API Threat Modeling Cheat Sheet

Track: Threat Model
When: Tue PM-1
Where: Kings
Organizers: Steven Wierckx
Participants: Chris Allen, Adam Shostack, Andrew Johnstone, Aurelijus Stanislovaitis, Fabien Thalgott, Imran Chaudhari, Luis Saiz, Ruben Tronçon, Stuart Winter-Tear, Tash Norris
Remote Participants: Ethan Schorer, Joset Zamora, Lubo Vikev, Salma jalouqa


We all love Cheat Sheets. They are great to use when you need them, and they are also great to learn from because they force us to summarize the most important points.


  • What are the main Threats against an API?
  • Can we find common Threats that apply to APIs?
  • Are there generic Threats we could check for applicability?
  • Could we organize the Threats in Risk Patterns for APIs?
  • Can they be summarized in Cheat Sheet form?


A Cheat Sheet covering the most common threats against APIs.
