Hardening Your APIs

Course Description

APIs are an attractive target for attackers, so it is crucial to harden them before an attacker gains a foothold. In this course, we investigate the offensive techniques attackers use against APIs and the defensive security techniques you can apply to counter them. By course end, you will have a list of best practices to increase the security of your APIs.

Learning Objectives

  • Identify areas with potential weaknesses in APIs
  • Explain best practices to secure APIs
  • Formulate defense-in-depth strategies to secure APIs

Details

Delivery Format: eLearning

Duration: 1 hour 15 mins

Level: Intermediate

Intended Audience

  • Architects
  • Back-end Developers
  • Enterprise Developers

Prerequisites

Course Outline

Introduction

  • API Security and the OWASP Top 10
  • Securing Your APIs

The Client's Role in Security

  • Enforcing Restrictions on the Client
  • The Real Attack Surface of Your APIs
  • Using the Client for Better Security

Using Rate Limiting and Abuse Protection

  • The Need for Enforcing Limits
  • Overview of Defensive Strategies
  • Implementing Rate Limiting in an API Gateway

Mitigating Server-Side Request Forgery (SSRF)

  • Introducing SSRF
  • The Consequences of SSRF
  • Restricting IP Addresses
  • Restricting Domains
  • Restricting URLs
  • Additional Guidelines
  • Defense-in-Depth Strategies

Deploying CORS for APIs

  • A Brief Introduction to CORS
  • The Relevance of CORS to APIs
  • CORS for Public Endpoints
  • CORS for APIs Using Cookies
  • CORS for APIs Using Authorization Headers

Configuring Security Headers for APIs

  • Overview of Security-Related Response Headers
  • Forcing the Use of HTTPS
  • Restricting Framing
  • Dealing with Content Sniffing
  • Restricting Undesired Behavior
  • Using the Fetch Metadata Headers

Conclusion

  • Security and the Client
  • Rate Limiting and Abuse Protection
  • Server-Side Request Forgery
  • Cross-Origin Resource Sharing
  • Security Headers

Wrap Up
