{"course":{"productid":36451,"modality":1,"active":true,"language":"fr","title":"API security in Python","productcode":"ASIP","vendorcode":"CY","vendorname":"Cydrill","fullproductcode":"CY-ASIP","courseware":{"has_ekit":false,"has_printkit":true,"language":""},"url":"https:\/\/portal.flane.ch\/course\/cydrill-asip","objective":"<ul>\n<li>Getting familiar with essential cyber security concepts<\/li><li>Understanding API security issues<\/li><li>Detailed analysis of the OWASP API Security Top Ten elements<\/li><li>Putting API security in the context of Python<\/li><li>Going beyond the low hanging fruits<\/li><li>Managing vulnerabilities in third party components<\/li><li>Input validation approaches and principles<\/li><\/ul>","essentials":"<p>General Python development<\/p>","audience":"<p>Python API developers<\/p>","contents":"<h4>Day 1<\/h4><ul>\n<li>Cyber security basics\n<ul>\n<li>What is security?<\/li><li>Threat and risk<\/li><li>Cyber security threat types &ndash; the CIA triad<\/li><li>Consequences of insecure software<\/li><\/ul><\/li><li>OWASP API Security Top Ten\n<ul>\n<li>OWASP API Security Top 10 2023<\/li><\/ul><\/li><li>API1 &ndash; Broken Object Level Authorization\n<ul>\n<li>Confused deputy<\/li><li>Insecure direct object reference (IDOR)<\/li><li>Lab &ndash; Insecure Direct Object Reference<\/li><li>Authorization bypass through user-controlled keys<\/li><li>Case study &ndash; Remote takeover of Nexx garage doors and alarms<\/li><li>Lab &ndash; Horizontal authorization<\/li><li>File upload<\/li><li>Unrestricted file upload<\/li><li>Good practices<\/li><li>Lab &ndash; Unrestricted file upload<\/li><\/ul><\/li><li>API2 &ndash; Broken Authentication\n<ul>\n<li>Authentication basics<\/li><li>Multi-factor authentication (MFA)<\/li><li>Case study &ndash; The InfinityGauntlet attack<\/li><li>Passwordless solutions<\/li><li>Time-based One Time Passwords (TOTP)<\/li><li>Authentication weaknesses<\/li><li>Spoofing on the Web<\/li><li>Password 
management<\/li><li>Storing account passwords<\/li><li>Password in transit<\/li><li>Lab &ndash; Is just hashing passwords enough?<\/li><li>Dictionary attacks and brute forcing<\/li><li>Salting<\/li><li>Adaptive hash functions for password storage<\/li><li>Lab &ndash; Using adaptive hash functions in Python<\/li><li>Using password cracking tools<\/li><li>Password cracking in Windows<\/li><li>Password change<\/li><li>Password recovery issues<\/li><li>Password recovery best practices<\/li><li>Lab &ndash; Password reset weakness<\/li><li>Case study &ndash; Facebook account takeover via recovery code<\/li><li>Case study &ndash; GitLab account takeover<\/li><li>Anti-automation<\/li><li>Password policy<\/li><li>NIST authenticator requirements for memorized secrets<\/li><li>Password hardening<\/li><li>Using passphrases<\/li><li>Password database migration<\/li><li>(Mis)handling None passwords<\/li><\/ul><\/li><\/ul><h4>Day 2<\/h4><ul>\n<li>API3 &ndash; Broken Object Property Level Authorization\n<ul>\n<li>Information exposure<\/li><li>Exposure through extracted data and aggregation<\/li><li>Case study &ndash; Strava data exposure<\/li><li>System information leakage<\/li><li>Leaking system information<\/li><li>Information exposure