Finding and Fixing API Security Vulnerabilities

Description

With the rise in popularity of microservices and more organizations moving towards API-focused architectures, understanding common vulnerability classes for APIs is becoming increasingly important. Identifying these weaknesses in our existing environment and knowing what design and build decisions caused them to happen can help us make more secure APIs.

In this course, we will introduce different ways to apply security concepts and controls to how you build and manage your APIs. We will also take you through common security vulnerability classes that affect APIs and how to identify and avoid them.

It can be helpful to finish the Finding and Fixing Web Application Security Vulnerabilities course beforehand, as several vulnerability classes overlap between web applications and APIs, and we will not revisit material already covered there. In addition, while not required, the Designing Secure Microservice Architectures course is very complementary, helping you layer your API security framework from design through to testing.


Duration

Takes approximately 1 hour to complete


Certification

Secure Developer Level 2


Course Objectives

  • Review and discover common microservice and API security vulnerabilities.

  • Learn approaches to apply security concepts and controls to reduce risk.

  • Discover further resources applying these security concepts to specific technologies and contexts.


Syllabus

Module 1: Applying security concepts to development and operations

  • How to apply procedural security controls in practice.

  • How to apply configurable security controls in practice.

  • The challenges and trade-offs we face when implementing these controls.

Module 2: Broken authorization

  • What causes broken authorization weaknesses.

  • How to identify them and understand their impact.

  • How to protect your application from this vulnerability.
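As an added illustration of the broken authorization class named in this module (example code written for this page, not part of the course material), the handler below is shown first with authentication only and then with an object-level check. The in-memory orders, the Principal model and the "support" role are constructed assumptions; no web framework is involved.

```python
# Added example (not course material): broken object-level authorization
# in an API handler, shown vulnerable and fixed. Data, names and the
# Principal model are constructed for illustration; no web framework is used.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as a token validation layer would produce it."""
    user_id: str
    roles: frozenset = frozenset()


class Forbidden(Exception):
    """Maps to HTTP 403 in a real API."""


class NotFound(Exception):
    """Maps to HTTP 404 in a real API."""


# Constructed sample records: each order belongs to exactly one user.
ORDERS = {
    "ord-1001": {"owner": "alice", "total": 42.00},
    "ord-1002": {"owner": "bob", "total": 99.00},
}


def get_order_vulnerable(caller: Principal, order_id: str) -> dict:
    """GET /orders/{id} with authentication but no authorization.
    Any logged-in caller reads any order by changing the id in the path."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_fixed(caller: Principal, order_id: str) -> dict:
    """Same route with an object-level check: after looking the record up,
    confirm the caller owns it (or holds a role that is allowed to read it)."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    if order["owner"] != caller.user_id and "support" not in caller.roles:
        # Deny by default. Whether to answer 403 or 404 here is a design
        # choice (404 avoids confirming that the id exists at all).
        raise Forbidden(f"{caller.user_id} may not read {order_id}")
    return order


def attempt(handler, caller: Principal, order_id: str) -> str:
    """Run a handler and summarise the outcome the client would see."""
    try:
        order = handler(caller, order_id)
    except Forbidden:
        return "403"
    except NotFound:
        return "404"
    return f"200 owner={order['owner']}"


if __name__ == "__main__":
    alice = Principal("alice")
    for handler in (get_order_vulnerable, get_order_fixed):
        print(handler.__name__, attempt(handler, alice, "ord-1002"))
```

The check sits on the record itself, not on the route: a role check alone ("is this user logged in?" or "is this user a customer?") would still let alice read bob's order, which is exactly the failure a sequential-id enumeration test will find.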

Module 3: Broken authentication

  • What causes broken authentication weaknesses.

  • How to identify them and understand their impact.

  • How to protect your application from this vulnerability.

Module 4: Data exposure

  • What are common causes of data exposure.

  • How to identify them and understand their impact.

  • How to protect your application from this vulnerability.

Module 5: Resource limitations

  • What are common resource limitation weaknesses for APIs.

  • How to identify them and understand their impact.

  • How to protect your application from this vulnerability.

Module 6: Mass assignment

  • What is mass assignment and what causes this vulnerability.

  • How to identify them and understand their impact.

  • How to protect your application from this vulnerability.
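As an added illustration of the mass assignment class named in this module (example code written for this page, not part of the course material), the profile-update handler below first binds whatever the client sends onto the model, then is hardened with an allowlist of client-writable fields. The User model, its field names and the allowlist are constructed assumptions; no web framework is involved.

```python
# Added example (not course material): mass assignment in a profile-update
# handler, vulnerable and fixed. The User model and field names are
# constructed for illustration; no web framework is used.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    username: str
    email: str
    is_admin: bool = False          # server-controlled, never client-writable


def update_profile_vulnerable(user: User, payload: dict) -> User:
    """PATCH /users/me that binds every key of the client JSON onto the model.
    A payload carrying "is_admin": true escalates privilege."""
    return replace(user, **payload)


# Allowlist of fields a client may set on its own profile. Anything else
# (is_admin, username, future columns) is rejected rather than silently
# dropped, so a client sending unexpected keys gets a 400, not a false success.
CLIENT_WRITABLE = frozenset({"email"})


def update_profile_fixed(user: User, payload: dict) -> User:
    """Same route, but only allowlisted keys reach the model."""
    unknown = set(payload) - CLIENT_WRITABLE
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")
    return replace(user, **payload)


def attempt(handler, user: User, payload: dict) -> tuple:
    """Run a handler and return (status, resulting user or error message)."""
    try:
        return ("200", handler(user, payload))
    except (ValueError, TypeError) as exc:
        return ("400", str(exc))


if __name__ == "__main__":
    alice = User("alice", "alice@example.com")
    evil = {"email": "alice@example.net", "is_admin": True}
    print(attempt(update_profile_vulnerable, alice, evil))
    print(attempt(update_profile_fixed, alice, evil))
```

Rejecting unknown keys (instead of ignoring them) is a deliberate choice: a denylist of "dangerous" fields rots as the model grows, and silently dropping keys hides the probing from both the client and your logs.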

Module 7: Injection

  • What is an injection vulnerability in the context of an API (compared to the web application weaknesses we learned about before).

  • How to identify them and understand their impact.

  • How to protect your application from this vulnerability.

Module 8: Misconfiguration and mismanagement

  • What are the commonly misconfigured or mismanaged components of an API system (including improper asset management, insufficient logging and monitoring, and security misconfiguration).

  • How to identify them and understand their impact.

  • How to protect your application from this vulnerability.

Module 9: Transitioning to microservices or hybrid architectures

  • Tips on building microservices in existing and legacy environments.

Previous

Finding and Fixing Web Application Security Vulnerabilities

Next

Zero Trust in Application Security