missed a setting where I needed to click a button that says you can, that it requires more than one correct answer. So if you're in there already, which is great. I'm seeing a bunch of people that are like, this quiz question has a problem.
That's awesome. That means people are already in the course and they're already looking around. But don't just jump straight to the quizzes, people.
You have to actually watch the content as well. Yeah. No so we will get those fixed as quickly as we can, I promise. I obviously can't do it while we're live on this call right now, but as soon as this session's over, I'll go in and I'll fix the quizzes.
So they should be fixed within a couple of minutes of us wrapping today's session. So I think one of the things that Corey mentioned in building his course was that the reason that the Hacking APIs book existed and the reason that it became a course was just highlighting a lot of what you've said. Back then, I guess that was probably three years ago now, three and a half years ago, he started to be asked, or they, Moss Adams, started to be asked to pen test APIs, which they hadn't done before, right? They had applications that they were testing and he was the one who raised his hand or else got tapped to say, you're the one that's going to figure out how to test APIs. There weren't a lot of resources, right? So that's where his book and his course grew out of. And I think,
when I look at your course, it's, as I said, for anyone who wasn't here at the top of the hour, a great introduction to Corey's course. This is a great place. I still think that there was a gap, before this course and this content, in how you get started at really that one level, pen testing APIs. Even with Corey's course, his is great, but it does require a certain amount of technical knowledge to be able to follow, and/or time, right? It's definitely one of the biggest comments that I get from people, just that they don't have the time to commit to it.
I think you probably as a security professional and anyone who's on this session, who's also a security professional can attest that they are, very overworked and understaffed. And having the time to commit to a, even a 12 hour, course like Corey's is, it's a lot, it's a big undertaking. Not that people don't do it. Thousands and thousands have done it, but this is a great way to, if you have something, a project that's in front of you and you need to get started quickly, this, I think, is the perfect place to help you do that. Yeah.
Which made me think of, so in your course, was I just lost my train of thought, in your course, in that kind of getting started and part one section, I think that there was a lot of good information just around what the attack vectors are, what to look for. Talk to us a little bit about patterns that you're seeing as you test things. Are there things that you would say, listen, if you are being contracted to test something and you're time bound or resource constrained, what are the areas that you should absolutely focus on first? If you don't have time to really comprehensively test an API, like if it's just not allowed by the resources, right? Yeah, I think, and I think I say this in the course, so the first thing before I start testing
is I highly recommend you to use the API as it is designed so that you can get familiar with the flow. And this way, if you have time constraints, if you have a tight deadline, you can choose what are the more juicy things to test for. For example, I had this one project where the client gave us the OpenAPI specification. And I think that 90 percent of the API endpoints were GETs.
So in there, what I started was I did all the flow. So I started by signing up and did all the rest. And then I chose. And yeah, it depends on the GET, sometimes they are juicy, sometimes they are not. But I think that's like a more subjective thing. It really depends on the API, on the project. There are a few OWASP API Top 10 vulnerabilities that always exist, such as security misconfigurations, like a header is missing, or rate limiting.
Okay. Companies, they really struggle to define like how many requests you can do in a specific timeframe. And yeah, that's one of the struggles. Another thing that I see a lot is using incremental IDs.
Okay. And yeah, in the past, the client was like, yeah, but that's not a vulnerability. It depends if you combine it with something else. Yeah. It might become a vulnerability.
Yeah. And that's another thing that I mentioned in the course. Sometimes you have one thing that you think is not important at all, but if you join that thing with another thing, it can become something bigger, something dangerous, something that you can use and exploit and cause a lot of damage.
Yeah, I think you bring up a great point, right? It's not necessarily just knowing how to test, but it's also understanding how to interpret test results so that you can communicate properly in the report, right? Why was this flagged? No, it's not a false negative, or it's not an incorrect finding, and here's why. And I think we just had a question about that, about the pen test.
So the question was, I think he's just asking, does the course contain report creation best practices? How do you debrief on those reports, right? Yeah, it includes that. So it has like the chapters that I recommend having in a report. And then for each one of those chapters I kind of give you best practices, or how you can, for example, offer positive insights, right? That's not like a chapter, but it's something that I really believe should be included in the report because not everything is bad in the API, right? You have good things as well, and it's worth mentioning that.