best practices<\/li><li>Secrets management<\/li><li>Hard coded passwords<\/li><li>Best practices<\/li><li>Lab &ndash; Hardcoded password<\/li><li>Protecting sensitive information in memory<\/li><li>Challenges in protecting memory<\/li><li>Case study &ndash; Microsoft secret key theft via dump files<\/li><\/ul><\/li><li>API4 &ndash; Unrestricted Resource Consumption\n<ul>\n<li>Denial of service<\/li><li>Flooding<\/li><li>Resource exhaustion<\/li><li>Sustained client engagement<\/li><li>Infinite loop<\/li><li>Economic Denial of Sustainability (EDoS)<\/li><li>Algorithmic complexity issues<\/li><li>Regular expression denial of service (ReDoS)<\/li><li>Lab &ndash; ReDoS<\/li><li>Dealing with ReDoS<\/li><li>Case study &ndash; ReDoS vulnerabilities in 
Python<\/li><\/ul><\/li><li>API5 &ndash; Broken Function Level Authorization\n<ul>\n<li>Authorization<\/li><li>Access control basics<\/li><li>Access control types<\/li><li>Missing or improper authorization<\/li><li>Failure to restrict URL access<\/li><li>Cross-site Request Forgery (CSRF)<\/li><li>Lab &ndash; Cross-site Request Forgery<\/li><li>CSRF best practices<\/li><li>CSRF defense in depth<\/li><li>Lab &ndash; CSRF protection with tokens<\/li><\/ul><\/li><li>API6 &ndash; Unrestricted Access to Sensitive Business Flows\n<ul>\n<li>Security by design<\/li><li>The STRIDE model of threats<\/li><li>Secure design principles of Saltzer and Schroeder<\/li><li>Economy of mechanism<\/li><li>Fail-safe defaults<\/li><li>Complete mediation<\/li><li>Open design<\/li><li>Separation of privilege<\/li><li>Least privilege<\/li><li>Least common mechanism<\/li><li>Psychological acceptability<\/li><li>Logging and monitoring<\/li><li>Logging and monitoring principles<\/li><li>Insufficient logging<\/li><li>Case study &ndash; Plaintext passwords at Facebook<\/li><li>Log forging<\/li><li>Web log forging<\/li><li>Lab &ndash; Log forging<\/li><li>Log forging &ndash; best practices<\/li><li>Logging best practices<\/li><li>Monitoring best practices<\/li><\/ul><\/li><li>API7 &ndash; Server Side Request Forgery\n<ul>\n<li>Server-side Request Forgery (SSRF)<\/li><li>Case study &ndash; SSRF in Ivanti Connect Secure<\/li><\/ul><\/li><li>API8 &ndash; Security Misconfiguration\n<ul>\n<li>Information exposure through error reporting<\/li><li>Information leakage via error pages<\/li><li>Lab &ndash; Flask information leakage<\/li><li>Case study &ndash; Information leakage via errors in Apache Superset<\/li><li>Cookie security<\/li><li>Cookie attributes<\/li><li>Same Origin Policy<\/li><li>Simple request<\/li><li>Preflight request<\/li><li>Cross-Origin Resource Sharing (CORS)<\/li><li>Lab &ndash; Same-origin policy demo<\/li><li>Configuring XML parsers<\/li><li>DTD and the entities<\/li><li>Entity 
