Essential API Security

Course Description

This course covers the most common and devastating API security vulnerabilities of the OWASP Top 10. Throughout this course, you will learn about real-world authentication and authorization failures and potential solutions. Topics include API authentication, authorization decisions, and handling state with tokens.

Learning Objectives

  • Identify different API authentication strategies
  • Assess which API authentication technique fits your use case
  • Explain how to handle user authentication state in APIs
  • Identify current cookie security best practices
  • Configure the API to handle JWTs securely
  • Identify common authorization pitfalls in APIs
  • Audit and improve an API authorization policy

Details

Delivery Format: eLearning

Duration: 1 hour 45 minutes

Level: Intermediate

Intended Audience

  • Architects
  • Back-end Developers
  • Enterprise Developers

Prerequisites

  • None

Course Outline

Introduction

  • Authentication and Authorization
  • Course Overview

Simple API Authentication Mechanisms

  • Including a Secret in the Request
  • Pros and Cons of Sending Secrets
  • Signing Requests with an HMAC
  • Pros and Cons of Using HMACs

Advanced Client Authentication

  • The Concept of Key-Based Client Authentication
  • Strategies for Handling Keys
  • Client Authentication with JWTs
  • Client Authentication with mTLS
  • Comparing JWTs and mTLS

User Authentication Strategies

  • Traditional Server-Side Sessions
  • Client-Side State
  • Using OAuth 2.0

Cookie Security Best Practices

  • The Use Case for Cookies
  • A Secure Cookie Configuration
  • Handling Cross-Site Request Forgery
  • Mitigating CSRF in APIs

Securely Handling JSON Web Tokens

  • Using JWTs for Authentication State
  • Using the Correct Signing Mechanism
  • Do Not Rely on Unverified Token Metadata
  • Reject Unsigned Tokens
  • Verify Reserved Claims
  • Using Explicit Typing
  • Handling Key Distribution

Common Authorization Pitfalls

  • Excessive Data Exposure
  • Mass Assignment
  • Broken Authorization

Building a Robust Authorization Strategy

  • The Issue with Complex Authorization Logic
  • Centralizing Authorization
  • Offloading Authorization to a Policy Decision Point

Course Wrap-Up