Finding and Fixing API Security Vulnerabilities
Description
With the rise in popularity of microservices and more organizations moving towards API-focused architectures, understanding common vulnerability classes for APIs is becoming increasingly important. Identifying these weaknesses in our existing environment and knowing what design and build decisions caused them to happen can help us make more secure APIs.
In this course, we will introduce different ways to apply security concepts and controls to how you build and manage your APIs. We will also take you through common security vulnerability classes that affect APIs and how to identify and avoid them.
It can be helpful to finish the Finding and Fixing Web Application Vulnerabilities course beforehand, as some overlapping vulnerability classes affect both, and we won’t revisit any previous context we already covered. In addition, while not required, the Designing Secure Microservice Architectures course is very complementary as well, helping you layer your API security framework from design through to testing.
Duration
Takes approximately 1 hour to complete
Certification
Course Objectives
Review and discover common microservice and API security vulnerabilities.
Learn approaches to apply security concepts and controls to reduce risk.
Discover further resources applying these security concepts to specific technologies and contexts.
Syllabus
Module 1: Applying security concepts to development and operations
How to apply procedural security controls in practice.
How to apply configurable security controls in practice.
The challenges and trade-offs we face when implementing these controls.
Module 2: Broken authorization
What causes broken authorization weaknesses.
How to identify them and understand their impact.
How to protect your application from this vulnerability.
Module 3: Broken authentication
What causes broken authentication weaknesses.
How to identify them and understand their impact.
How to protect your application from this vulnerability.
Module 4: Data exposure
What the common causes of data exposure are.
How to identify them and understand their impact.
How to protect your application from this vulnerability.
Module 5: Resource limitations
What the common resource limitation weaknesses for APIs are.
How to identify them and understand their impact.
How to protect your application from this vulnerability.
Module 6: Mass assignment
What mass assignment is and what causes this vulnerability.
How to identify it and understand its impact.
How to protect your application from this vulnerability.
Module 7: Injection
What an injection vulnerability is in the context of an API (compared to the web application weaknesses we learned about before).
How to identify it and understand its impact.
How to protect your application from this vulnerability.
Module 8: Misconfiguration and mismanagement
What the commonly misconfigured or mismanaged components of an API system are (including improper asset management, insufficient logging and monitoring, and security misconfiguration).
How to identify them and understand their impact.
How to protect your application from these weaknesses.
Module 9: Transitioning to microservices or hybrid architectures
Tips on building microservices in existing and legacy environments.