expansion<\/li><li>External Entity Attack (XXE)<\/li><li>File inclusion with external entities<\/li><li>Server-Side Request Forgery with external entities<\/li><li>Lab &ndash; External entity attack<\/li><li>Preventing XXE<\/li><li>Lab &ndash; Prohibiting DTD<\/li><li>Case study &ndash; XXE vulnerability in Ivanti products<\/li><\/ul><\/li><\/ul><h4>Day 3<\/h4><ul>\n<li>API9 &ndash; Improper Inventory Management\n<ul>\n<li>Documentation blindspots<\/li><li>Dataflow blindspots<\/li><li>Using vulnerable components<\/li><li>Untrusted functionality import<\/li><li>Malicious packages in Python<\/li><li>Case study &ndash; The Polyfill.io supply chain attack<\/li><li>Vulnerability management<\/li><li>Lab &ndash; Finding vulnerabilities in third-party components<\/li><\/ul><\/li><li>API10 &ndash; Unsafe Consumption of APIs\n<ul>\n<li>Input validation<\/li><li>Input validation principles<\/li><li>Denylists and allowlists<\/li><li>Case study &ndash; Denylist failure in urllib.parse.urlparse()<\/li><li>What to validate &ndash; the attack surface<\/li><li>Where to validate &ndash; defense in depth<\/li><li>When to validate &ndash; validation vs transformations<\/li><li>Output sanitization<\/li><li>Encoding challenges<\/li><li>Unicode challenges<\/li><li>Validation with regex<\/li><li>Injection<\/li><li>Injection principles<\/li><li>Injection attacks<\/li><li>SQL injection<\/li><li>SQL injection basics<\/li><li>Lab &ndash; SQL injection<\/li><li>Attack techniques<\/li><li>Content-based blind SQL injection<\/li><li>Time-based blind SQL injection<\/li><li>SQL injection best practices<\/li><li>Input validation<\/li><li>Parameterized queries<\/li><li>Lab &ndash; Using prepared statements<\/li><li>Database defense in depth<\/li><li>Case study &ndash; SQL injection against US airport security<\/li><li>Code injection<\/li><li>Code injection via input()<\/li><li>OS command injection<\/li><li>Lab &ndash; Command injection<\/li><li>OS command injection best practices<\/li><li>Avoiding 
command injection with the right APIs<\/li><li>Lab &ndash; Command injection best practices<\/li><li>Case study &ndash; Shellshock<\/li><li>Lab &ndash; Shellshock<\/li><li>Case study &ndash; Command injection in Ivanti security appliances<\/li><li>Open redirects and forwards<\/li><li>Open redirects and forwards &ndash; best practices<\/li><li>Files and streams<\/li><li>Path traversal<\/li><li>Lab &ndash; Path traversal<\/li><li>Additional challenges in Windows<\/li><li>Case study &ndash; File spoofing in WinRAR<\/li><li>Path traversal best practices<\/li><li>Lab &ndash; Path canonicalization<\/li><li>Wrap up<\/li><li>Secure coding principles<\/li><li>Principles of robust programming by Matt Bishop<\/li><li>Secure design principles of Saltzer and Schroeder<\/li><li>And now what?<\/li><li>Software security sources and further reading<\/li><li>Python resources<\/li><\/ul><\/li><\/ul>","outline":"<ul>\n<li>Cyber security basics<\/li><li>OWASP API Security Top Ten<\/li><li>API1 - Broken Object Level Authorization<\/li><li>API2 - Broken Authentication<\/li><li>API3 - Broken Object Property Level Authorization<\/li><li>API4 - Unrestricted Resource Consumption<\/li><li>API5 - Broken Function Level Authorization<\/li><li>API6 - Unrestricted Access to Sensitive Business Flows<\/li><li>API7 - Server Side Request Forgery<\/li><li>API8 - Security Misconfiguration<\/li><li>API9 - Improper Inventory Management<\/li><li>API10 - Unsafe Consumption of APIs<\/li><li>Wrap up<\/li><\/ul>","summary":"<p>Your application written in Python works as intended, so you are done, right? But do your APIs behave well for incorrect values? 16 GB of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? 
