Zero Trust APIs with Python — Jose Haro Peralta

Python Testing Security

Learn essential API security strategies using Python, from preventing BOLA attacks to implementing zero trust principles, data validation, and proper authorization controls.

Key takeaways

BOLA (Broken Object Level Authorization) is one of the most common API vulnerabilities, allowing unauthorized access to other users’ data
~80% of API attacks come from authenticated users, making proper authorization critical
Key API security principles:
- Don’t trust any request regardless of source
- Validate and sanitize all input/output data
- Use strict data models and explicit access controls
- Implement proper pagination limits
- Parameterize database queries to prevent SQL injection
Common API vulnerabilities:
- Mass assignment attacks
- SQL injection
- Pagination attacks exposing too much data
- Schema enumeration revealing internal properties
- Insufficient input validation
Protection strategies:
- Use tools like Pydantic for data validation
- Implement proper model constraints and enumerations
- Test APIs at both design time and runtime
- Use parameterized queries for database operations
- Limit maximum page sizes and implement proper pagination
Modern APIs face extensive attack surfaces:
- Microservices interactions
- Third-party integrations
- Database operations
- User input/output flows
- Authentication/authorization
Testing tools recommended:
- Schema Thesis for runtime testing
- Spectral for design-time testing
- API Threads for vulnerability discovery

Zero Trust APIs with Python — Jose Haro Peralta

More talks