
API Security Study Plan

A milestone-based API security roadmap for AppSec roles and security engineers who need strong API design, testing, and defense knowledge.

Use this after Common Security Skills. API security builds on web fundamentals, endpoint design, request/response flow, coding basics, the OWASP Web Top 10, and the OWASP API Top 10.

Expected pace

3-6 months

Entry-level API security readiness.

Prerequisites

How websites work.
How API endpoints are defined, including request and response flow.
Basic coding comfort to write your own APIs for testing.
OWASP Top 10 for Web.
OWASP Top 10 for API 2023.

Section 1

API Fundamentals

2 weeks

Learn endpoints, microservices, cloud-native APIs, and how API request/response flows map to business actions.

Week 1: Basics of API and Endpoints

API endpoints are specific communication channels between systems. Each endpoint receives requests and returns responses for a particular action.

Understand API endpoints through request, action, and response flow.
Map endpoints to business actions such as submit order, get menu, and track order.
User Service: registration, authentication, profile management, and access control.
Product Service: catalog, inventory, pricing, and search.
Order Service: order creation, status, payment flow, and invoice generation.
Payment Service: payment gateway integration and secure transaction processing.
Notification Service: email, SMS, and push notification delivery.
Analytics Service: metrics, behavior, performance, and data-driven decisions.
Integration Service: external APIs, third-party services, adapters, and connectors.
Image/Video Processing Service: resizing, thumbnails, filters, encoding, and decoding.

Week 2: Microservices and Cloud-Native APIs

Study microservices from an API security perspective, then learn how APIs are designed for cloud-native systems.

Authentication Service: identity, login, logout, registration, and token validation.
Authorization Service: policies, permissions, and resource access enforcement.
API Gateway: routing, load balancing, caching, protocol translation, rate limits, auth, and encryption.
Logging and Monitoring Service: API traffic, logs, metrics, anomalies, and security events.
Encryption Service: keys, data at rest, data in transit, encryption, and decryption.
Threat Intelligence Service: known threats, suspicious requests, alerts, and mitigation.
RESTful APIs: stateless APIs using HTTP methods like GET, POST, PUT, and DELETE.
Event-driven APIs: asynchronous communication through events, queues, brokers, or streams.
GraphQL APIs: flexible client-driven data queries across services.
Serverless APIs: APIs built with cloud functions and provider-managed infrastructure.
OpenAPI: machine-readable API specification for docs, testing, mocks, and code generation.

Section 2

API Security Understandings

2 weeks

Learn why API security differs from web security, then study AuthN, AuthZ, rate limits, and API gateways.

Week 3: Core Security Concepts

API security is not the same as web security: API security protects API behavior and the data transmitted between clients and services.
Web security focuses on the UI, the server, the database, and web content delivery.
API attack vectors include spoofing, parameter manipulation, MitM, and exposed backend behavior.
API authentication often uses OAuth, API keys, and JWTs.
Encryption: protect transmitted API data with TLS (HTTPS) and similar mechanisms.
Authentication: verify user or application identity.
Authorization: decide what authenticated users or systems can do.
Rate limiting: reduce DoS risk and resource abuse.
Study examples such as Google Maps API, Stripe API, and Twilio API.
Understand API security drivers: data protection, access control, trust, compliance, attack prevention, secure integration, monitoring, and auditing.
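To make the AuthN/AuthZ distinction concrete, here is an added example (not code from the roadmap) of one order-lookup endpoint that first authenticates the caller and then enforces both scope-based and resource-level authorization, which is the Week 4 material as well. The token format is a constructed HMAC-signed stand-in for a JWT, the signing key and the in-memory order store are hypothetical, and `now` is injected so expiry can be tested deterministically.

```python
"""AuthN vs AuthZ on a single API endpoint (constructed example).

Token format: base64url(json payload) "." base64url(HMAC-SHA256 tag).
This stands in for a JWT so the example runs without extra libraries.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # hypothetical server-side signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, scopes: list, ttl: int = 3600, now=None) -> str:
    """Mint a signed token for subject `sub` carrying the granted scopes."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": sub, "scope": scopes, "exp": now + ttl}).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def authenticate(token: str, now=None):
    """AuthN: who is calling? Returns verified claims, or None if untrusted."""
    now = time.time() if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    claims = json.loads(payload)                  # only parsed after the tag checks out
    if claims.get("exp", 0) < now:
        return None
    return claims


# Constructed order store: order id -> owner and total
ORDERS = {
    "o-1001": {"owner": "alice", "total": 42.00},
    "o-1002": {"owner": "bob", "total": 17.50},
}


def get_order(token: str, order_id: str, now=None):
    """GET /orders/{order_id}: returns (status_code, body)."""
    claims = authenticate(token, now)
    if claims is None:
        return 401, {"error": "unauthenticated"}          # AuthN failed
    if "orders:read" not in claims.get("scope", []):
        return 403, {"error": "insufficient_scope"}        # scope-based AuthZ failed
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != claims["sub"]:
        # Resource-level AuthZ: a valid caller may still not own this object.
        # Answer 404 for both "missing" and "not yours" so ids cannot be enumerated.
        return 404, {"error": "not_found"}
    return 200, order
```

The ownership check in `get_order` is the control whose absence produces BOLA (OWASP API Top 10 2023, API1): a token that passes authentication and carries the right scope is still not entitled to every order id.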

Week 4: Advanced Concepts

Go deeper into authentication, authorization, rate limiting, and API gateway security controls.

Username/password authentication.
Token-based authentication.
Two-factor authentication.
Role-based access control (RBAC).
Attribute-based access control (ABAC).
Scope-based access control.
Fine-grained resource-level access control.
Rate limiting for DoS/DDoS prevention, brute force protection, and resource management.
Rate limit algorithms: token bucket, leaky bucket, fixed window, and sliding window.
Rate limit headers: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset.
Return 429 Too Many Requests when limits are exceeded.
API Gateway security: AuthN/AuthZ, rate limiting, throttling, input validation, IP allow/deny lists, TLS termination, logging, and monitoring.
Know API gateway products: Kong, Apigee, AWS API Gateway, Azure API Management, and Tyk.
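As an added example (not code from the roadmap or any gateway product), the block below implements two of the four listed algorithms, token bucket and sliding-window log, behind a common `check()` interface, emits the three X-RateLimit headers, and turns a denial into a 429 with Retry-After. Client ids, limits and timestamps are constructed; `now` is passed in rather than read from the clock so the behaviour is deterministic.

```python
"""Per-client API rate limiting with the headers the roadmap lists (constructed example)."""
import math
from collections import deque


class TokenBucket:
    """Allows bursts up to `capacity`, then refills at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity, self.rate = capacity, rate
        self.buckets = {}  # client_id -> (tokens, last_seen_ts)

    def check(self, client_id: str, now: float):
        tokens, last = self.buckets.get(client_id, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill
        allowed = tokens >= 1
        if allowed:
            tokens -= 1
        self.buckets[client_id] = (tokens, now)
        # Seconds until at least one whole token is back in the bucket.
        reset = 0 if tokens >= 1 else math.ceil((1 - tokens) / self.rate)
        return allowed, {
            "X-RateLimit-Limit": str(self.capacity),
            "X-RateLimit-Remaining": str(int(tokens)),
            "X-RateLimit-Reset": str(reset),
        }


class SlidingWindowLog:
    """Exact limit: at most `limit` requests in any `window`-second interval."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.logs = {}  # client_id -> deque of accepted request timestamps

    def check(self, client_id: str, now: float):
        log = self.logs.setdefault(client_id, deque())
        while log and log[0] <= now - self.window:  # drop entries outside the window
            log.popleft()
        allowed = len(log) < self.limit
        if allowed:
            log.append(now)
        # Window clears when the oldest accepted request ages out.
        reset = 0 if not log else math.ceil(log[0] + self.window - now)
        return allowed, {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - len(log)),
            "X-RateLimit-Reset": str(reset),
        }


def handle(limiter, client_id: str, now: float):
    """Gateway-style wrapper: returns (status_code, headers, body)."""
    allowed, headers = limiter.check(client_id, now)
    if not allowed:
        headers["Retry-After"] = headers["X-RateLimit-Reset"]
        return 429, headers, {"error": "too_many_requests"}
    return 200, headers, {"ok": True}


if __name__ == "__main__":
    tb = TokenBucket(capacity=3, rate=1.0)
    for t in (0.0, 0.0, 0.0, 0.0, 1.0):
        print(t, handle(tb, "client-a", t)[:2])
```

The token bucket is the usual choice at a gateway because it tolerates short bursts; the sliding-window log is exact but stores one timestamp per accepted request, so memory grows with the limit. The headers are advisory, so the Retry-After value is what a well-behaved client should honour before retrying.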

Section 3

API Security Labs and Practices

2 weeks

Practice API vulnerabilities in purpose-built vulnerable API labs and microservice-style environments.

OWASP crAPI (Completely Ridiculous API)
crAPI Identity service: user and authentication endpoints.
crAPI Web service: main ingress service.
crAPI Community service: community blogs and comments endpoints.
crAPI Mailhog service: mail service.
crAPI Workshop service: vehicle workshop endpoints.
crAPI PostgreSQL database.
crAPI MongoDB NoSQL database.
vAPI (Vulnerable Adversarial Programmable Interface)
VAmPI (Vulnerable API made with Python/Flask)

Section 9

Interview Questions

Prepare API security interview stories around auth, authorization failures, BOLA, rate limits, gateways, and lab findings.

Practice explaining AuthN vs AuthZ with API examples.
Practice explaining API gateway security controls.
Practice explaining rate limiting algorithms and 429 behavior.
Practice explaining how API security differs from web security.
Practice explaining OWASP API Top 10 2023 risks.