Because these are the values the bad guys will feed in &ndash; and the list is far from complete.<\/p>\n<p>The course provides a comprehensive walkthrough on the OWASP API Security Top Ten, equipping developers, security professionals, and architects with the knowledge to identify, mitigate, and prevent the most critical security risks in modern API-driven applications. Each of the ten risks &ndash; including Broken Object, Property and Function Level Authorization (BOLA, BOPLA and BFLA), Unrestricted Resource Consumption, Unsafe Consumption of APIs, and more &ndash; is discussed in detail with real-world examples, hands-on labs, and mitigation strategies. Topics are discussed in the context of classic APIs, REST APIs as well as GraphQL.<\/p>\n<p>Beyond the top ten list, the course can also expand into further key security topics that are crucial for developers but often overlooked in API security, such as cryptography, integer overflows, and code quality.<\/p>\n<p>Whether you are a beginner in API security or an experienced developer looking to sharpen your skills, this course offers valuable knowledge to build APIs that are not only functional and efficient but also secure and resilient.<\/p>\n<p>So that you are prepared for the forces of the dark side.<\/p>\n<p>So that nothing unexpected happens.<\/p>\n<p>Nothing.<\/p>","objective_plain":"- Getting familiar with essential cyber security concepts\n- Understanding API security issues\n- Detailed analysis of the OWASP API Security Top Ten elements\n- Putting API security in the context of Python\n- Going beyond the low hanging fruits\n- Managing vulnerabilities in third party components\n- Input validation approaches and principles","essentials_plain":"General Python development","audience_plain":"Python API developers","contents_plain":"Day 1\n\n\n- Cyber security basics\n\n- What is security?\n- Threat and risk\n- Cyber security threat types \u2013 the CIA triad\n- Consequences of insecure software\n- OWASP API 
Security Top Ten\n\n- OWASP API Security Top 10 2023\n- API1 \u2013 Broken Object Level Authorization\n\n- Confused deputy\n- Insecure direct object reference (IDOR)\n- Lab \u2013 Insecure Direct Object Reference\n- Authorization bypass through user-controlled keys\n- Case study \u2013 Remote takeover of Nexx garage doors and alarms\n- Lab \u2013 Horizontal authorization\n- File upload\n- Unrestricted file upload\n- Good practices\n- Lab \u2013 Unrestricted file upload\n- API2 \u2013 Broken Authentication\n\n- Authentication basics\n- Multi-factor authentication (MFA)\n- Case study \u2013 The InfinityGauntlet attack\n- Passwordless solutions\n- Time-based One Time Passwords (TOTP)\n- Authentication weaknesses\n- Spoofing on the Web\n- Password management\n- Storing account passwords\n- Password in transit\n- Lab \u2013 Is just hashing passwords enough?\n- Dictionary attacks and brute forcing\n- Salting\n- Adaptive hash functions for password storage\n- Lab \u2013 Using adaptive hash functions in Python\n- Using password cracking tools\n- Password cracking in Windows\n- Password change\n- Password recovery issues\n- Password recovery best practices\n- Lab \u2013 Password reset weakness\n- Case study \u2013 Facebook account takeover via recovery code\n- Case study \u2013 GitLab account takeover\n- Anti-automation\n- Password policy\n- NIST authenticator requirements for memorized secrets\n- Password hardening\n- Using passphrases\n- Password database migration\n- (Mis)handling None passwords\nDay 2\n\n\n- API3 \u2013 Broken Object Property Level Authorization\n\n- Information exposure\n- Exposure through extracted data and aggregation\n- Case study \u2013 Strava data exposure\n- System information leakage\n- Leaking system information\n- Information exposure best practices\n- Secrets management\n- Hard coded passwords\n- Best practices\n- Lab \u2013 Hardcoded password\n- Protecting sensitive information in memory\n- Challenges in protecting memory\n- Case study 
