Hands-On API security
RCCE students will learn API security assessment, design, and protection including REST API authentication, API gateway configuration, rate limiting, input validation, OAuth token management, and API abuse detection. RCCE students will learn to identify API vulnerabilities including broken object-level authorization, broken authentication, excessive data exposure, lack of resources and rate limiting, broken function-level authorization, and mass assignment. The course covers API threat modeling, implementing API security controls, monitoring API traffic for abuse patterns, securing GraphQL endpoints, and building API security into development workflows. This practice-intensive course emphasizes applied skills through lab exercises, real-world scenarios, and production-realistic workflows. At an expert level, RCCE students will learn by doing, building muscle memory and practical confidence through repeated hands-on engagement. Students complete exercises that mirror actual workplace tasks, ensuring skills transfer directly to their professional roles.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Hands-On API security
- Execute hands-on tasks for assessment skills — covering API attack surfaces end-to-end, Identify OWASP API Top 10 vulnerabilities.
- Execute hands-on tasks for map api attack surfaces end-to-end — covering Identify OWASP API Top 10 vulnerabilities.
- Design a scalable privilege management architecture with policy and enforcement, including Architect secure API gateways, and OAuth 2.0 token flows.
- Execute hands-on tasks for architect secure api gateways — covering OAuth 2.0 token flows.
- Monitor and audit privilege usage; detect escalation attempts, including Deploy API traffic monitoring, and Build abuse detection rules.
- Monitor and audit privilege usage; detect escalation attempts, including Build abuse detection rules.
- Integrate privilege controls with identity providers and SIEM telemetry, including Embed API security in CI/CD, and Automate API security testing.
- Execute hands-on tasks for embed api security in ci/cd — covering Automate API security testing.
- Design a scalable privilege management architecture with policy and enforcement, including HTTP methods:, and Single endpoint, flexible.
- Execute hands-on tasks for client app
- Execute hands-on tasks for load balancer
- Execute hands-on tasks for synchronous patterns — covering Request-response: standard REST calls, Blocking until server responds.
| Module 01 | Assessment Skills |
| Module 02 | Map API attack surfaces end-to-end |
| Module 03 | Design & Protection |
| Module 04 | Architect secure API gateways |
| Module 05 | Monitoring & Response |
| Module 06 | Deploy API traffic monitoring |
| Module 07 | DevSecOps Integration |
| Module 08 | Embed API security in CI/CD |
| Module 09 | API Architecture Fundamentals |
| Module 10 | Client App |
| Module 11 | Load Balancer |
| Module 12 | Synchronous Patterns |
| Module 13 | Request-response: standard REST calls |
| Module 14 | Asynchronous Patterns |
All hands-on labs run on Rocheston Rose X OS. Students practice hands-on api security by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for assessment skills
- Lab 2: Execute hands-on tasks for map api attack surfaces end-to-end
- Lab 3: Design a scalable privilege management architecture with policy and enforcement
- Lab 4: Execute hands-on tasks for architect secure api gateways
- Lab 5: Monitor and audit privilege usage; detect escalation attempts
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Hands-On API security, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI