API testing Hardening Clinic
RCCE students will learn API security testing methodologies including REST API testing, authentication testing, authorization testing, input validation testing, business logic testing, and API fuzzing. Students will learn to plan and execute API security assessments, test API authentication mechanisms for weaknesses, verify authorization controls at the object and function level, fuzz API endpoints to discover input validation vulnerabilities, test business logic flows for manipulation opportunities, use API testing tools including Burp Suite, Postman, and custom scripts, and write API security assessment reports with prioritized remediation guidance.

This hands-on hardening course focuses on reducing attack surface through practical configuration changes and security guardrails. Building on core knowledge, students will learn to apply hardening baselines, validate configurations, and measure the security improvement achieved. Students walk away with actionable hardening checklists and the skills to maintain hardened configurations as environments evolve.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing API security testing and hardening programs
- Execute hands-on tasks aligned to each module's learning objectives
- Test authentication and authorization mechanisms for weaknesses
- Fuzz API endpoints and validate input handling
- Describe the API security landscape, its key drivers, and the rapid emergence of runtime API protection
- Design a scalable privilege management architecture with policy and enforcement
- Trace a request through the API architecture, from client app to auth service, business logic, and data store, covering REST and GraphQL APIs
- Exploit and remediate API1: Broken Object Level Authorization (BOLA), the most common and impactful API flaw, by manipulating object IDs to access other users' data
| Module | Topic |
|---|---|
| Module 01 | Learning Objectives |
| Module 02 | Test Authentication & Authorization |
| Module 03 | Fuzz & Validate Inputs |
| Module 04 | API Security Landscape |
| Module 05 | Key Drivers |
| Module 06 | Runtime API Protection Emerging Rapidly |
| Module 07 | API Architecture Fundamentals |
| Module 08 | Client App |
| Module 09 | Auth Service |
| Module 10 | Business Logic |
| Module 11 | Data Store |
| Module 12 | API1: Broken Object Level Authorization (BOLA) |
| Module 13 | Manipulate Object IDs to Access Others' Data |
| Module 14 | API2: Broken Authentication |
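The object-ID manipulation behind API1 (Modules 12 and 13) can be rehearsed without a live target. The script below is an added example written for this page, not course material or Rocheston code: the `GET /orders/{id}` handlers, bearer tokens, users and orders are all constructed. In a real assessment the object IDs would be harvested from each user's own session (Burp history, a Postman collection) and then replayed with another user's token, which is exactly what `bola_probe` does against the in-process handlers.

```python
"""Added example (not course material): probing for Broken Object Level
Authorization (BOLA) and hardening the endpoint.

Two in-process handlers stand in for GET /orders/{id}. The first only
authenticates the caller; the second also checks that the caller owns the
requested order. The probe takes the object IDs seen in one user's session,
replays them with another user's bearer token, and records every 200.
Tokens, users and orders are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# --- constructed sample data: token -> user, order id -> record -------------
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS: Dict[int, dict] = {
    1001: {"owner": "alice", "item": "laptop", "total": 1200},
    1002: {"owner": "alice", "item": "dock", "total": 150},
    2001: {"owner": "bob", "item": "monitor", "total": 400},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


Handler = Callable[[str, int], Response]


def authenticate(token: str) -> Optional[str]:
    """Map a bearer token to a user, or None if the token is unknown."""
    return SESSIONS.get(token)


def get_order_vulnerable(token: str, order_id: int) -> Response:
    """Authenticates the caller but never asks who owns the order (BOLA)."""
    if authenticate(token) is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404)
    return Response(200, order)


def get_order_hardened(token: str, order_id: int) -> Response:
    """Same endpoint with an object-level ownership check.

    A foreign order gets 404, not 403, so the response does not confirm
    that the ID exists.
    """
    user = authenticate(token)
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return Response(404)
    return Response(200, order)


def bola_probe(handler: Handler, sessions: Dict[str, str],
               objects: Dict[int, dict]) -> List[Tuple[str, int]]:
    """Replay every known object ID with every token whose user is not the
    owner; return the (token, object_id) pairs that were served anyway."""
    leaks = []
    for token, user in sessions.items():
        for obj_id, obj in objects.items():
            if obj["owner"] == user:
                continue  # reading your own object is expected
            if handler(token, obj_id).status == 200:
                leaks.append((token, obj_id))
    return leaks


def enumerate_ids(handler: Handler, token: str, first: int, last: int) -> List[int]:
    """Sweep a numeric ID range with one token. Sequential IDs make this cheap,
    which is why BOLA is so often reachable with no prior knowledge at all."""
    return [i for i in range(first, last + 1) if handler(token, i).status == 200]


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable),
                          ("hardened", get_order_hardened)):
        print(name, "cross-user reads:", bola_probe(handler, SESSIONS, ORDERS))
        print(name, "bob sweeping 1000-1010:",
              enumerate_ids(handler, "tok-bob", 1000, 1010))
```

Against the vulnerable handler the probe reports Alice reading Bob's order and Bob reading both of Alice's, and a plain ID sweep with Bob's token finds Alice's orders without any harvesting step; against the hardened handler both come back empty. The fix is the ownership comparison in the handler, not a check in the client, and returning 404 for foreign objects keeps the endpoint from doubling as an ID oracle.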
All hands-on labs run on Rocheston Rose X OS. Students practice API testing and hardening by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Walk through the course learning objectives
- Lab 2: Test authentication and authorization controls
- Lab 3: Fuzz and validate API inputs
- Lab 4: Map the API security landscape
- Lab 5: Analyze the key drivers of API security
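As an added example of what Lab 3 (fuzz and validate inputs) and the business-logic testing described above exercise, here is a small mutation fuzzer together with the endpoint it targets. The code is written for this page and is not course material or Rocheston code; the `POST /transfers` endpoint, account names, balances, the `MAX_TRANSFER` limit and the mutation set are all assumptions made so the script runs offline.

```python
"""Added example (not course material): mutation fuzzing of a JSON endpoint
for input-validation and business-logic flaws.

The two handlers stand in for POST /transfers with body
{"from": <account>, "to": <account>, "amount": <int>}. The vulnerable one
trusts the body; the hardened one validates type, range, accounts and
balance. The fuzzer takes a known-good request, mutates one field at a
time, and reports two classes of result: an unhandled exception (a 500 on
a real service) and a request the server accepted that a correct
implementation must reject. Accounts, balances and the seed request are
constructed sample data.
"""
import copy
from typing import Any, Callable, Dict, List, Tuple

MAX_TRANSFER = 10_000      # assumed business limit per transfer
MISSING = object()         # sentinel: delete the field instead of setting it
SEED = {"from": "acc-1", "to": "acc-2", "amount": 50}


def fresh_ledger() -> Dict[str, int]:
    return {"acc-1": 100, "acc-2": 100}


def transfer_vulnerable(ledger: Dict[str, int], body: Any) -> int:
    """No schema validation: int() on whatever arrived, no sign, bound or
    balance check, and the debit happens before the credit can fail."""
    amount = int(body["amount"])
    ledger[body["from"]] -= amount
    ledger[body["to"]] += amount
    return 200


def transfer_hardened(ledger: Dict[str, int], body: Any) -> int:
    """Validate shape, type, range and accounts before touching the ledger."""
    if not isinstance(body, dict):
        return 400
    amount, src, dst = body.get("amount"), body.get("from"), body.get("to")
    if type(amount) is not int or not 0 < amount <= MAX_TRANSFER:
        return 400  # rejects bool, str, float, None and out-of-range ints
    if src not in ledger or dst not in ledger or src == dst:
        return 400
    if ledger[src] < amount:
        return 422
    ledger[src] -= amount
    ledger[dst] += amount
    return 200


# (field, mutated value, should a correct server accept it?)
MUTATIONS: List[Tuple[str, Any, bool]] = [
    ("amount", 100, True),           # spends the whole balance: legal
    ("amount", -50, False),          # sign flip: reverses the transfer
    ("amount", 0, False),
    ("amount", 150, False),          # overdraft
    ("amount", 2 ** 63, False),      # beyond MAX_TRANSFER and any int column
    ("amount", "50", False),         # type confusion: string parses as 50
    ("amount", "50 OR 1=1", False),  # injection-shaped string
    ("amount", True, False),         # bool is an int subclass
    ("amount", None, False),
    ("amount", [50], False),
    ("amount", MISSING, False),
    ("to", "acc-1", False),          # self-transfer
    ("to", "acc-999", False),        # unknown account
    ("to", None, False),
    ("from", "acc-999", False),
]


def fuzz(handler: Callable[[Dict[str, int], Any], int], seed: dict,
         mutations: List[Tuple[str, Any, bool]]) -> List[Tuple[str, Any, str]]:
    """Run each mutation against a fresh ledger; return (field, value, verdict)
    for every crash, wrongly accepted request or wrongly rejected request."""
    findings = []
    for field, value, should_accept in mutations:
        body = copy.deepcopy(seed)
        if value is MISSING:
            del body[field]
        else:
            body[field] = value
        ledger = fresh_ledger()
        try:
            status = handler(ledger, body)
        except Exception as exc:
            findings.append((field, value, f"crash: {type(exc).__name__}"))
            continue
        if status == 200 and not should_accept:
            findings.append((field, value, "accepted invalid request"))
        elif status != 200 and should_accept:
            findings.append((field, value, f"rejected valid request: {status}"))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", transfer_vulnerable),
                          ("hardened", transfer_hardened)):
        for finding in fuzz(handler, SEED, MUTATIONS):
            print(name, finding)
```

Each mutation carries the verdict a correct server should give, so the fuzzer is also an oracle for the hardened version: the valid `amount: 100` case must still be accepted, which catches over-zealous fixes. Against the vulnerable handler, fourteen of the fifteen mutations are findings; the crashes map to 500s and the accepted negative, zero, overdraft and self-transfer amounts are the business-logic class of flaw that a schema validator alone would not catch, since they are well-typed integers.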
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for API testing Hardening Clinic, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI