Certified API Security Professional CASP

APIs now account for 80% of total Internet traffic, from the cloud to your fridge. While APIs bring new ways of developing and distributing applications, they also introduce new ways for malicious actors to attack enterprise systems.

In this course, you will learn how to identify security issues in your APIs, mitigate them with the proper security measures, and design your APIs for maximum efficiency and minimum exposure to risk. You will reinforce your learning using theoretical lectures, demos, quizzes, and secure design practices with realistic case studies and 40+ hands-on exercises.

You will start the course with API basics, core components of API architecture, and ways to interact with the APIs. Once you learn the fundamentals, you will gain hands-on experience with a series of realistic attack scenarios like Server Side Request Forgery, Broken Authentication, Broken Access Control issues, Injection attacks, Privilege escalation, and Security misconfigurations. 

Developers, architects, and security professionals tasked with designing and building secure APIs will benefit immensely from this course. This course imparts professionals with deep knowledge of API security, adopting modern security practices and automation to secure APIs with appropriate techniques, catching security issues before they become critical, and alerting relevant engineers in real-time.

The course also prepares you for the Practical DevSecOps Certified API Security Professional (CASP), a vendor-neutral certification program designed to assess an IT professional’s API security expertise.

After completing this course, you will be able to:

  1. Identify, exploit, and protect against a wide variety of API security vulnerabilities.
  2. Demonstrate a practical understanding of API Security Testing methodology, tools, and techniques. 
  3. Use the DevSecOps best practices to find and fix API security flaws early and often.
  4. Prove to employers and peers the practical understanding of the API Security Landscape.
  5. Challenge and earn the Certified API Security Testing Professional Certification by passing a 6-hour practical exam.

Prerequisites

  1. Course participants should have a basic understanding of Linux Commands and OWASP Top 10. 
  2. Basic knowledge of application development is preferred but is not necessary.

Learning Objectives

  1. Identify, exploit, and protect against a wide variety of API security vulnerabilities.
  2. Gain a practical understanding of API Security and the tools to automate it.
  3. Understand and implement the modern ways of scaling API Security Testing.

Module 1: Introduction to API Security

  1. Introduction to Application Programming Interface
    1. What is an API?
    2. Need for an API
    3. Why Should You Secure Your APIs?
    4. APIs vs. Web Applications
  2. Understanding API Architecture
    1. Overview of the HTTP protocol
    2. Stateless and Stateful Requests
    3. Overview of API architecture
      1. API Protocols
      2. API Data formats
      3. Different Types of APIs
    4. Simple Architecture
      1. How Are APIs Typically Deployed?
    5. Complex Architecture
  3. Threat Modeling of APIs
    1. Traditional VAPT vs API VAPT
  4. API Defenses
    1. Input Validation
    2. Identification
    3. Authentication
    4. Authorization
    5. Data Encryption
    6. Transport Security
    7. Error Handling and Logging
    8. Supply Chain Security
  5. Hands-on Exercises:
    1. Understanding an API Language (Endpoints, Verbs, and State)
    2. Understanding cURL Command
    3. Performing CRUD Operations Using API

Module 2: API Security Tools of the trade

  1. The Moving Parts in an API
    1. API Gateway
    2. Load Balancer/Reverse Proxy
    3. Message Queues
  2. Critical Toolchain for API Development
    1. Source Code Management
    2. CI/CD Tools
    3. Artifact Management
    4. Cloud Platform
    5. Infrastructure as Code
    6. Monitoring and Logging Tools
    7. Collaboration Tools
  3. Containerization
  4. Ability To Talk to an API
    1. cURL (curl)
    2. Postman
    3. OpenAPI (Swagger)
    4. Python
    5. An MITM Proxy
  5. Hands-on Exercises: 
    1. Setup the Burp Suite for API Security Testing
    2. Understand APIs Using OpenAPI Specifications
    3. Performing Reconnaissance on an API
    4. Enumerate User Accounts From an API
    5. Hunt for Vulnerable APIs

