Secure development: Finding and fixing API security vulnerabilities

2021 has been a big year of growth for us. We’ve expanded our team and the number of countries our customers are in.

We never lost sight of our mission to bring accessible, inclusive, industry-aligned security skills to all our customers and partners.

And what a great way to wrap up the end of 2021 — by releasing our newest SafeStack Academy Secure Development course: Finding and Fixing API Security Vulnerabilities.

Our Designing Secure Microservice Architectures course, released in 2021, began our more focused courses to help anyone involved in microservice or API software product design, delivery, architecture, testing, and management to secure their products.

This new course lays out further directions on securing API platforms, regardless of your role within your organization. SafeStack Principal Developer Advocate Christian Frichot shares some of the thoughts that went into creating this course.

Security testing APIs

Microservices and APIs, and the benefits they bring, are gaining in popularity and use. They enable organizations to build and maintain their systems in ways that allow them to scale bigger, deploy faster, and be more resilient than their monolithic counterparts.

While APIs and microservices are becoming the standard pattern used when developing new software projects, the industry overall is also seeing an uptick in their use. This relates to the increasing number of organisations that are undergoing digital transformation and leveraging the cloud.

While some vulnerability classes may be similar to web applications, the context of API systems, both in how they operate and are developed, offers different avenues for abuse. This also means securing them is slightly different and requires us to focus more on specific areas like authentication, authorization, alerting, and resource hardening.

Of all the ways organisations secure their software products, security testing is one of the most common activities. The Building Security in Maturity Model (BSIMM) from Synopsys is a framework to measure software security initiatives in the industry.

Their 2021 update highlighted how many organizations leverage security testing to secure their products, with over 86% of surveyed organizations performing penetration testing and over 78% performing security testing as part of quality assurance.

Historically, security testing was considered the responsibility of Security Consultants, Penetration Testers, or Quality Assurance engineers. However, we believe a sound understanding of API security vulnerabilities provides tremendous value to those architecting and designing these solutions, particularly regarding threat modelling.

How testing fits into your securing microservices journey

Securing software is a complex field, and the growth of agile project styles and microservices can be challenging if you haven’t had to build or secure software in such a fast-paced way before. The Finding and Fixing API Security Vulnerabilities course extends the learning pathway for all our members so they can do their jobs effectively.

Remember though that security testing, while important, shouldn’t be the only pillar your APIs rely on for resilience.

Effectively securing microservices relies on sound security architecture, threat assessment, ongoing education, configuration hardening, and more. These other activities help, and they can often refine and provide tighter scoping for your security testing, too. For example, threat modeling can help highlight the areas where you should pay closer attention in your security testing.

While all our Secure Development courses inter-relate and connect in various ways, this new course expands on two popular previous courses, Finding and Fixing Application Security Vulnerabilities, and Designing Secure Microservice Architectures. While completing these first is not a hard requirement, the context provided in the earlier courses is a helpful foundation.

About our Finding and Fixing API Security Vulnerabilities course

This course will introduce different ways to apply security concepts and controls to how you build and manage your APIs. We will also take you through common security vulnerability classes that affect APIs and teach you how to identify and avoid them. This course will help you understand:

  • API security concepts and how they relate to both development and operations

  • Challenges that you may encounter in your journey to secure your API environments

  • How to identify and address API weaknesses, particularly those related to authentication and authorization, handling sensitive data, throttling and rate-limiting, injection flaws, and misconfiguration.

  • Tips for securely transitioning to microservices or hybrid architectures from legacy environments.

Who is this course for?

This course is for anyone who wants to design and implement secure microservices and API systems, and once you’re done, you’ll also get our Secure Developer Level 2 badge! It can be helpful to finish the Finding and Fixing Web Application Vulnerabilities course beforehand as some overlapping vulnerability classes affect both, and we won’t revisit any previous context we have already covered.

While also not required, our Designing Secure Microservice Architectures course is complementary, helping you layer your API security framework from design to testing. You can access all these courses by becoming a member of SafeStack Academy.

What do you get with a SafeStack membership?

Our online training is flexible so that you can learn from anywhere at any time, and our ongoing program means you get up-to-date content released regularly. Experts create our high-quality, people-focused content which is relevant for a range of roles in development teams.

As well as our Finding and Fixing API Vulnerabilities course, you’ll get access to our existing courses, including:

You also get these neat benefits:

  • Monthly online seminars hosted by the SafeStack team on various application security topics designed to connect you with a community of like-minded folks.

  • Online office hours offer a chance to talk with our team about what you’re learning or any secure development challenges you’re working through.

  • Access to our hands-on labs, where you can explore concepts and test your knowledge.

  • Digital badges to recognize and share what you've learned.