So it's not really best practices like a top 10, but you can find a few tips in there that you can use. And one of the things that I thought was really valuable about that portion of the course was just the notion of how you structure a report in a way that it's going to be useful to the people that need it to be useful to them, right? You can produce a report just to say it's a report and it's a stamp and somebody says, yep, this has been tested and here's the report. That's not the real value of what you're doing. So I think that your coaching on how to structure and create a report in a way that somebody can actually take that information in and then act on it and do what they need to do, you know, to improve the security of their API, was super insightful and helpful.
And I think it's something that's missed a lot of times. Right. Yeah. And people are auto-generating reports or generating reports. There's a lot of time that goes into what you're doing anyway, and I think that creating the report and making sure that it's comprehensive and usable is a really important part that oftentimes falls by the wayside, because most of the time is dedicated to the testing versus how to communicate the findings, right? Yeah, I think you need to adapt the report to your audience, so probably a lot of reports will not be delivered to the pen testing team in that company, right? Sometimes these reports go to the board, or to the CISO, or to the audit section of the company, and it's important to keep it simple. To use non-technical language.
Because they need to understand what is in there. They are the ones that will do the bridge of what is written in there to the teams inside the company so that they can fix the vulnerabilities. Yeah.
Yep. That makes sense. So I want to talk a little bit about, because we, yes, for everyone who's asking in the chat, we are going to get to a demo in just a minute of the free scanner. And this is a great lead into that, because one of the tools that Teresa talks about in her course, actually, let me take this question first, and then we can talk about the free scanner and the tools. So the question from Wolfram is, do you have any tips for building up trust with your clients so that your insights will have effects? Like we'll say the clients will actually fix the issues that you found and accept that those really are issues, instead of just, again, like I think the tendency with a lot of clients is just to brush things aside, as you said, for like incremental IDs, and say, that's not a vulnerability.
It's fine. So what are the things that, tips that you would share that says, here's how we get clients on board and convince them these are things worth responding to or reacting. Yeah.
I struggled a lot with that in the past. So I had a lot of clients saying it's not a vulnerability or it's not that important. And it really depends on the vulnerability. So for example, if it's something that is more internal, that is not directly external-facing to the Internet, something that you found because of another vulnerability. And I think that one thing that you can do is schedule a meeting with them.
Okay, show them the vulnerability, how you exploit it and how simple it is to exploit the vulnerability, because sometimes they see the print screens or they read the description and sometimes they don't understand or they don't have the full technical knowledge to understand or to know how easy it is to exploit that, or sometimes they have other work to do, and they just don't want to fix that right away. Yeah, first, I would highly recommend scheduling a meeting with the team, with the person. If they don't accept it, you can escalate, okay? You can try to book a meeting with the manager. Or you can try to find a way, like we were talking before. You can try to find a way to join that vulnerability with another one and show them how dangerous it can become
if it's joined with another thing. Okay. And yeah, I think that's, it's not easy.
It's not an easy thing to deal with. But those are the things that I would recommend you to do. Yeah. And we have one more question and then I think we will shift gears and then we'll answer some more questions at the end, and anyone who's got questions for Teresa, I will drop her LinkedIn profile link in here in just a minute and you guys can connect with Teresa directly, or you can always hit Dan and I up and we'll get you to Teresa as well, if you've got questions that we don't get to today. But this question is from Shane and he says, do you run into scenarios where teams are caught off guard and/or unaware that they're even using APIs, right? Which I think probably does happen.
And when that happens, or if that happens, how do you handle that type of scenario? Or do you have any kind of tips or best practices for what if they're just unaware or unwilling to look at APIs? Well, that case specifically. Because I had two types of projects when I worked in consulting. So I had the API pen tests and then I had normal pen tests, web application pen tests, and actually the biggest vulnerability that I ever found that included an API, it was not in an API pen test. Okay. It was a web pen test.
And they knew they had APIs. Okay. I never encountered that scenario before. Actually, I think one of the things that companies have more and more is API awareness, okay.
API security awareness. So they are more shaped to develop not only secured software, but also secured APIs. So yeah, I never encountered that scenario in particular in the past, but if I do in the future, one thing that I would recommend is security awareness, first thing.
