Certified API Security Professional E-Learning

Participants should have:

• A basic understanding of Linux command line usage
• Familiarity with the OWASP Top 10 vulnerabilities
• Basic application development knowledge is helpful but not mandatory

Target audience

This course is ideal for:

• Application developers integrating APIs into web or mobile apps
• DevOps engineers and security professionals managing API endpoints
• Security architects designing scalable and secure API gateways
• Compliance and risk teams assessing API-related attack vectors

By the end of this course, learners will be able to:

• Detect and prevent OWASP API Top 10 threats across REST, GraphQL, and SOAP
• Implement robust authentication strategies using OAuth, JWT, and mTLS
• Enforce advanced authorisation frameworks including RBAC, ABAC, and ReBAC
• Secure data using input validation, encryption, CSP, and secure headers
• Integrate SAST, DAST, and SCA tools into CI/CD workflows
• Deploy and manage secrets securely using tools like HashiCorp Vault
• Monitor APIs and automate security across deployment pipelines

Introduction to API security

• Overview of API architecture and HTTP protocols
• API protocols, data formats, and deployment models
• Stateless vs stateful API behaviours
• API threat modelling and common attack vectors
• API vs traditional web application testing
• Hands-on: HTTP servers, lab setup, and CI/CD demonstration

Tools of the API security trade

• Role of API gateways, proxies, and message queues
• Essential tools: cURL, Postman, OpenAPI, Burp Suite
• Reconnaissance and enumeration using FFUF and Swagger
• Hands-on: CRUD operations, API exploration, traffic interception

Authentication attacks and defences

• Common methods: Basic Auth, API keys, JWT, OAuth, OIDC, mTLS
• Brute force, insecure reset flows, token storage vulnerabilities
• Defence mechanisms: strong validation, MFA, CAPTCHA, rate limiting
• Hands-on: exploiting and hardening JWTs, password hash cracking

Authorisation attacks and defences

• Access models: RBAC, ABAC, DAC, ReBAC
• Vertical and horizontal privilege escalation
• OAuth 2.0 vs 2.1 and insecure OAuth configurations
• Hands-on: BOLA attacks, JWT privilege escalation

Input validation threats and defences

• Injection attacks: SQLi, XSS, SSRF, NoSQLi, deserialisation
• Validation vs sanitisation, regular expressions, output encoding
• Fuzzing and dynamic API abuse prevention
• Hands-on: mass assignment, SQLMAP, DOM XSS, GraphQL exploits

OWASP API Top 10 and additional threats

• Analysis of common vulnerabilities: BOLA, EDE, misconfigurations
• API abuse through CORS, caching, proxy and GraphQL/SOAP misuse
• Post-exploitation risks and API inventory mismanagement
• Hands-on: CORS abuse, XSS with elevated privileges

Advanced API defences

• Securing REST, GraphQL, and SOAP endpoints
• Data protection: encryption, hashing, escaping
• Secure headers: CSP, HSTS, X-Frame-Options
• Hands-on: Kong Gateway rate limiting, CSP implementation

Implementing API security mechanisms

• Designing secure OAuth scopes and permissions
• Reverse proxy and load balancer configurations
• Logging with ELK stack and syslog formats
• Secrets management using HashiCorp Vault
• Hands-on: secure secrets storage, Docker monitoring with Grafana

API security in DevSecOps

• Applying the OWASP ASVS framework
• Automating SCA, SAST, and DAST in CI/CD pipelines
• Mitigating risks at scale through policy enforcement
• Hands-on: DevSecOps pipeline with API deployment and automated scanning

Exams and assessments

Participants must complete a certification exam to earn the Certified API Security Professional™ credential. The course includes:

• One exam attempt included
• Realistic scenario-based exercises across key attack and defence topics
• Continuous knowledge checks to validate learning outcomes
• The exam is a task-oriented examination in which you will be required to solve 5 challenges within a timeframe of 6 hours, with an additional 24 hours to complete the report and submit it for evaluation.

Hands-on learning

This course with approx. 20hrs of e-learning includes:

• Over 60 interactive labs replicating real-world attack scenarios
• Guided exercises with Burp Suite, cURL, Postman, and HashiCorp Vault
• Vulnerability discovery through SAST, DAST, and SCA integrations
• Continuous deployment pipelines for secure microservices
• Monitoring and defence automation in production environments
• Upon completion of the purchase, learners will have the opportunity to select their preferred commencement date. The course will be provided on the chosen start date.
• 3-years of access to the videos and checklists, 60 days of browser-based labs, PDF Manual.

• Exam included
• Online exam voucher
• Dedicated tutor support via email during your course from expert instructors