Course description

Building secure APIs and microservices is hard, really hard. Not only do you have to make the right architectural security decisions, but you also have to be aware of various implementation vulnerabilities to ensure the security of your applications. This course provides API developers and full-stack developers with the necessary knowledge to assess and improve the security of their applications.

With a mix of lectures, demos, quizzes, and cheat sheets, participants discover best practices for building secure APIs. We start this course by building a secure foundation to define a solid security baseline for any API. Next, we investigate various techniques to implement authentication and authorization, along with their trade-offs and pitfalls. We dive deep into handling authentication state, discussing the use of cookies or custom headers with tokens. Using concrete examples, we'll build up a set of guidelines for securely handling JSON Web Tokens (JWT). Finally, we explore how to protect against server-side request forgery (SSRF), potentially the fastest growing danger to modern APIs.

This course offers a deep understanding of the principles to build modern, secure APIs. At the end of this course, you walk away with practical and immediately applicable security advice to improve the security of your applications.



Live training is scheduled on October 25th and 28th, and November 4th and 9th. Recordings are made available shortly after each live session.

Course schedule

Recordings are available shortly after each live session.


Session 1

API security fundamentals

Monday, October 25th — 10 AM - 1PM Pacific  /  1 PM - 4PM Eastern  /  19:00 - 22:00 Central European


Concretely, this session covers the following topics:

  • The security model of APIs
  • The impact of HTTP methods on security
  • Configuring API security headers
  • The reincarnation of server-side vulnerabilities in APIs





Session 2

API authentication and authorization

Thursday, October 28th — 10 AM - 1PM Pacific  /  1 PM - 4PM Eastern  /  19:00 - 22:00 Central European


Concretely, this session covers the following topics:

  • Basic API authentication techniques
  • Advanced API authentication mechanisms
  • Practical API authentication scenarios
  • Common API authorization failures
  • Best practices for enforcing API authorization





Session 3

Authentication state management

Thursday, November 4th — 11 AM - 2PM Pacific  /  2 PM - 5PM Eastern  /  19:00 - 22:00 Central European


Concretely, this session covers the following topics:

  • Managing user state in REST APIs
  • The good, the bad, and the ugly parts of cookies
  • Understanding the security features of JWTs
  • Common JWT security pitfalls
  • JWT security best practices





Session 4

Cross-Origin Resource Sharing / Server-Side Request Forgery

Tuesday, November 9th — 10 AM - 1PM Pacific  /  1 PM - 4PM Eastern  /  19:00 - 22:00 Central European


Concretely, this session covers the following topics:

  • Understanding Cross-Origin Resource Sharing (CORS)
  • Configuring CORS for cookie-based APIs
  • The importance of CORS for non-cookie-based APIs
  • Introduction to Server-Side Request Forgery (SSRF)
  • Mitigating SSRF vulnerabilities in APIs

Course pricing

  • API Security best practices
     

    Subscribe to this course, which gives you access to the live sessions and the recordings.

    $ 349

  • API security + React security
     

    Save 20% by getting the course bundle, giving you access to this course and the Cutting-edge React security course.

    $ 518

  • API security + React security
    with private consulting

    Get the course bundle, plus 2 hours of private consulting with Philippe, scheduled at your convenience.

    $ 1319

Why should you follow this course?

This course is 100% relevant for anyone involved with designing and building APIs. Concretely, you should follow this course if ...


... you want to understand the trade-offs between different solutions so that you can make informed decisions for your APIs.

... you want to learn API security from a holistic point of view, which includes client capabilities and browser security mechanisms.

... you are looking for actionable advice that is based on real-world cases and deployment scenarios.

... other security courses failed to meet your expected level of depth. This course will help you understand why security issues exist and how defenses work so that you can apply them in any scenario.

What content is included in this course?

This course offers practical and immediately applicable security advice to API builders. Concretely, this course gives you access to:


  • The live teaching sessions, including lectures and demos

  • High-quality PDF materials of the lectures

  • Code examples used during the demos

  • Full-length recordings of the live sessions, available shortly after the live session

  • Complimentary access to the remastered recordings, as soon as they are available 

Your host

Jim Manico

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering.

He is also the co-founder of the LocoMoco Security Conference and is an investor/advisor for BitDiscovery and Signal Sciences.

Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. He is the author of “Iron-Clad Java: Building Secure Web Applications” from McGraw-Hill.

Your instructor

Dr. Philippe De Ryck

Hi, I'm Philippe, your instructor for this course. I provide professionals like you with the high-quality security knowledge they need to perform at their best.

My PhD in web security has not only given me an exceptionally strong security background, it has also taught me how to methodically explain complex security concepts. This course rigorously translates that knowledge into security best practices for modern applications.

If you want to get an idea of what I have to offer, I recommend checking out my security articles or any of my recorded conference talks.

Finally, these testimonials from previous training participants should tell you everything you need to know.

We hired Philippe De Ryck for a training on API Security. His mix of content and quizzes kept people well engaged. He was very clearly knowledgeable and patient as he took the time to be sure everyone’s questions were fully answered. Philippe will definitely be at the top of our short list of people we want to bring back for future trainings.

Shane Gliser, Application Security Specialist, American Century Investments


I needed to provide a deep set of training content to developers at my company, especially around secure authorization flows for modern applications. Philippe delivered a comprehensive series on OIDC and OAuth flows and security of modern apps and APIs and I couldn't be more happy with this valuable resource for our developers. Thank you so much Dr. Philippe!

Jet Anderson, Code Doctor, Nike

In a nutshell, you should definitely join this course.

FAQ

If you have a question, you will likely find the answer in the list below. If that is not the case, don't hesitate to reach out via email (courses@pragmaticwebsecurity.com).


Can I subscribe multiple people at once?

Yes, absolutely. Please fill out this Google Form with the details of your order. We will contact you to complete the order process. Note that group licenses for 10 or more attendees are eligible for a 20% volume discount.


Can I receive an invoice for my purchase?

Of course. Due to the complexity of tax rules, we do not handle invoicing on the online platform. After your purchase, we will contact you for invoicing details.


How does the private consulting session in the bundle work?

The bundle with private consulting includes two hours of consulting time with your instructor, Philippe. These two hours are scheduled at your convenience in one or two consulting sessions. In those two hours, you have the opportunity to ask Philippe's advice on specific questions or scenarios.

If you subscribe multiple people at once, you can choose the consulting add-on as well. In that scenario, all the members of the group purchase are welcome to join the private consulting session.


How long do I have access to the course?

Course subscriptions do not have an expiration date. Registering now gives you permanent access to the live sessions, the recordings of those live sessions, and the remastered recordings when released.


Can I rewatch the live session?

Yes, the live sessions are recorded as a webinar and made available shortly after each session. So if you missed a live session or want to rewatch a part of one you attended, you can easily go back to the files.


What are the remastered recordings?

In the remastered version, we cut the long live session into separate lessons. These recordings are post-processed and receive closed captions in English. Processing videos takes quite a bit of time, so these will be released at a later date. Note that the full-length live recordings are available almost immediately after the live session.

Every course subscription includes complimentary access to the remastered versions.


Do you offer discounts?

No, the courses are priced reasonably. If you strictly look at getting the most quality for your money, this course is off the charts (in a good way!), as the depth offered by this course is unparalleled in other offerings.

Note that purchasing the bundle saves you 20% on the price of the individual courses.

Group licenses for 10+ attendees are eligible for a 20% volume discount.