About the course
APIs are the backbone of modern applications, but their widespread use has made them a prime target for attackers. Insecure APIs can expose sensitive data, lead to significant financial losses, damage reputation, and cause severe regulatory non-compliance. Building and maintaining a robust security posture is no longer optional; it's a critical business imperative.
Our comprehensive OWASP API Security Course is designed to provide developers and technical stakeholders with the knowledge and practical skills needed to build and manage secure APIs. Going beyond theory, this course delivers a hands-on experience, walking you through the entire security development lifecycle and giving you the tools to identify, exploit, and fix the most critical vulnerabilities in your own applications.
Beyond the OWASP Top 10: A secure API requires more than just addressing the top 10 risks. This module expands your knowledge to cover a broader range of crucial topics. You'll learn about Data Protection Mechanisms (including encryption and tokenisation), Auditing and Logging Solutions, and how to identify broader vulnerabilities like Clickjacking and Response Splitting. We will also introduce the CWE/SANS Top 25 Most Dangerous Software Errors to provide a wider context for writing truly secure code.
-
- Explain the fundamental importance of API security and its significant impact on businesses.
- Understand and describe core security practices and activities relevant to APIs within a Security Development Lifecycle (SDL).
- Identify, understand the impact of, and propose mitigation strategies for the OWASP 2023 API Security Top 10 Risks.
- Describe additional API security considerations beyond the OWASP Top 10, including data protection mechanisms, tokenisation solutions, and logging.
- Apply learned API security concepts and mitigation strategies through practical hands-on exercises and real-world examples.
-
This training course is specifically aimed at individuals involved in building and securing APIs and web applications who need to understand and address current API security risks. It is ideal for:
Software Developers building or maintaining APIs and backend services.
Web Developers working with technologies that consume or expose APIs.
Security Testers and Quality Assurance Engineers involved in API security testing.
Technical Leads and Architects making decisions about API design and security.
Anyone involved in web development who needs a practical understanding of current API security vulnerabilities and how to mitigate them.
-
Participants should have:
A foundational understanding of web application concepts, including how clients (browsers) interact with servers using HTTP requests and responses.
Basic software development experience and familiarity with reading or understanding code examples (examples may be provided in languages like JavaScript and SQL, but the principles of the vulnerabilities and fixes are universal).
Familiarity with using a web browser and interacting with web applications.
No prior specific security knowledge or experience with API development is required.
-
This OWASP API Security course is available for private / custom delivery for your team - as an in-house face-to-face workshop at your location of choice, or as online instructor-led training via MS Teams (or your own preferred platform).
Get in touch to find out how we can deliver tailored training which focuses on your project requirements and learning goals.
-
Introduction to API Security
What is API Security and why is it so important?: Define what API security entails and its critical role in protecting sensitive data and systems in modern application architectures and interconnected services.
What does it mean to your business?: Discuss the significant business impact of insecure APIs, including potential data breaches, financial losses, reputational damage, regulatory non-compliance (e.g., GDPR), and service disruption.
Security Development Lifecycle (SDL)
Analysing security and privacy risk: Techniques and methodologies for identifying and assessing potential security and privacy risks throughout the software development lifecycle.
Attack surface analysis: Methods for systematically identifying and mapping all potential points where an attacker could interact with or exploit an API or system.
Threat Modelling: Structured approaches for identifying potential threats, vulnerabilities, and appropriate countermeasures based on the design and architecture of an API or application.
Identifying the right tools: Overview of various types of tools available to support security activities within the development lifecycle, such as static analysis (SAST), dynamic analysis (DAST), interactive analysis (IAST), and vulnerability scanners.
Enforcing banned functions: Strategies and mechanisms for preventing developers from using insecure coding practices or deprecated/vulnerable functions within the codebase.
Static analysis: Using automated tools to analyse source code or compiled code for security vulnerabilities without executing the code.
Dynamic / Fuzz Testing: Testing a running application or API by sending unexpected, malformed, or random inputs (fuzzing) to discover vulnerabilities, alongside other runtime analysis techniques.
Response Plan: Developing a clear plan outlining the steps and procedures to be followed in response to a security incident or data breach.
Final Security Review: Performing a comprehensive security review and testing before deploying an API or application to production to ensure security requirements are met and vulnerabilities are addressed.
Hands-on with the OWASP Top 10 API Security Risks
API1:2023 - Broken Object Level Authorization (BOLA): Learn how attackers exploit APIs by changing the ID of an object in the request URL or body to access resources they are not authorised to. Hands-on labs to identify and exploit this vulnerability.
API2:2023 - Broken Authentication: Explore vulnerabilities related to authentication mechanisms that allow attackers to compromise identity tokens, session cookies, or exploit flaws to assume other users' identities or gain unauthorised access. Hands-on labs focusing on common authentication flaws.