Okay. Probably they are lacking that part and that's really important. And that really is related to API inventory. Okay. API discovery, API inventory, all the governance stuff before going into testing. And yeah, I think a lot of companies, they
consider they are pretty mature, but when it comes to the assets that they have, I know it's not easy for a big company to know all the assets that they have, but you can, like on a daily basis or a monthly basis or a weekly basis, it really depends on your workload, but you can do some API discovery or update your API inventory in this case, or software inventory in general, okay? Not only for APIs, but everything that you own. And another thing that's very important, who owns each one of the APIs or each one of the applications. That's another thing. And I think all of that together is a mitigation or a fix for that scenario to happen in the future. That makes sense. And I think back to your example of the client, where like the biggest issue you found was in their web app, and that using the API is a way to help illustrate to people why they need to be, right? These are all the things that sit behind your web app.
And if you're not also testing these things, you're not really testing, you know, at least not to the level that you think you are. Yeah. So I'm going to drop a quick slide here. So one of the things: there's actually a full demo that Teresa goes into of how she uses our free testing tool.
If any of you aren't familiar with it, I know a lot of the people on this call probably are. And thank you. If you have already tested it and given us feedback, we really appreciate it.
And it's helping us to rapidly iterate and improve on this product. Teresa, do you want to just talk about how you are leveraging this free scanner? And I'm also inviting Raj, who is our VP of engineering and AI, and Raj and his team are the brains behind our free scanner.
And they're the ones that are rapidly iterating and taking your feedback. Raj will run us through in a minute some of how to get the most out of the tool and what's new and what's coming. But in the meantime, Teresa, do you want to talk a little bit about how you use it and what you're finding with the tool? Yes. So, in the course you have a quick tour of the scanner itself. At the time when I started, I only used Burp Suite and Postman, right? At the time there were no scanners.
And one of the things that I also mentioned in the course is you should always combine automated tools and manual validation, okay? In order to manage your efforts and the time that you have for the project. And this scanner, it's really great. And you can see on the screen, so on the right side you have a guide that you can follow. Once you sign up for the scan, you can also test unauthenticated or authenticated.
You can configure parameters for the endpoints, you can test for BOLA, for role-based access control. Okay. So I think it's really comprehensive. And another section that I think is really important is the reports part, right? And you have a mitigations section in there. So that's a must have in every report.
And yeah, for the sources, as you can see on the screen as well, you have different sources, so you can use Postman, OpenAPI specification, MuleSoft, et cetera. So it's very comprehensive and I think it's really easy to use even if you're not an expert. Okay. Awesome. Thank you for sharing all of that.
And like I said, Teresa's got a great demo, just to kind of introduce you to how you would use this in the context of how to get started in testing APIs. And Raj, if you're out there listening, do you want to come on? Oh, there's Raj. Hey Raj. So as I said, thank you so much to everyone in the community and all the people that are on.
I know, I recognize tons of names, so I know a lot of you are the people that have been in there, as with you, Teresa, testing out our testing capabilities and providing great feedback on what we can do to improve. And so Raj, do you want to share a little bit, you know, about your perspective on how people can get the most out of the tool, and then what's coming, what are some of the new improvements that we're just getting ready to drop? Yeah, sounds good. Thanks for having me here, everyone. And hello to everybody.
I keep reading most of the feedback that keeps coming in from, I think, a lot of people here who have been using our product. So first of all, a tremendous amount of thanks from me and my team because we do read those very carefully and it gives us a lot of insights as to how we should improve the product and what really matters, and prioritize and do all those good things. I just want to thank Teresa for doing that, using the product to do her thing on the consulting work that she's doing.
And also the whole feedback that she's been sharing with us, which is great. Now in terms of where they come from, I think they come a long way in terms of building the product. It's been a few months now since we started building this.
And I think the whole concept around this is like, I was seeking to demystify the complexity that kind of revolves around testing APIs and their applications for security, right? Which is why I think some of the fundamental principles of what we are trying to put in the product are like, how do we make it super simple? And how do we actually make it more guided, so people are not like figuring out what to do next. And the other tenet that we use in the product, as you all see, is we are constantly improving the attack vectors that are evolving in the whole landscape, and there's a separate team of mine who's focusing just on that and including that into the product on a daily, weekly basis. And since we are all about teaching people, we also take that philosophy a little bit
and use that in the product. So our intention is not to just give you some data, but it's really about how we present information that's going to be useful, for a usable tool. So you can find a lot of verbosity and a lot of summarizations that are there in the product in terms of, you find a vulnerability, what does it really mean? How did we find it? What are the requests that we gave and what are the responses we got? And what's our assertion around it? All those, we try to exemplify and make deliberately readable and human readable and simplified so that people can understand what to do, in a very practical way. Rather than keeping it pretty buzzwordy, right? So those are some of the principles that we have put in the product.
