Secure development: Finding and fixing API security vulnerabilities

2021 has been a big year of growth for us. We’ve expanded our team, as well as the number of countries our customers are in.

We never lost sight of our mission though, to bring accessible, inclusive, industry-aligned security skills to all our customers and partners.

And what a great way to wrap up the end of 2021 — by releasing our newest SafeStack Academy Secure Development course: Finding and Fixing API Security Vulnerabilities.

Our Designing Secure Microservice Architectures course, released earlier in 2021, was the beginning of our more focused courses to help anyone involved in microservice or API software product design, delivery, architecture, testing and management, to secure their products. This new course lays out further directions on the journey to securing API platforms, regardless of your role within your organisation.

SafeStack Academy Principal Developer Advocate Christian Frichot shares some of the thoughts that went into creating this course.

Security testing APIs

The benefits of microservices and APIs are gaining in popularity and use. They enable organisations to build and maintain their systems in ways that allow them to scale bigger, deploy faster, and be more resilient than their monolithic counterparts.

While APIs and microservices are becoming the standard pattern used when developing new software projects, the industry overall is also seeing an uptick in use. This relates to the increasing number of organisations that are undergoing digital transformation and leveraging the cloud.

While some of the vulnerability classes may be similar to web applications, the context of API systems, both in how they operate, and how they’re developed, offers different avenues for abuse. This also means securing them is slightly different and requires us to focus more on specific areas like authentication, authorisation, alerting, and resource hardening.

Of all the ways in which organisations secure their software products, security testing is one of the most common activities. The Building Security in Maturity Model (BSIMM) from Synopsys is a framework to measure software security initiatives in the industry.

Their 2021 update highlighted how many organisations leverage security testing to secure their products, with over 86% of surveyed organisations performing penetration testing, and over 78% performing security testing as part of quality assurance.

Historically, security testing was seen as the responsibility of Security Consultants, Penetration Testers, or Quality Assurance engineers. But we believe a sound understanding of API security vulnerabilities provides tremendous value to those that are involved in architecting and designing these solutions too, particularly when it comes to threat modelling.

How testing fits into your securing microservices journey

Securing software is a complex field, and the growth of agile project styles and microservices can be challenging if you haven’t had to build or secure software in such a fast-paced way before. The Finding and Fixing API Security Vulnerabilities course extends the learning pathway for all our members, so they can do their jobs effectively.

Remember though that security testing, while important, shouldn’t be the only pillar your APIs rely on for resilience.

Effectively securing microservices relies on sound security architecture, threat assessment, ongoing education, configuration hardening and so much more. Not only do these other activities help, they can often refine and provide tighter scoping for your security testing, too. For example, threat modelling can help highlight the areas where you should pay closer attention in your security testing.

While all our Secure Development courses inter-relate, and connect with each other in various ways, this new course expands on two of our popular previous courses, Finding and Fixing Application Security Vulnerabilities, and Designing Secure Microservice Architectures. While it’s not a hard requirement to complete these first, the context provided in the earlier courses is a helpful foundation.

Diagram showing learning pathway of secure development courses

About our Finding and Fixing API Security Vulnerabilities course

In this course, we will introduce different ways to apply security concepts and controls to how you build and manage your APIs. We will also take you through common security vulnerability classes that affect APIs and how to identify and avoid them.

This course will help you understand:

  • API security concepts and how they relate to both development and operations
  • Challenges that you may encounter in your journey to secure your API environments
  • How to identify and address API weaknesses, particularly those related to authentication and authorisation, handling sensitive data, throttling and rate-limiting, injection flaws, and misconfiguration.
  • Tips for securely transitioning to microservices or hybrid architectures from legacy environments.

Who is this course for?

This course is for anyone who wants to design and implement secure microservices and API systems, and once you’re done you’ll also get our Secure Developer Level 2 badge!

It can be helpful to finish the Finding and Fixing Web Application Vulnerabilities course beforehand as some overlapping vulnerability classes affect both, and we won’t revisit any previous context we already covered.

While also not required, our Designing Secure Microservice Architectures course is complementary, helping you layer your API security framework from design through to testing.

You can access all these courses by becoming a member of SafeStack Academy.

What you get with a SafeStack Academy Secure Development membership

Our online training is flexible, so you can learn from anywhere at any time, and our ongoing programme means you get up-to-date content released regularly. Our high-quality, people-focused content is created by experts and is relevant for a range of roles in development teams.

As well as our Finding and Fixing API Vulnerabilities course, you’ll get access to our existing courses, including:


You also get these neat benefits:

  • Monthly online seminars hosted by the SafeStack Academy team on a range of application security topics, designed to connect you with a community of like-minded folks. Check out Detecting security attacks in software products for an idea of what to expect.
  • Online office hours, offering a chance to talk with our team about what you’re learning or any particular secure development challenges you’re working through.
  • Access to our hands-on labs, where you can explore concepts and test your knowledge.
  • Digital badges to recognise and share what you’ve learned.

We love to hear from you

We hope this course will give you practical ways to build and manage more secure APIs, and we’d love to hear your feedback. Drop us a line at and let us know what you think.


More Posts

Start your free trial today

Sign up for a 14-day trial of our team plan and invite your whole team. 

No credit card required.