📘 Recommended study plans: Secure Code Review · Product Security.
API Security has emerged as its own specialty over the last 5 years. Modern apps are mostly APIs — mobile apps, SPAs, microservices, B2B integrations all expose APIs. Attackers know this; OWASP gave it a dedicated Top 10.
If you're starting fresh, do web-security.md first: API security builds on the OWASP Web Top 10, so learn that before this plan.
Who this is for:
- AppSec / Web Pentesters wanting to specialize
- Backend developers moving into security
- DevSecOps engineers responsible for API gateways
Prerequisites:
- HTTP fundamentals (methods, headers, status codes, content negotiation)
- JSON / XML / YAML / Protobuf basics
- REST principles + understanding of RPC, GraphQL, gRPC, WebSockets
- AuthN/AuthZ — sessions, JWT, OAuth2, OIDC, mTLS, API keys
- At least one programming language for writing PoCs
- OWASP Web Top 10 understanding
Possible job titles:
- API Security Analyst (rare standalone; usually under AppSec)
- Application Security Analyst (API-leaning)
- Web/API Pentester (Junior)
Skills to focus on:
- OWASP API Security Top 10 (2023) — BOLA, Broken Auth, BOPLA, Unrestricted Resource Consumption, BFLA, Unrestricted Access to Sensitive Business Flows, SSRF, Security Misconfiguration, Improper Inventory Management, Unsafe Consumption of APIs
- Burp Suite — handling JSON, REST, modifying requests at scale
- Postman / Insomnia / Bruno — building and replaying API collections
- Authentication flows — JWT pitfalls (alg=none, weak secrets, kid injection), OAuth2 misconfigs
- Recon for APIs — Swagger/OpenAPI discovery, JS file analysis, Kiterunner, ffuf for API endpoints
- GraphQL testing — introspection, batch attacks, depth/complexity DoS
- Rate limit / business logic testing
- Writing API-specific PoC scripts in Python (httpx, requests)
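The JWT pitfalls in the list above (alg=none, weak secrets, kid injection) are easiest to internalise from the verifier's side. The following is an added example, not code from this page or from any tool it names: a stdlib-only HS256 verifier that pins the algorithm instead of trusting the header, treats kid purely as a lookup into a fixed key map, refuses short HMAC secrets at load time, and checks expiry. The key store, kid value, secret, claims and the `demo()` fixture are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

EXPECTED_ALG = "HS256"       # the verifier pins this; the token's alg header is not trusted
MIN_SECRET_BYTES = 32        # refuse HMAC secrets that are cheap to brute-force
CLOCK_SKEW_SECONDS = 30

# Constructed key store: kid -> secret. The token's kid is only ever a lookup key
# into this map, never a file path, URL or query fragment, which closes off kid injection.
KEYS = {
    "2024-01": b"constructed-demo-secret-at-least-32-bytes-long!!",
}
for _kid, _secret in KEYS.items():
    if len(_secret) < MIN_SECRET_BYTES:
        raise ValueError(f"secret for kid {_kid!r} is shorter than {MIN_SECRET_BYTES} bytes")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_unsigned(header: dict, claims: dict) -> str:
    """Build the 'header.payload' signing input from arbitrary header and claims."""
    return ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )


def issue_token(kid: str, claims: dict) -> str:
    """Mint an HS256 token for the demo (stands in for the real issuer)."""
    signing_input = encode_unsigned({"alg": "HS256", "typ": "JWT", "kid": kid}, claims)
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify(token: str, now=None) -> dict:
    """Return the claims of a valid token; raise ValueError naming the reason otherwise."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError:
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pitfall 1: alg=none / algorithm confusion. The verifier chooses the algorithm.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Pitfall 2: kid injection. Unknown or non-string kids fail closed.
    kid = header.get("kid")
    key = KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + CLOCK_SKEW_SECONDS < now:
        raise ValueError("expired or missing exp")
    return claims


def demo(now: float = 1_700_000_000) -> dict:
    """Feed the verifier a valid token and the classic failure shapes; return each outcome."""
    good = issue_token("2024-01", {"sub": "alice", "exp": now + 3600})
    h64, _, s64 = good.split(".")
    forged_payload = _b64url_encode(b'{"sub":"admin"}')
    results = {"valid": verify(good, now)["sub"]}
    cases = {
        # Signature stripped and alg switched to none.
        "alg_none": encode_unsigned({"alg": "none", "typ": "JWT", "kid": "2024-01"},
                                    {"sub": "admin", "exp": now + 3600}) + ".",
        # kid pointing outside the key map.
        "kid_injection": encode_unsigned({"alg": "HS256", "kid": "../not-in-key-map"},
                                         {"sub": "admin", "exp": now + 3600}) + ".",
        # Payload swapped under an otherwise genuine signature.
        "tampered": f"{h64}.{forged_payload}.{s64}",
        "expired": issue_token("2024-01", {"sub": "alice", "exp": now - 3600}),
    }
    for name, token in cases.items():
        try:
            verify(token, now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

The design point is that every decision (algorithm, key, lifetime) is made by the verifier's configuration, and the token only supplies data to look up against it; a library such as PyJWT gives you the same guarantees when you pass an explicit `algorithms=[...]` list and resolve keys yourself.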
Possible job titles:
- API Security Engineer
- Senior AppSec Engineer (API focus)
- API Penetration Tester
New skills to add:
- API Gateway security — Kong, Apigee, AWS API Gateway, Azure APIM, Tyk
- WAF for APIs — Cloudflare API Shield, Akamai, Wallarm, Salt Security
- gRPC, GraphQL deep dive — schema review, federation security
- Service mesh authorization (Istio, Linkerd)
- mTLS and certificate-based auth
- API discovery / inventory tools — Salt, Noname, 42Crunch, Traceable
- SAST for APIs — Spectral (Stoplight) for OpenAPI linting; Semgrep rules for API patterns
- DAST for APIs — APIsec, 42Crunch scan, ZAP API scan, Schemathesis
- Designing secure APIs — pagination, idempotency, signing requests, replay protection
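The last bullet (signing requests, replay protection, idempotency) is where API design decisions turn into code. As an added example that is not from this page or from any product it names, here is a stdlib-only Python sketch of HMAC request signing with a timestamp window and a server-side nonce store, plus an idempotent handler that returns the stored response on a repeated key and reports a conflict when the key is reused with a different body. The header names (`X-Key-Id`, `X-Timestamp`, `X-Nonce`, `X-Signature`), key id, secret, path and amounts are this example's own constructed conventions.

```python
import hashlib
import hmac
import time

# Constructed client credentials and server limits. The X-* header names are this
# example's own convention, not a standard.
API_KEY_ID = "client-demo"
API_SECRET = b"constructed-client-secret-for-the-example"
TIMESTAMP_WINDOW_SECONDS = 300


def canonical_string(key_id, method, path, timestamp, nonce, body: bytes) -> bytes:
    # Bind every field the server acts on, including a digest of the body, so none
    # of them can be swapped without invalidating the signature.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([key_id, method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key_id, secret, method, path, body, timestamp, nonce) -> dict:
    """Client side: the headers that travel with the request."""
    mac = hmac.new(secret, canonical_string(key_id, method, path, timestamp, nonce, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


def verify_request(secrets, method, path, body, headers, seen_nonces, now=None):
    """Server side: returns (accepted, reason). seen_nonces is a set of (key_id, nonce)
    pairs; in production it is a shared cache whose TTL is at least the timestamp window."""
    now = time.time() if now is None else now
    try:
        key_id = headers["X-Key-Id"]
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        signature = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    secret = secrets.get(key_id)
    if secret is None:
        return False, "unknown key id"
    # Freshness before anything else: this bounds how long nonces must be remembered.
    if abs(now - timestamp) > TIMESTAMP_WINDOW_SECONDS:
        return False, "timestamp outside window"
    expected = hmac.new(secret, canonical_string(key_id, method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    # Replay protection: a correctly signed request is honoured once per nonce.
    if (key_id, nonce) in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add((key_id, nonce))
    return True, "ok"


def create_payment(key_id, idempotency_key, amount, ledger, results) -> dict:
    """Idempotent handler: the same (client, key) returns the stored response instead of
    re-running, and a reused key with a different body is reported as a conflict."""
    entry = results.get((key_id, idempotency_key))
    if entry is not None:
        if entry["amount"] != amount:
            return {"status": "conflict", "detail": "idempotency key reused with a different body"}
        return entry["response"]
    ledger.append({"id": len(ledger) + 1, "amount": amount})
    response = {"status": "created", "payment_id": ledger[-1]["id"]}
    results[(key_id, idempotency_key)] = {"amount": amount, "response": response}
    return response
```

Order matters in `verify_request`: the timestamp check runs before the MAC so the nonce store only has to cover one window, and the MAC runs before the nonce check so only authenticated nonces are ever recorded.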
Certs to consider:
- CASP: Certified API Security Professional
- Burp Suite Certified Practitioner
- OSWE (code-heavy, API-relevant)
Possible job titles:
- Senior API Security Engineer
- API Security Architect
- Product Security Engineer (API specialist)
New focus areas:
- API security strategy — discovery + posture + runtime + testing
- Threat modeling APIs — abuse cases, business logic attacks
- Zero Trust for APIs — workload identity, SPIFFE/SPIRE
- API governance — design standards, OpenAPI as source of truth
- Bug bounty / responsible disclosure program for APIs
- Cross-functional influence with platform and product teams
Possible job titles:
- API Security Architect
- Principal Product Security Engineer (API)
Focus areas:
- API security at scale (10k+ endpoints)
- Vendor strategy (API security platform vs. CNAPP)
- Mentoring AppSec teams; org-wide standards
Career paths from API Security:
- → AppSec / Product Security Engineer → Security Architect
- → DevSecOps (API pipeline focus) → Platform Security Engineer
- → Cloud Security (gateway focus) → Cloud Security Architect
Adjacent fields:
- → Web Security / AppSec — broader application surface
- → Cloud Security — APIs live in the cloud
- → DevSecOps — automate API testing
- → Mobile Security — mobile apps are mostly API clients
- → Bug bounty — API bugs pay well and are common
AI both drives and threatens modern APIs.
- AI-assisted OpenAPI / Postman analysis — prompt to map endpoints to OWASP API Top 10 risk categories
- Schema fuzzing with AI — generate edge-case payloads from an OpenAPI spec
- GraphQL schema review — let AI walk through introspection and surface risky resolvers
- Burp / Caido AI extensions — first-pass triage of large traffic captures
- Spec drift detection — compare OpenAPI to live traffic with AI; flag undocumented endpoints (shadow APIs)
LLM endpoints are now first-class APIs. They need:
- AuthN/AuthZ per user, not per service account; agents should not bypass user authorization
- Rate limiting + token budgets — bound the cost of prompt-injection-driven token amplification attacks
- Input validation — max prompt length, structure, allowed tools / functions
- Output validation — schema-validate JSON output, sanitize before downstream use
- PII / DLP filters at the gateway
- Provenance + audit logging — store prompt, completion, tool calls; expect e-discovery requests
- Tool / function call authorization — if the agent can call deleteUser, who gets to authorize?
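Two of the requirements above, tool / function call authorization under the requesting user's identity and per-user token budgets, can be made concrete. This added example is mine, not the page's and not any agent framework's API: a Python gate that schema-checks the model's JSON tool call, authorizes it against the requesting user's permissions rather than the agent's service account, records an audit entry for every decision, and charges a per-user token budget. The users, permissions, tool registry (including `deleteUser` from the bullet above) and handlers are constructed.

```python
import json

# Constructed permission model. The agent inherits the requesting user's rights;
# the service account running the agent carries no standing rights of its own.
USER_PERMISSIONS = {
    "alice": {"users:read"},
    "bob": {"users:read", "users:delete"},
}

# Constructed tool registry: the permission each tool needs and its argument schema.
TOOLS = {
    "getUser": {"permission": "users:read", "args": {"user_id": str}},
    "deleteUser": {"permission": "users:delete", "args": {"user_id": str}},
}

MAX_TOOL_CALL_BYTES = 1024


class ToolCallDenied(Exception):
    """Raised for any tool call that fails validation, authorization or budget checks."""


def validate_tool_call(raw: str) -> dict:
    """Parse and schema-check the model's JSON tool call before anything acts on it."""
    if len(raw.encode("utf-8")) > MAX_TOOL_CALL_BYTES:
        raise ToolCallDenied("tool call exceeds size limit")
    try:
        call = json.loads(raw)
    except json.JSONDecodeError:
        raise ToolCallDenied("tool call is not valid JSON")
    if not isinstance(call, dict) or set(call) != {"name", "arguments"}:
        raise ToolCallDenied("tool call must be an object with exactly name and arguments")
    if not isinstance(call["name"], str) or call["name"] not in TOOLS:
        raise ToolCallDenied(f"unknown tool {call['name']!r}")
    spec = TOOLS[call["name"]]
    args = call["arguments"]
    # Exact argument set: extra keys the model invents are rejected, not ignored.
    if not isinstance(args, dict) or set(args) != set(spec["args"]):
        raise ToolCallDenied("argument set does not match the tool schema")
    for name, expected_type in spec["args"].items():
        if not isinstance(args[name], expected_type):
            raise ToolCallDenied(f"argument {name!r} has the wrong type")
    return call


def authorize_tool_call(requesting_user: str, call: dict, audit: list) -> bool:
    """Decide using the user's permissions and append an audit record either way."""
    required = TOOLS[call["name"]]["permission"]
    allowed = required in USER_PERMISSIONS.get(requesting_user, set())
    audit.append({
        "user": requesting_user,
        "tool": call["name"],
        "arguments": call["arguments"],
        "decision": "allow" if allowed else "deny",
    })
    return allowed


class TokenBudget:
    """Per-user token accounting so one session cannot amplify cost without bound."""

    def __init__(self, limit_per_user: int):
        self.limit = limit_per_user
        self.used = {}

    def charge(self, user: str, tokens: int) -> int:
        spent = self.used.get(user, 0)
        if spent + tokens > self.limit:
            raise ToolCallDenied(f"token budget exceeded for {user!r}")
        self.used[user] = spent + tokens
        return self.limit - self.used[user]  # remaining budget


def dispatch(requesting_user: str, raw_tool_call: str, handlers: dict, audit: list) -> dict:
    """Validate, authorize, then execute the tool with the checked arguments."""
    call = validate_tool_call(raw_tool_call)
    if not authorize_tool_call(requesting_user, call, audit):
        raise ToolCallDenied(f"{requesting_user!r} is not permitted to call {call['name']}")
    return handlers[call["name"]](**call["arguments"])
```

The audit list answers the "who gets to authorize?" question after the fact: every decision is tied to a named user, a tool and its arguments, which is the record an e-discovery request or an incident review will ask for.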
See: AI Security Career Roadmap · GenAI Security Study Plan
- Testing: Burp Suite (+ Hackvertor, Logger++, JWT Editor), Postman, Bruno, ffuf, Kiterunner, mitmproxy, Caido
- GraphQL: GraphQL Voyager, InQL, graphql-cop, clairvoyance
- OpenAPI: Spectral, openapi-diff, 42Crunch CLI
- Discovery / posture: Salt Security, Noname, Traceable, Akto (open source)
- OWASP API Security Top 10
- APIsec University (free)
- Hacking APIs — Corey J. Ball
- Inon Shkedy's API security checklist (GitHub)
Set up crAPI and VAmPI locally. Try to find every OWASP API Top 10 issue manually before reaching for a scanner.