Now in terms of where we want to go next, I think a lot of the feedback is around how do I delete applications that I already onboarded, right? That's a very common ask. That's coming very soon, that's not very far, probably in January mid to end, we will have that launched. Now before we do that, there are a lot of other interesting things that are also coming up this month. Like GraphQL is something that we plan to launch next week. Then we're also planning to launch BOLA tests, a much deeper iteration of BOLA tests, very soon, by the end of this month. We plan to launch Kong integrations, a few more sources from where we can get specs to test.
And then the next big things we're looking into in the next quarters and coming months and weeks is getting deeper into going beyond server config tests, going beyond how APIs are configured and getting into the business logic side of the world, right? Like BOLA is probably a start, but then there are a lot of other places where the attacks really happen. And my team is really going through and analyzing those very deeply and trying to invent categories and vectors that can help prevent those kinds of attacks in real world scenarios. Makes sense. So when you look at, we had a question and I'm not sure which one of you wants to tackle this, but it was a question about specific vulnerabilities in GraphQL and how to find them.
If I can get back up to the question. Uh, sorry. Oh, here it is. "How feasible..." There we go. We'll put it up.
How feasible is it to find broken object property level authorization in regards to GraphQL? Do you want to take it, or should I? I never tested GraphQL before, so maybe, yeah, you can go. All right. So this is something we are actually investigating, how to do that. It all depends on how the structure is laid out for your GraphQL overall, right? So this is something that is feasible, but it depends on the specific case that you are trying to attack and how the SDL files are orchestrated and how they are laid out.
So this is probably done better once we launch the GraphQL capabilities in the coming weeks, mostly next week we'll be out. And then we can probably have a separate side conversation to demonstrate the details of it, because it can be a big topic of its own. Yeah, let me just, I've got one more question here. How do you, this is probably for you, Teresa, how do you prioritize API vulnerabilities that are discovered? Okay, so this is probably back to the report. How do you prioritize vulnerabilities that you discover during testing? In terms of reporting, or in terms of... I think probably reporting, just like, how do you, when you're communicating out and you find vulnerabilities, how do you prioritize those? And Raj, you can pipe in after her as well and just talk about how we prioritize them in the tool.
But I think both are interesting perspectives. Yeah. So I typically use the CVSS score. Okay. You have a calculator online that you can use in order to find the correct score for the vulnerability. You can also use CWE, but I highly recommend the CVSS.
Yes, the 4.0. I think it's the latest version available. That's right.
Yes. And yeah, I was gonna say the exact same thing. We automatically use the CVSS 4 standard to determine and kind of score and rank the criticality of the vulnerabilities. And it's on a scale of one to 10; nine and above is critical, and we do show that very clearly in the product and highlight those ones.
Now down the line we are also looking at how we support different CVSS versions as a scoring model, to give the flexibility, because there are some customers who do want a different type of CVSS scoring pattern for their needs. So that flexibility will come down the line. But as of now, we are on CVSS 4.
So I put up a link here for any of you who have not already gotten the free APIsec tool. You can go to this link and get a download of it. And I wanted to just throw this out there. I know we're running short on time, so I'm going to wrap it in a second.
But for any of you who are listening that are in the free tool, and you want to better understand how to use it or what you're seeing in there, or you don't have something to test but you really want to play with it anyway, you can always feel free to hit Dan or myself up. We love jumping into sessions and helping people learn the tool. There's tons of free content that's out there already.
And Dan's furiously making lots and lots of how-to videos and tutorials that cover each of the different sections of the product. But beyond that, if you want a really deep dive and just want to play around with it and understand how to get the most out of it, definitely hit us up. We'll do a private session with you, and we'll talk through how different people are using it, how you might best use it based on whatever your use cases are, and, if necessary, Raj and our CS team are amazing. They're great.
Both teams are amazing. When we hit stuff where we're like, wait, I don't know how this works, or we've got something that's a brand new use case that we haven't seen before, how would we best do this? They will always jump in as well. So definitely don't hesitate to reach out to us if you've got questions. I'm going to shift into wrap up mode. Thank you, Raj.
