
API Security Study Plan

This page tracks jassics/security-study-plan/api-security-study-plan and is updated from it.

This study plan is organized by milestones, so check how much you can cover within the timeline. The more topics you cover, the stronger a candidate you become for the varied job roles that require good knowledge of API security. I also assume you have already gone through, and are comfortable with, the Common Security Skills study plan.

It covers what you need to learn to excel in API security (part of the Application Security domain). Keep in mind that it requires knowledge of:

  1. How websites work
  2. How API endpoints are defined and their request and response
  3. Basics of coding to write your own APIs for testing
  4. OWASP Top 10 for Web
  5. OWASP Top 10 for API 2023 (latest version) - see the site's own API Security guide for a working summary

Note: It usually takes 3-6 months to become solid enough in the API Security fundamentals to get an entry-level job.

ToC

  1. API Fundamentals - 2 weeks
  2. API Security Understandings - 2 weeks
  3. API Security Labs and Practices - 2 weeks
  4. API Security Tools
  5. Books
  6. Videos
  7. Courses
  8. Certifications
  9. Interview Questions

API Fundamentals

Duration: 2 weeks

Week 1: Basics of API & Endpoints

API Endpoints

Imagine you're ordering food from a delivery app. You select items and click "Place Order." Behind the scenes, the app calls a specific API endpoint designated for order submission with your items, address, and instructions. A different endpoint handles order tracking. Endpoints are the specific doors that let systems exchange information for a particular purpose or action.

Types of Microservices

Microservices break an application into small, loosely-coupled, independently deployable services, each owning a business capability. Common types you'll encounter:

  1. User Service - registration, authentication, profile management
  2. Product Service - catalog, inventory, pricing, search
  3. Order Service - order lifecycle, payments, invoices
  4. Payment Service - payment gateway integration, secure transaction processing
  5. Notification Service - email/SMS/push notifications
  6. Analytics Service - usage metrics and monitoring
  7. Integration Service - adapters/connectors to external APIs and legacy systems
  8. Image/Video Processing Service - resizing, thumbnails, encoding

Week 2: Microservices & Cloud-Native APIs

Microservices from an API Security Perspective

  1. Authentication Service - verifies identity (username/password, tokens, MFA)
  2. Authorization Service - enforces access control policies
  3. API Gateway - entry point for external requests; enforces rate limiting, auth, encryption
  4. Logging and Monitoring Service - detects anomalies and security events
  5. Encryption Service - protects data at rest and in transit
  6. Threat Intelligence Service - compares traffic against known threat patterns

Cloud-Native API Styles

  1. RESTful API - stateless, standard HTTP verbs, most common
  2. Event-Driven APIs - asynchronous, message queues/event brokers
  3. GraphQL API - flexible querying, single entry point across services
  4. Serverless APIs - AWS Lambda/Azure Functions, scale automatically
  5. OpenAPI (Swagger) - not an API style but a machine-readable contract for REST APIs; drives docs, mocks, client generation and, for security, schema-based request validation at the gateway

API Security Understandings

Duration: 2 weeks

Week 3: Core Security Concepts

API Security is Not Web Security

They're related but distinct:

Aspect              Web App Security                      API Security
Focus               UI, server, database                  The API contract and the data it exposes
Common attacks      SQLi, XSS, CSRF, file inclusion       BOLA/IDOR, broken authentication, excessive
                                                          data exposure, mass assignment, parameter tampering
AuthN/AuthZ         Username/password, sessions           OAuth 2.0 tokens, API keys, JWTs
Interaction model   Browser-driven, user-facing UI        Back-end, system-to-system (mobile apps,
                                                          partners, microservices)

Why API Security Matters

  1. Data Protection - APIs often carry sensitive data (credentials, PII, financial data)
  2. Authorization & Access Control - restrict actions to authenticated/authorized callers
  3. Trust and Reputation - breaches damage customer trust
  4. Compliance - GDPR, HIPAA and similar regulations apply to API-transmitted data too
  5. Attack Prevention - injection, XSS (when API responses are rendered by a client), CSRF (for cookie-authenticated APIs) and DoS all have API equivalents
  6. Secure Integration - APIs are the seam between systems, orgs, and third parties
  7. Monitoring & Auditing - visibility into who called what and when

Week 4: Advanced Concepts (AuthN, AuthZ, Rate Limiting)

AuthN vs AuthZ

  • Authentication (AuthN) - proves identity: username/password, token-based auth, MFA (SMS, TOTP, FIDO keys).
  • Authorization (AuthZ) - decides what an authenticated identity can do: RBAC (roles), ABAC (attributes), scope-based access (OAuth scopes), and fine-grained per-resource permissions.

Rate Limiting

Caps how often an action can repeat within a window per client, key or IP. It slows brute force and credential stuffing, blunts resource-exhaustion DoS, and keeps usage fair between tenants.

  • Token Bucket - tokens refill at a fixed rate; each request consumes one.
  • Leaky Bucket - processes requests at a fixed rate, smoothing bursts.
  • Fixed Window - counts per window; can be gamed at window edges.
  • Sliding Window - smooths out the fixed-window edge case.
  • Communicate limits via X-RateLimit-Limit/X-RateLimit-Remaining/X-RateLimit-Reset headers and return 429 Too Many Requests when exceeded.
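The three algorithms above, implemented side by side so the fixed-window edge case is visible, as an added example that is not part of the original plan or of any named tool. Client IDs, the 5-requests-per-10-seconds limit and the timestamps are constructed for the demonstration; the `handle` function stands in for the gateway or middleware layer that turns a limiter decision into a 429 and the X-RateLimit-* headers.

```python
import math
from collections import deque


class TokenBucket:
    """Bucket of `capacity` tokens refilled at `rate` tokens/second; each request takes one.
    Allows short bursts up to `capacity`, then settles to `rate` requests/second."""

    def __init__(self, capacity: int, rate: float):
        self.limit, self.rate = capacity, rate
        self.state = {}  # client -> (tokens, last_seen)

    def allow(self, client: str, now: float):
        tokens, last = self.state.get(client, (float(self.limit), now))
        tokens = min(float(self.limit), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.state[client] = (tokens - 1.0, now)
            return True, int(tokens - 1.0), 0
        self.state[client] = (tokens, now)
        # seconds until one whole token is back, used for Retry-After
        return False, 0, math.ceil((1.0 - tokens) / self.rate)


class FixedWindow:
    """One counter per client per `window` seconds. Cheap, but a client can send `limit`
    requests at the very end of one window and `limit` more at the start of the next."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.counts = {}  # (client, window index) -> count

    def allow(self, client: str, now: float):
        key = (client, int(now // self.window))
        reset = math.ceil(self.window - now % self.window)
        count = self.counts.get(key, 0)
        if count >= self.limit:
            return False, 0, reset
        self.counts[key] = count + 1
        return True, self.limit - count - 1, reset


class SlidingWindow:
    """Sliding log: keep each client's request timestamps from the last `window` seconds.
    Removes the fixed-window edge case at the cost of memory per active client."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.log = {}  # client -> deque of timestamps

    def allow(self, client: str, now: float):
        q = self.log.setdefault(client, deque())
        while q and q[0] <= now - self.window:  # drop entries that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False, 0, math.ceil(q[0] + self.window - now)
        q.append(now)
        return True, self.limit - len(q), math.ceil(q[0] + self.window - now)


def handle(limiter, client: str, now: float) -> dict:
    """Apply a limiter the way a gateway/middleware would: X-RateLimit-* headers on every
    response, 429 plus Retry-After once the cap is exceeded."""
    allowed, remaining, reset = limiter.allow(client, now)
    headers = {
        "X-RateLimit-Limit": str(limiter.limit),
        "X-RateLimit-Remaining": str(remaining),
        "X-RateLimit-Reset": str(reset),
    }
    if not allowed:
        headers["Retry-After"] = str(reset)
        return {"status": 429, "headers": headers}
    return {"status": 200, "headers": headers}


if __name__ == "__main__":
    # Same burst against both window types: 5 requests at t=9.0..9.4, 5 more at t=10.0..10.4.
    for limiter in (FixedWindow(5, 10.0), SlidingWindow(5, 10.0)):
        statuses = [handle(limiter, "client-a", t)["status"]
                    for t in [9.0, 9.1, 9.2, 9.3, 9.4, 10.0, 10.1, 10.2, 10.3, 10.4]]
        print(type(limiter).__name__, statuses)
```

The fixed window lets all ten requests through in 1.4 seconds, twice the intended cap, while the sliding log starts returning 429 on the sixth. In a real deployment the counters live in a shared store (Redis or the gateway's own cluster state) rather than a process-local dict, and the key should be the authenticated principal or API key, not only the source IP.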

API Gateway

Sits between clients and backend services as a reverse proxy. Key security functions: centralized AuthN/AuthZ (verifies JWTs, passes user context downstream), rate limiting/throttling, input validation, IP allow/deny lists, TLS termination, and centralized logging.

Popular gateways: Kong, Apigee, AWS API Gateway, Azure API Management, Tyk.
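A worked example of the AuthN/AuthZ split from Week 4 and of the gateway's "verify the JWT, pass user context downstream" step, added here and not taken from the original plan or from any of the gateways listed. `authenticate` plays the gateway: it pins the algorithm, checks the HMAC signature in constant time and validates exp and aud before handing the claims to the service. `get_order` is the downstream Order Service with the two authorization checks a token alone does not give you: the OAuth scope (what the token may do) and object-level ownership (whether this subject owns this order). The shared secret, audience name, orders and users are all constructed assumptions for the example; a production issuer would use asymmetric keys and a proper JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption (example only): an HS256 secret shared by the token issuer and the gateway.
SECRET = b"example-shared-secret-change-me"
AUDIENCE = "orders-api"  # assumed audience value for this service


class AuthError(Exception):
    """Any AuthN or AuthZ failure; the HTTP layer maps it to 401/403/404."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the identity provider."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def authenticate(token: str, key: bytes = SECRET, now=None) -> dict:
    """AuthN at the gateway. Rejects alg=none / algorithm confusion by pinning HS256,
    compares the signature in constant time, then checks exp, aud and sub.
    Returns the verified claims that are forwarded as the caller's identity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        raise AuthError("malformed token")
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise AuthError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise AuthError("token expired or missing exp")
    if claims.get("aud") != AUDIENCE:
        raise AuthError("wrong audience")
    if not isinstance(claims.get("sub"), str):
        raise AuthError("missing sub")
    return claims


# Constructed sample data for the downstream Order Service.
ORDERS = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 7.5},
}


def get_order_vulnerable(token: str, order_id: int) -> dict:
    """Authenticated but not authorized: any valid caller reads any order by changing
    the ID (OWASP API Top 10 API1: Broken Object Level Authorization)."""
    authenticate(token)
    return ORDERS[order_id]


def get_order(token: str, order_id: int) -> dict:
    """Hardened: scope check (what the token may do) plus object-level check (whether
    this subject owns this object). Missing and foreign orders fail identically so
    order IDs cannot be enumerated."""
    claims = authenticate(token)
    if "orders:read" not in claims.get("scope", "").split():
        raise AuthError("insufficient scope")
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != claims["sub"]:
        raise AuthError("order not found")
    return order
```

The vulnerable handler is what most BOLA findings look like in practice: the authentication is correct, the token is valid, and the only thing missing is a one-line ownership comparison in the service. The gateway cannot make that check for you, because it does not know which user owns order 102; it can only guarantee that the `sub` it forwards is trustworthy.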

API Security Labs and Practices

Duration: 2 weeks

  1. OWASP crAPI - "Completely Ridiculous API," a mock microservices app implementing nearly every API security anti-pattern (Identity, Web, Community, Mailhog, Workshop, Postgres, Mongo services).
  2. vAPI - PHP-based, mimics OWASP API Top 10 scenarios through exercises.
  3. VAmPI - Vulnerable API built with Python/Flask.

API Security Tools

  1. Dastardly (Burp Suite, free) - for CI/CD pipeline scanning
  2. 42Crunch API Security Audit
  3. Wallarm
  4. Google Apigee Sense
  5. Traceable
  6. Levo
  7. Beagle Security
  8. Salt Security
  9. Cequence
  10. Neosec (now part of Akamai)

Books

  1. API Security in Action
  2. Hacking APIs: Breaking Web Application Programming Interfaces
  3. Web Application Security
  4. Advanced API Security

Videos

  1. API Security: Everything you need to know to protect your APIs
  2. The 2022 Guide to API Security
  3. Analysing the OWASP API Security Top 10 for Pen Testers

Courses

  1. API Security Fundamentals - APISec University (free)
  2. API Penetration Testing Course - APISec University (free)
  3. API Security on Google Cloud's Apigee API Platform
  4. API Fundamentals - Qualys (free)
  5. Introduction to the OWASP API Security Top 10 - Cybrary (free)

Certifications

  1. CSSLP
  2. API Security Architect Certification
  3. Certified API Security Professional

Interview Questions

Practice with the API Security interview questions, which are kept up to date on GitHub alongside the rest of the career roadmap guide. Check jassics/security-study-plan for the latest updates to this plan.