Session

PRO WORKSHOP: Your APIs May Be Leaking Data, Learn How to Stop It

APIs are the visible backbone of any application: they are where all the data and requests get processed. As a result, the API layer exposes a very large attack surface, as the recent incidents at Google+, Facebook and many others show. Attackers now target API-specific vulnerabilities, and most companies do not even know that their APIs are leaking data. While coding flaws such as SQL injection and cross-site scripting (XSS) are the most widely known vulnerabilities, the vast majority of API attacks exploit access control and business logic flaws, which SAST and DAST vulnerability scanners cannot detect because they depend on who the caller is and what the call means rather than on how the code is written. In this session you will learn best practices to identify, track and fix role-based and attribute-based access control (RBAC and ABAC) vulnerabilities that let users accumulate excess permissions and reach API endpoints and resources they should not be able to access. You will also learn about business logic flaws that let attackers manipulate otherwise legitimate API calls to steal data and interfere with business functions. Such vulnerabilities were behind the majority of the major API incidents (including Google+, Facebook, Citi and T-Mobile) and can expose companies to very high fines under GDPR and other regulations.
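The flaw classes the abstract names, shown as an added example that is not code from the workshop or from PerfAI.ai. It is a minimal in-memory authorization layer: a role check alone (RBAC) lets any customer read any account by guessing its id, a second attribute check binding the caller to the object (ABAC) closes that; a transfer endpoint that trusts the request's amount and source is the business logic flaw, beside its hardened form; and a small audit reports permissions a user holds beyond what their role defines. All roles, users, accounts and permission names are constructed for the example.

```python
# Added example, not code from the workshop or PerfAI.ai. Roles, users,
# accounts and permission strings below are all constructed.
from dataclasses import dataclass, field

# RBAC: what each constructed role may do.
ROLE_PERMISSIONS = {
    "customer": {"account:read", "transfer:create"},
    "support": {"account:read"},
    "admin": {"account:read", "account:write", "account:delete"},
}


@dataclass
class User:
    id: str
    role: str
    tenant: str
    # Granted directly to the user, outside the role: where excess
    # permissions accumulate over time.
    direct_permissions: set = field(default_factory=set)


@dataclass
class Account:
    id: str
    owner_id: str
    tenant: str
    balance: int


class Forbidden(Exception):
    """Raised when an authorization check fails."""


def sample_accounts() -> dict:
    """Constructed sample data: three accounts across two tenants."""
    return {
        "acct-1": Account("acct-1", "u-alice", "tenant-a", 100),
        "acct-2": Account("acct-2", "u-bob", "tenant-b", 250),
        "acct-3": Account("acct-3", "u-carol", "tenant-a", 75),
    }


def effective_permissions(user: User) -> set:
    return ROLE_PERMISSIONS[user.role] | user.direct_permissions


def excess_permissions(user: User) -> set:
    """Permissions held beyond the role's definition: privilege creep to review."""
    return user.direct_permissions - ROLE_PERMISSIONS[user.role]


def get_account_vulnerable(user: User, accounts: dict, account_id: str) -> Account:
    """Role check only. Anyone with account:read can fetch ANY account by id."""
    if "account:read" not in effective_permissions(user):
        raise Forbidden("missing account:read")
    return accounts[account_id]


def get_account_hardened(user: User, accounts: dict, account_id: str) -> Account:
    """RBAC check for the action, then ABAC check tying caller to the object:
    same tenant always, and ownership unless the caller is staff."""
    if "account:read" not in effective_permissions(user):
        raise Forbidden("missing account:read")
    acct = accounts.get(account_id)
    # Same denial for missing and foreign accounts so responses never
    # confirm which ids exist.
    if acct is None or acct.tenant != user.tenant:
        raise Forbidden("not found")
    if user.role == "customer" and acct.owner_id != user.id:
        raise Forbidden("not found")
    return acct


def transfer_vulnerable(user: User, accounts: dict, src_id: str, dst_id: str, amount: int):
    """Business logic flaw: no ownership check on the source, and a negative
    amount pulls money from the victim into the caller's account."""
    src, dst = accounts[src_id], accounts[dst_id]
    src.balance -= amount
    dst.balance += amount
    return src.balance, dst.balance


def transfer_hardened(user: User, accounts: dict, src_id: str, dst_id: str, amount: int):
    if "transfer:create" not in effective_permissions(user):
        raise Forbidden("missing transfer:create")
    src = get_account_hardened(user, accounts, src_id)  # caller must own src
    dst = accounts.get(dst_id)
    if dst is None:
        raise Forbidden("not found")
    # Validate the business rule, not just the type: positive and affordable.
    if not isinstance(amount, int) or amount <= 0 or amount > src.balance:
        raise ValueError("invalid amount")
    src.balance -= amount
    dst.balance += amount
    return src.balance, dst.balance


def rejected(fn, *args):
    """Name of the exception a call raises, or None if it succeeds."""
    try:
        fn(*args)
    except (Forbidden, ValueError, KeyError) as exc:
        return type(exc).__name__
    return None
```

The hardened handler still consults the role table, so RBAC is not replaced; the ownership and tenant attributes are an additional gate evaluated per object, which is the check scanners cannot infer from the code alone. Run `excess_permissions` over every user on a schedule and treat any non-empty result as a finding.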

Intesar Shannan Mohammed

Founder @ PerfAI.ai

San Francisco, California, United States