I think I heard all the exciting stuff that's coming. Was there anything else that you want to share about what to watch for in the next couple of weeks? I think GraphQL is the main thing, right? We've got to launch it out, and then we will make the BOLA test a bit more rigorous in terms of how it's doing. So do play around with that. And a bunch of other usability improvements that we are working on, just in the UI side of the world. There are a lot of UI related items that will just improve over the coming weeks, and you will start seeing it more, probably on a daily basis.
Great. And we will have another session. We'll do a deep dive session, probably either late January or early February. We're talking about having, you know, maybe even an APISEC minicon around penetration testing, maybe like an intro level track and then an advanced track. But even if we don't do that, we'll definitely get back on with either Raj or Mohsen and Jose, people from the product team, to really deep dive into all these great new features, and GraphQL in particular.
And we'll talk about how to use them. We'll introduce them to you guys formally and let you ask questions. In the meantime, watch for them, because I think one of the most exciting things that I've seen with this tool is just how rapidly Raj and his team are iterating. And a lot of that is thanks to you, the community, for providing your feedback and helping guide where we take things next and how we prioritize what features we're going to launch based on real need in the market.
So thank you all for that. Thanks Raj for joining us today. I've got more announcements that I want to share before everybody drops off.
Again, if you didn't have a chance, I'm going to pop it up one more time. If you didn't have a chance to sign up for the course, let me see if I can do it. Sure. If you didn't get a chance to sign up for the course already, go out and sign up for it now. It looks like tons of you did, which is awesome, but that course is out there and available. I know Dan's working in the background to fix the quizzes.
We'll make sure that everything's in good working order in the next couple of minutes. And then beyond the course, again, the 25 first finishers.
I think a couple of you said that you already finished the course. I do know a few people saw it. We published it last night.
So a few people were already in there. They must've been watching our website and caught it early and had already signed up and were in it. But yeah, for the first 25 finishers, we'll reach out to you after you finish and just ask whether you want the CASA voucher or the merch gift certificate. So there's that. This is something super exciting, and we're going to announce it in a January webinar, but we are announcing the first ever API security person of the year.
It's a new award, our ASPI award. And so we've opened nominations for this. Those nominations will stay open until December 30th. And then at the beginning of next year, we'll announce the winner. So you can go to this link. I'll try and put this link in the chat as well.
Dan already put it in the chat. He beat me to it. Thanks, Dan. So you can go nominate your peers, or it could just be people like Teresa that you follow, that maybe you don't work with, but that you definitely think are deserving of this award.
And we'll have two awards that we give: one that will be selected by the university board, so we actually have API security professionals that help guide the content and the community and what we do here, and the other will be selected and voted on by you, the APIsecU community. So we'll announce this publicly on our LinkedIn later today. You're the first ones hearing about it, but we're super excited about this. And I think it's well deserved recognition for a lot of people who are contributing a tremendous amount to the API security community and the cyber security community at large, but specifically in API security. So super excited about that. Definitely get those nominations in.
And then this is our big giveaway for today. So for everyone who's on here, we will randomly pick one of you to get a custom APIsecU backpack. And I will reach out to you specifically, and you can work with me to customize this the way that you want. This is, yes, someone can give a seven minute rambling speech when they get the ASPI Award, for sure. We'll just cut them off with music like they do at the Oscars.
Alright, so, Dan's gonna randomly select one of you to win this APIsecU backpack. It doesn't have to be customized the way I customized it; I did this myself. But I'll reach out to you and I'll work with you to make it exactly what you want. If you want your name on it, you can have your name on it. If you want the APIsecU badge instead of the name, you can put that. You can even customize these in different colors if you want to.
This was just how I would pick it if I were getting the bag. But it is one of a kind. Dan just said it's definitely one of a kind. You guys get to pick exactly what you want. So we will send out follow up emails, probably by the end of the day, maybe early tomorrow, with a link to today's session and links to all the stuff that we announced and talked about today. And in that we'll announce who won the backpack, and we'll reach out to them separately.
Thank you all so much for joining us. Have an amazing end of the year, everyone. Enjoy your holiday season. Hopefully everyone gets some rest and relaxation. And thank you, Teresa, for this incredible course and for joining us today. It was such a pleasure talking to you.
Thank you so much, Christine. And thank you also, Dan, and thanks a lot, guys. Thank you, everyone. Yeah. Thank you, everyone.
Great holiday. Bye. Bye.
2025-01-07 21:57