API3:2023 - Broken Object Property Level Authorization: Understand how attackers can manipulate or access object properties (e.g., changing user roles, permissions, internal data) via API requests even if object-level access is authorised. Hands-on labs demonstrating property manipulation attacks.
API4:2023 - Unrestricted Resource Consumption: Learn about vulnerabilities where excessive consumption of CPU, memory, network bandwidth, or database resources can lead to denial of service or increased costs. Hands-on examples of resource exhaustion attacks.
API5:2023 - Broken Function Level Authorization (BFLA): Explore flaws where an attacker can access functionality or administrative endpoints they are not authorised to use, by exploiting weaknesses in access control at the function or endpoint level. Hands-on labs identifying and exploiting function-level access issues.
API6:2023 - Unrestricted Access to Sensitive Business Flows: Understand risks when APIs expose sensitive business processes (e.g., user registration, ordering, password reset, transferring funds) allowing attackers to manipulate or exploit them through lack of proper authorisation, rate limiting, or state management. Hands-on labs exploring business logic flaws.
API7:2023 - Server Side Request Forgery (SSRF): Learn how attackers can trick an API into sending crafted requests from the server-side to an unexpected destination, potentially accessing internal systems or services. Hands-on labs demonstrating SSRF attacks against APIs.
API8:2023 - Security Misconfiguration: Explore vulnerabilities arising from improper configuration of security controls, using default settings, verbose error messages revealing sensitive information, or misconfigured HTTP headers. Hands-on labs identifying and exploiting misconfigurations.
API9:2023 - Improper Inventory Management: Understand the risks associated with inadequate documentation, deprecated API versions, or exposed development/test endpoints that should not be public. Hands-on labs identifying poorly managed API inventories.
API10:2023 - Unsafe Consumption of APIs: Learn about vulnerabilities that occur when your API or application consumes other APIs or services without proper security validation, potentially exposing your system to supply chain attacks or data integrity issues. Hands-on labs demonstrating risks when consuming external services.
Beyond OWASP
Data Protection Mechanisms (crypto and more): Overview of techniques for protecting sensitive data in transit and at rest, including encryption, hashing, secure key management, and other data protection strategies.
Fuzz testing and other tools: Review of automated dynamic testing techniques (fuzzing) and an overview of other relevant security testing tools and methodologies used in conjunction with or beyond static analysis.
Click jacking: Understanding this specific web UI vulnerability where an attacker can trick a user into clicking on a hidden element, and its potential (though indirect) relevance if APIs are consumed or initiated via vulnerable web interfaces.
Response Splitting: Understanding this web vulnerability related to injecting newline characters into data that is included within HTTP headers to manipulate subsequent responses, and its potential (though indirect) relevance in API gateways or client-side API consumption scenarios.
CWE/SANS Top 25 Most Dangerous Software Errors: Introduction to this list of common, critical software weaknesses as broader context for writing secure code that is less susceptible to vulnerabilities, including those relevant to APIs.
Exploiting authentication: Deeper look at various specific techniques and attack vectors attackers use to bypass or compromise authentication systems and credentials, building on API2 concepts.
Language issues: Overview of security pitfalls or vulnerabilities that can arise from specific programming language features, common usage patterns, or standard libraries when building applications and APIs.
o Data devaluation: Understanding security risks related to data integrity, unauthorised modification, or targeted data exfiltration that reduce the value, trustworthiness, or usability of data exposed or processed via APIs.
Tokenisation solutions: Exploring different methods and best practices for using security tokens (e.g., JWTs, opaque tokens) for authentication, authorisation, and potentially data protection in API security contexts.
Auditing and Logging Solutions: Designing and implementing effective logging of security-relevant events within APIs and applications, and setting up auditing mechanisms to detect suspicious activity, investigate incidents, and support compliance.
Summary and next steps
Applying what you’ve learnt in the real world: Consolidating knowledge and discussing strategies for incorporating the learned API security practices and awareness into daily development and operational workflows.
Understanding the business impact of insecure software: Review of the critical importance of building secure software, particularly APIs, from a broader business perspective beyond just technical vulnerabilities.
-
OWASP API Security Top 10 2023: The official page detailing the top ten most critical API security risks. A fundamental reference for this course.
OWASP Cheatsheet Series: Provides practical, concise guidance on various application security topics, many of which are highly relevant to API security.
Troy Hunt's blog: Stay informed on web security breaches, vulnerabilities, and related topics from a leading voice in the security community.
The Hacker News: A popular source for general cybersecurity news, often featuring articles on web vulnerabilities, API attacks, and security trends relevant to developers.
Trusted by