    Module 3: Authentication Attacks and Defenses

    1. Overview of API Authentication
    2. Types of Authentication
      1. No Authentication (Public APIs)
      2. HTTP Basic Authentication
      3. API Token Authentication
      4. OIDC Authentication
      5. JSON Web Tokens (JWTs)
      6. SAML Tokens
      7. Mutual TLS
    3. Authentication Attacks
      1. Brute Force
      2. Weak Password Storage
      3. Password Reset Workflows
      4. Account Lockouts
      5. Insecure OpenID Connect Configuration
      6. Insecure JWTs Validation
    4. Authentication Defenses
      1. Secure Authentication Workflows
      2. Strong Password and Key Validation
      3. Multi-Factor Authentication
      4. Securely Storing the Tokens
        1. Cookies 
        2. Local Storage and Session Storage
        3. Token Storage and XSS
      5. Rate Limiting
      6. CAPTCHA
    5. Hands-on Exercises:
      1. Talking to an API Using Basic, API Token and OAuth and JWTs
      2. Exploring Broken Authentication Using API Token, Oauth and JWTs
      3. Exploiting Weak Passwords
      4. Bruteforcing the passwords
      5. Exploiting misconfigurations in scope
      6. Forging Tokens 
      7. Abusing JSON Web Token

    Module 4: Authorization Attacks and Defenses

    1. Overview of API Authorization
    2. Types of Authorization
      1. No Authorization
      2. Role-Based Access Control (RBAC)
      3. Discretionary Access Control (DAC)
      4. ‚Äč‚ÄčAttribute-Based Access Control (ABAC)
      5. Relationship-Based Access Control (ReBAC)
    3. Authorization Attacks
      1. Misconfigured Permissions
      2. Broken Object Level Authorization
      3. Broken Function Level Authorization
      4. Horizontal Privilege Escalation
      5. Vertical Privilege Escalation
    4. Authorization Defenses
      1. Defending Object & Function Level Access
      2. Attribute-Based Access Control (ABAC) with Roles, and Relations
      3. Implementing RBAC in APIs
      4. Decoupling Authorization Decisions With Policy As Code
    5. Authorizing with OAuth Framework
      1. OAuth Specification
      2. Different Authorization Workflows
      3. Insecure OAuth Configurations
      4. OAuth 2.0 vs OAuth 2.1
      5. Different Types of Tokens
        1. Access Token
        2. Refresh Token
        3. ID Token
    6. Hands-on Exercises:
      1. Bypassing Access Control
      2. Exploiting Broken Object Level Authorization
      3. Exploiting Broken Function Level Authorization
      4. Exploiting Weak/Default Permissions
      5. Finding Another Cell Phone User’s Location

    Module 5: Input validation Threats and Defenses

    1. What Is Input Validation
      1. Implementing Input Validation
      2. Client-Side vs. Server-Side Validation
      3. Whitelisting & Blacklisting
      4. Regular Expressions
    2. Injection Vulnerabilities 
      1. OWASP API Top 10
      2. Cross-Site Scripting (XSS)
      3. SQL Injection
      4. ORM Injection
      5. NoSQL Injection
      6. Server Side Request Forgery
      7. Deserialization Issues
      8. Mass Assignment Issues
    3. Fuzzing
      1. What Is Fuzzing
      2. Fuzzing APIs Using Open Source and Commercial Tools
      3. Tools to Fuzz
        1. Burp Suite Intruder
        2. OWASP ZAP Fuzzer
        3. Wfuzz
        4. FFUF
    4. Injection Defenses
      1. Input Validation
      2. Output Encoding
        1. HTML Encoding
        2. Character Encoding
      3. Prepared Statements
      4. Content Security Policy
      5. Trusted Types
    5. Hands-on Exercises:
      1. Input Validation Using Industry Best Practices
      2. Finding a Way To Get Free Coupons Without Knowing the Coupon Code
      3. Using Vulnerability Assessment Approaches Effectively
      4. Fuzzing APIs Using Ffuf
      5. Fuzzing With Postman for Improper Asset Management
      6. Exploiting Mass Assignment Vulnerabilities

