Course Summary
The API security training prepares you for the Certified API Security Professional (CASP) course, a vendor-neutral APIsec certification designed to assess an IT professional’s API security expertise.
This API security course imparts professionals with deep knowledge of API security, adopting modern security practices and automation to secure APIs with appropriate techniques, catching security issues before they become critical, and alerting relevant engineers in real-time.
You will gain skills like:
• Implementing secure API design principles and best practices to prevent common security vulnerabilities.
• Using authentication and authorization mechanisms (e.g., OAuth, JWT) to secure API endpoints and control access.
• Implementing API rate limiting, throttling, and monitoring to protect against DDoS and brute force attacks.
• Conducting security testing techniques such as fuzzing, penetration testing, and vulnerability scanning on APIs.
• Integrating API security into the DevOps pipeline, including CI/CD automation and security tooling.
Module 1: Introduction to API Security
• Introduction to Application Programming Interface
• What is an API?
• Need for an API
• Why Should You Secure Your APIs?
• APIs vs. Web Applications
• Understanding API Architecture
• Overview of the HTTP protocol
• Anatomy of a HTTP Request
• Anatomy of a HTTP Response
• HTTP Response Codes and Its Significance
• Stateless and Stateful Requests
• Overview of API architecture
• API Protocols
• API Data formats
• Different Types of APIs
• Simple Architecture
• How Are APIs Typically Deployed?
• Complex Architecture
• Strategies To Secure APIs
• Threat Modeling of APIs
• Traditional VAPT vs API VAPT
• API Defenses
• Input Validation
• Identification
• Authentication
• Authorization
• Data Encryption
• Transport Security
• Error Handling and Logging
• Supply Chain SecurityI
Module 2: API Security Tools of the trade
• The Moving Parts in an API
• API Gateway
• Load Balancer/Reverse Proxy
• Message Queues
• Critical Toolchain for API Development
• Source Code Management
• CI/CD Tools
• Artifact Management
• Cloud Platform
• Infrastructure as Code
• Monitoring and Logging Tools
• Collaboration Tools
• Containerization
• Ability To Talk to an API
• cURL (curl)
• Postman
• OpenAPI (Swagger)
• Python
• An MITM Proxy
Module 3: Authentication Attacks and Defenses
• Overview of API Authentication
• Types of Authentication
• No Authentication (Public APIs)
• HTTP Basic Authentication
• API Token Authentication
• OIDC Authentication
• JSON Web Tokens (JWTs)
• SAML Tokens
• Mutual TLS
• Authentication Attacks
• Brute Force
• Weak Password Storage
• Password Reset Workflows
• Account Lockouts
• Insecure OpenID Connect Configuration
• Insecure JWTs Validation
• Authentication Defenses
• Secure Authentication Workflows
• Strong Password and Key Validation
• Multi-Factor Authentication
• Securely Storing the Tokens
• Cookies
• Local Storage and Session Storage
• Token Storage and XSS
• Rate Limiting
• CAPTCHA
Module 4: Authorization Attacks and Defenses
• Overview of API Authorization
• Types of Authorization
• No Authorization
• Role-Based Access Control (RBAC)
• Discretionary Access Control (DAC)
• Attribute-Based Access Control (ABAC)
• Relationship-Based Access Control (ReBAC)
• Authorization Attacks
• Misconfigured Permissions
• Broken Object Level Authorization
• Broken Function Level Authorization
• Horizontal Privilege Escalation
• Vertical Privilege Escalation
• Authorization Defenses
• Defending Object & Function Level Access
• Attribute-Based Access Control (ABAC) with Roles, and Relations
• Decoupling Authorization Decisions With Policy As Code
• Authorizing with OAuth Framework
• OAuth Specification
• Different Authorization Workflows
• Insecure OAuth Configurations
• OAuth 2.0 vs OAuth 2.1
• Different Types of Tokens
