API Security Study Plan
This page is updated based on jassics/security-study-plan/api-security-study-plan
This study plan is based on milestones, so check how much you can cover within the timeline. The more topics you cover, the better candidate you are for the varied job roles that require good knowledge of API security. I also assume you have already checked and are comfortable with the Common Security Skills study plan.
It will cover what you need to learn to excel in API security (part of the Application Security domain). Please keep in mind that it would require knowledge of:
- How websites work
- How API endpoints are defined and their request and response
- Basics of coding to write your own APIs for testing
- OWASP Top 10 for Web
- OWASP Top 10 for API 2023 (latest version) - see the site's own API Security guide for a working summary
Note: Usually it will take you 3-6 months to be good at the API Security fundamentals to get a job at entry level.
ToC
- API Fundamentals - 2 weeks
- API Security Understandings - 2 weeks
- API Security Labs and Practices - 2 weeks
- API Security Tools
- Books
- Videos
- Courses
- Certifications
- Interview Questions
API Fundamentals
Duration: 2 weeks
Week 1: Basics of API & Endpoints
API Endpoints
Imagine you're ordering food from a delivery app. You select items and click "Place Order." Behind the scenes, the app calls a specific API endpoint designated for order submission with your items, address, and instructions. A different endpoint handles order tracking. Endpoints are the specific doors that let systems exchange information for a particular purpose or action.
Types of Microservices
Microservices break an application into small, loosely-coupled, independently deployable services, each owning a business capability. Common types you'll encounter:
- User Service - registration, authentication, profile management
- Product Service - catalog, inventory, pricing, search
- Order Service - order lifecycle, payments, invoices
- Payment Service - payment gateway integration, secure transaction processing
- Notification Service - email/SMS/push notifications
- Analytics Service - usage metrics and monitoring
- Integration Service - adapters/connectors to external APIs and legacy systems
- Image/Video Processing Service - resizing, thumbnails, encoding
Week 2: Microservices & Cloud-Native APIs
Microservices from an API Security Perspective
- Authentication Service - verifies identity (username/password, tokens, MFA)
- Authorization Service - enforces access control policies
- API Gateway - entry point for external requests; enforces rate limiting, auth, encryption
- Logging and Monitoring Service - detects anomalies and security events
- Encryption Service - protects data at rest and in transit
- Threat Intelligence Service - compares traffic against known threat patterns
Cloud-Native API Styles
- RESTful API - stateless, standard HTTP verbs, most common
- Event-Driven APIs - asynchronous, message queues/event brokers
- GraphQL API - flexible querying, single entry point across services
- Serverless APIs - AWS Lambda/Azure Functions, scale automatically
- OpenAPI (Swagger) - machine-readable API contract, docs and mocks
API Security Understandings
Duration: 2 weeks
Week 3: Core Security Concepts
API Security is Not Web Security
They're related but distinct:
| Aspect | Web App Security | API Security |
|---|---|---|
| Focus | UI, server, database | The API and the data it transmits |
| Common attacks | SQLi, XSS, CSRF, file inclusion | Spoofing, parameter manipulation, MitM |
| AuthN/AuthZ | Username/password, sessions | OAuth, API keys, JWTs |
| Interaction model | User-facing UI | Back-end system-to-system |
Why API Security Matters
- Data Protection - APIs often carry sensitive data (credentials, PII, financial data)
- Authorization & Access Control - restrict actions to authenticated/authorized callers
- Trust and Reputation - breaches damage customer trust
- Compliance - GDPR, HIPAA and similar regulations apply to API-transmitted data too
- Attack Prevention - injection, XSS, CSRF, DoS all have API equivalents
- Secure Integration - APIs are the seam between systems, orgs, and third parties
- Monitoring & Auditing - visibility into who called what and when
Week 4: Advanced Concepts (AuthN, AuthZ, Rate Limiting)
AuthN vs AuthZ
- Authentication (AuthN) - proves identity: username/password, token-based auth, MFA (SMS, TOTP, FIDO keys).
- Authorization (AuthZ) - decides what an authenticated identity can do: RBAC (roles), ABAC (attributes), scope-based access (OAuth scopes), and fine-grained per-resource permissions.
Rate Limiting
Caps how often an action can repeat in a window - stops brute force and DoS, and keeps usage fair.
- Token Bucket - tokens refill at a fixed rate; each request consumes one.
- Leaky Bucket - processes requests at a fixed rate, smoothing bursts.
- Fixed Window - counts per window; can be gamed at window edges.
- Sliding Window - smooths out the fixed-window edge case.
- Communicate limits via the `X-RateLimit-Limit`, `X-RateLimit-Remaining` and `X-RateLimit-Reset` headers, and return `429 Too Many Requests` when the limit is exceeded.
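As an added example (not code from the original study plan), a per-client token bucket in Python that emits the headers listed above and answers `429` once a caller's bucket is empty. `TokenBucketLimiter`, the client ids and the 5-request capacity are constructed for this demo; the clock is injected so the behaviour is deterministic.

```python
import math
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float        # tokens currently available (fractional between refills)
    last_refill: float   # timestamp (seconds) of the last refill calculation


class TokenBucketLimiter:
    """Per-client token bucket (hypothetical helper, not a gateway product).
    capacity = burst size, refill_rate = tokens added per second."""

    def __init__(self, capacity, refill_rate):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.buckets = {}  # client id (e.g. API key) -> Bucket

    def handle(self, client_id, now):
        """Return (HTTP status, rate-limit headers) for one request at time `now`."""
        b = self.buckets.get(client_id)
        if b is None:
            b = self.buckets[client_id] = Bucket(float(self.capacity), now)
        # Refill proportionally to elapsed time, but never above capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.last_refill) * self.refill_rate)
        b.last_refill = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0   # each request consumes exactly one token
            status = 200
        else:
            status = 429      # bucket empty: tell the caller to back off
        # Seconds until at least one whole token is available again (0 if already).
        deficit = max(0.0, 1.0 - b.tokens)
        reset = math.ceil(deficit / self.refill_rate) if deficit > 0 else 0
        headers = {
            "X-RateLimit-Limit": str(self.capacity),
            "X-RateLimit-Remaining": str(int(b.tokens)),
            "X-RateLimit-Reset": str(reset),
        }
        if status == 429:
            headers["Retry-After"] = str(reset)
        return status, headers


if __name__ == "__main__":
    limiter = TokenBucketLimiter(capacity=5, refill_rate=1.0)
    for t in (0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.5, 1.0):   # constructed burst of calls
        print(t, limiter.handle("key-A", t))
```

The burst in the demo shows the first five calls passing, the sixth and a retry half a second later being refused, and the bucket admitting one more call once a full token has refilled.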
API Gateway
Sits between clients and backend services as a reverse proxy. Key security functions: centralized AuthN/AuthZ (verifies JWTs, passes user context downstream), rate limiting/throttling, input validation, IP allow/deny lists, TLS termination, and centralized logging.
Popular gateways: Kong, Apigee, AWS API Gateway, Azure API Management, Tyk.
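An added example, not code from the plan or from any of the gateways named above, of the AuthN-then-AuthZ decision a gateway makes on one request: it pins the JWT algorithm to HS256, verifies the signature and expiry, then checks the route's required OAuth scope before forwarding user context downstream. `mint_hs256` (used only to build the demo token), `ROUTE_SCOPES`, the key and the routes are constructed for this demo; a real deployment would use a maintained JWT library and rotate keys.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims, key):
    """Build a constructed HS256 JWT for the demo (the issuer's job, not the gateway's)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token, key, now):
    """AuthN: return the claims if signature and expiry check out, otherwise None.
    The algorithm is pinned so a caller-supplied header cannot change how we verify."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if claims.get("exp", 0) <= now:   # missing or past expiry is rejected
            return None
        return claims
    except ValueError:                    # malformed base64/JSON or wrong segment count
        return None


# Which OAuth scope each (method, path) requires; unknown routes are denied. Constructed.
ROUTE_SCOPES = {("GET", "/orders"): "orders:read", ("POST", "/orders"): "orders:write"}


def gateway_decision(method, path, token, key, now):
    """AuthZ after AuthN: 401 if the token is missing/invalid, 403 if it lacks the
    route's scope, else 200 plus the user context a gateway forwards downstream."""
    claims = verify_hs256(token, key, now) if token else None
    if claims is None:
        return 401, {}
    required = ROUTE_SCOPES.get((method, path))
    if required is None or required not in claims.get("scope", "").split():
        return 403, {}
    return 200, {"X-User-Id": claims.get("sub", ""), "X-Scopes": claims.get("scope", "")}
```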
API Security Labs and Practices
Duration: 2 weeks
- OWASP crAPI - "Completely Ridiculous API," a mock microservices app implementing nearly every API security anti-pattern (Identity, Web, Community, Mailhog, Workshop, Postgres, Mongo services).
- vAPI - PHP-based, mimics OWASP API Top 10 scenarios through exercises.
- VAmPI - Vulnerable API built with Python/Flask.
API Security Tools
- Dastardly (Burp Suite, free) - for CI/CD pipeline scanning
- 42Crunch API Security Audit
- Wallarm
- Google Apigee Sense
- Traceable
- Levo
- Beagle Security
- Salt Security
- Cequence
- Neosec (now part of Akamai)
Books
- API Security in Action
- Hacking APIs: Breaking Web Application Programming Interfaces
- Web Application Security
- Advanced API Security
Videos
- API Security: Everything you need to know to protect your APIs
- The 2022 Guide to API Security
- Analysing the OWASP API Security Top 10 for Pen Testers
Courses
- API Security Fundamentals - APISec University (free)
- API Penetration Testing Course - APISec University (free)
- API Security on Google Cloud's Apigee API Platform
- API Fundamentals - Qualys (free)
- Introduction to the OWASP API Security Top 10 - Cybrary (free)
Certifications
Interview Questions
Practice with API Security interview questions, also kept up to date on GitHub alongside the rest of the career roadmap guide.
Practice next: API Security interview questions, and jassics/security-study-plan for the latest updates to this plan.