    Module 6: Other API Security Threats

    1. Improper Inventory and asset management
    2. Excessive Data Exposure
    3. Lack of Resources and Rate Limiting
    4. Security Misconfigurations
    5. Insufficient Logging & Monitoring
    6. Attacking Caching Layers (Memcache, Proxies, etc.,)
    7. Abusing Micro-services
    8. Attacking GraphQL APIs
    9. Attacking SOAP APIs
    10. Attacking REST APIs
    11. Attacking SPA Backed by APIs
    12. Post Exploitation in the API World 
    13. Hands-on Exercises:
      1. Bypass the rate-limiting
      2. Extract sensitive data by abusing default API behavior
      3. Find and mitigate the IDOR vulnerability
      4. Exploit the CORS misconfiguration
      5. Exploit the undisclosed API calls
      6. Sensitive information in the server logs

    Module 7: Other API Security Defenses

    1. GraphQL API Security Best Practices
    2. SOAP API Security Best Practices
    3. REST API Security Best Practices
    4. Protecting SPA backed by APIs
    5. Data Security
      1. Encoding and Decoding
      2. Escaping
      3. Hashing
      4. Encryption and Decryption
      5. Encoding vs. Encryption
      6. Securing Data at Rest Using Encryption
        1. Password Storage and Its Considerations
        2. Picking a Secure Algorithm
        3. Storing Credentials for Service-to-Service Communication
        4. Secure File Storage and Access Management
      7. Securing Data in Transit Using TLS
    6. Rate Limiting Best Practices at Different Stages
      1. Reverse Proxy
      2. Load Balancer
      3. API Gateways and WAFs
      4. Request Throttling
    7. Security Headers
      1. Cache-Control
      2. Content Security Policy
        1. Implementing CSP at Scale
        2. Common Misconfigurations While Using CSP
        3. Defending Against Common Security Issues Using CSP
          1. XSS
          2. CSRF
      3. X-Frame-Options
      4. X-XSS-Protection
      5. HTTP Strict Transport Security (HSTS)
      6. Cross-Origin Resource Sharing (CORS)
        1. Cookie Based Implementations
        2. Token Based Implementations
    8. Implement Sufficient Logging & Monitoring
      1. Logging Using Syslog Format
      2. Using ELK To Capture the Log Data
    9. Hands-on Exercises:
      1. Bypassing CSP Header
      2. Configuring HSTS To Prevent MITM Attacks
      3. Finding the Missing Security Headers and Fixing Them
      4. Implementing Rate Limiting Using HAProxy and Nginx

    Module 8: Implementing API Security Mechanisms

    1. API Security Design Best Practices
    2. Authentication Implementation (MFA)
    3. Authorization Implementation
    4. Rate-Limiting Implementation
    5. Securely Store Secrets Using Hashicorp Vault
    6. Secure Logging Implementation
    7. Data Security Implementation
    8. Using Transport Layer Security (TLS)
    9. Hands-On Exercises:
      1. Bypassing WAFs and Security Products
      2. How To Configure TLSv1.2 and Beyond Securely To Achieve A+ on SSLlabs Scans
      3. Adding CSP Header to an API
      4. Second-Order Sensitive Information Leakage

    Module 9: API Security, the DevSecOps Way

    1. OWASP ASVS Framework
      1. What Is ASVS, and How It Is Useful
      2. How To Create Checklists
      3. How To Use ASVS Framework To Secure an Application and Its APIs
    2. Automated Vulnerability Discovery
    3. Finding Insecure Dependencies Using Software Component Analysis
    4. Finding Vulnerabilities in Code Using Static Application Security Testing
    5. Automating API Attacks Using Dynamic Application Security Testing
    6. Fixing API Security Issues at Scale
    7. Hands-on Exercises:
      1. Creating a Simple CI/CD Pipeline
      2. Deploying a Microservice/Docker Container to Production
      3. Exploiting a Microservice Using Docker Misconfiguration
      4. Exploiting a Microservice Using API Vulnerabilities
      5. Finding and Fixing API Security Issues Using SCA, SAST, and DAST in CI/CD Pipelines

    Practical DevSecOps Certification Process

    1. After completing the course, you can schedule the CASP exam on your preferred date.
    2. The process of achieving Practical DevSecOps CASP Certification can be found here.

    API Security Fundamentals

    No email required

    Ready to learn DevSecOps?

    Get in touch, or Register now!