• Access Token
• Refresh Token
• ID Token
Module 5: Input validation Threats and Defenses
• Introduction to Input Validation
• Input Validation
• Input Sanitization
• Injection Vulnerabilities
• Cross-Site Scripting (XSS)
• SQL Injection
• ORM Injection
• NoSQL Injection
• Server Side Request Forgery
• Deserialization Issues
• Mass Assignment Issues
• Fuzzing
• Fuzzing 101
• Fuzzing vs Brute Forcing
• Fuzzing APIs Using Open Source and Commercial Tools
• Burp Suite Intruder
• OWASP ZAP Fuzzer
• Wfuzz
• FFUF
• Injection Defenses
• Implementing Input Validation
• Client-Side vs. Server-Side Validation
• Whitelisting & Blacklisting
• Implementing Input Sanitization
• Validating With Regular Expressions
• Output Encoding
• HTML Encoding
• HTML Attribute Encoding
• Javascript Encoding
• CSS Encoding
• Prepared Statements
• Content Security Policy
• Trusted Types
Module 6: Other API Security Threats
• Introduction to OWASP API Top 10
• Broken Object Level Authorization
• Broken Authentication
• Excessive Data Exposure
• Lack of Resources and Rate Limiting
• Broken Function Level Authorization
• Mass Assignment
• Security Misconfigurations
• Injection
• Improper Asset Management
• Insufficient Logging and Monitoring
• Broken Object Property Level Authorization
• Unrestricted Resource Consumption
• Unrestricted Access to Sensitive Business Flows
• Server Side Request Forgery
• Improper Inventory Management
• Unsafe Consumption of APIs
• Attacking Caching Layers (Memcache, Proxies, etc.,)
• Attacking GraphQL APIs
• Attacking SOAP APIs
• Abusing Micro-services, and REST APIs
• Post Exploitation in the API World
Module 7: Other API Security Defenses
• GraphQL API Security Best Practices
• SOAP API Security Best Practices
• REST API Security Best Practices
• Data Security
• Encoding and Decoding
• Escaping
• Hashing
• Encryption and Decryption
• Securing Data at Rest Using Encryption
• Storing Credentials for Service-to-Service Communication
• Password Storage and Its Considerations
• Picking a Secure Algorithm
• Securing Data in Transit Using TLS
• Rate Limiting Best Practices
• Security Headers
• X-XSS-Protection
• HTTP Strict Transport Security (HSTS)
• Cache-Control
• X-Frame-Options
• X-Frame-Options vs frame-ancestors
• Content Security Policy
• Implementing CSP at Scale
• Common Misconfigurations While Using CSP
• Cross-Origin Resource Sharing (CORS)
• Cookie Based Implementations
• Token Based Implementations
Module 8: Implementing API Security Mechanisms
• API Security Design Best Practices
• Authentication Implementation
• Authorization Implementation
• Designing API Permissions
• Designing OAuth Scopes
• Rate-Limiting Implementation and Best Practices at Different Stages
• Reverse Proxy
• Load Balancer
• API Gateways and WAFs
• Request Throttling
• Securely Store Secrets Using Hashicorp Vault
• Data Security Implementation
• Using Transport Layer Security (TLS)
• Implementing Sufficient Logging & Monitoring
• Secure Logging Implementation
• Logging Using Syslog Format
• Using ELK To Capture the Log Data
Module 9: API Security, the DevSecOps Way
• OWASP ASVS Framework
• Understanding OWASP ASVS
• Using ASVS To Secure Applications and APIs
• Creating Checklists With OWASP ASVS
• Automated Vulnerability Discovery
• Finding Insecure Dependencies Using Software Component Analysis
• Finding Vulnerabilities in Code Using Static Application Security Testing
• Automating API Attacks Using Dynamic Application Security Testing
• Addressing API Security Issues at Scale
Other Popular Courses
Executive Cyber Risk Certification (ECRC)
- Duration: 2 Days
- Language: English
- Level: Intermediate
- Exam: ECRC
Mastering Communication & Presentation Te...
- Duration: 4 Days
- Language: Danish
- Level: Intermediate
- Exam: MCPT
Next Generation Mindfulness
- Duration: 1 Days
- Language: English
- Level: Foundation
- Exam: NGM