\u2013 Microsoft secret key theft via dump files\n- API4 \u2013 Unrestricted Resource Consumption\n\n- Denial of service\n- Flooding\n- Resource exhaustion\n- Sustained client engagement\n- Infinite loop\n- Economic Denial of Sustainability (EDoS)\n- Algorithmic complexity issues\n- Regular expression denial of service (ReDoS)\n- Lab \u2013 ReDoS\n- Dealing with ReDoS\n- Case study \u2013 ReDoS vulnerabilities in Python\n- API5 \u2013 Broken Function Level Authorization\n\n- Authorization\n- Access control basics\n- Access control types\n- Missing or improper authorization\n- Failure to restrict URL access\n- Cross-site Request Forgery (CSRF)\n- Lab \u2013 Cross-site Request Forgery\n- CSRF best practices\n- CSRF defense in depth\n- Lab \u2013 CSRF protection with tokens\n- API6 \u2013 Unrestricted Access to Sensitive Business Flows\n\n- Security by design\n- The STRIDE model of threats\n- Secure design principles of Saltzer and Schroeder\n- Economy of mechanism\n- Fail-safe defaults\n- Complete mediation\n- Open design\n- Separation of privilege\n- Least privilege\n- Least common mechanism\n- Psychological acceptability\n- Logging and monitoring\n- Logging and monitoring principles\n- Insufficient logging\n- Case study \u2013 Plaintext passwords at Facebook\n- Log forging\n- Web log forging\n- Lab \u2013 Log forging\n- Log forging \u2013 best practices\n- Logging best practices\n- Monitoring best practices\n- API7 \u2013 Server Side Request Forgery\n\n- Server-side Request Forgery (SSRF)\n- Case study \u2013 SSRF in Ivanti Connect Secure\n- API8 \u2013 Security Misconfiguration\n\n- Information exposure through error reporting\n- Information leakage via error pages\n- Lab \u2013 Flask information leakage\n- Case study \u2013 Information leakage via errors in Apache Superset\n- Cookie security\n- Cookie attributes\n- Same Origin Policy\n- Simple request\n- Preflight request\n- Cross-Origin Resource Sharing (CORS)\n- Lab \u2013 Same-origin policy demo\n- Configuring 
XML parsers\n- DTD and the entities\n- Entity expansion\n- External Entity Attack (XXE)\n- File inclusion with external entities\n- Server-Side Request Forgery with external entities\n- Lab \u2013 External entity attack\n- Preventing XXE\n- Lab \u2013 Prohibiting DTD\n- Case study \u2013 XXE vulnerability in Ivanti products\nDay 3\n\n\n- API9 \u2013 Improper Inventory Management\n\n- Documentation blindspots\n- Dataflow blindspots\n- Using vulnerable components\n- Untrusted functionality import\n- Malicious packages in Python\n- Case study \u2013 The Polyfill.io supply chain attack\n- Vulnerability management\n- Lab \u2013 Finding vulnerabilities in third-party components\n- API10 \u2013 Unsafe Consumption of APIs\n\n- Input validation\n- Input validation principles\n- Denylists and allowlists\n- Case study \u2013 Denylist failure in urllib.parse.urlparse()\n- What to validate \u2013 the attack surface\n- Where to validate \u2013 defense in depth\n- When to validate \u2013 validation vs transformations\n- Output sanitization\n- Encoding challenges\n- Unicode challenges\n- Validation with regex\n- Injection\n- Injection principles\n- Injection attacks\n- SQL injection\n- SQL injection basics\n- Lab \u2013 SQL injection\n- Attack techniques\n- Content-based blind SQL injection\n- Time-based blind SQL injection\n- SQL injection best practices\n- Input validation\n- Parameterized queries\n- Lab \u2013 Using prepared statements\n- Database defense in depth\n- Case study \u2013 SQL injection against US airport security\n- Code injection\n- Code injection via input()\n- OS command injection\n- Lab \u2013 Command injection\n- OS command injection best practices\n- Avoiding command injection with the right APIs\n- Lab \u2013 Command injection best practices\n- Case study \u2013 Shellshock\n- Lab \u2013 Shellshock\n- Case study \u2013 Command injection in Ivanti security appliances\n- Open redirects and forwards\n- Open redirects and forwards \u2013 best practices\n- Files 
and streams\n- Path traversal\n- Lab \u2013 Path traversal\n- Additional challenges in Windows\n- Case study \u2013 File spoofing in WinRAR\n- Path traversal best practices\n- Lab \u2013 Path canonicalization\n- Wrap up\n- Secure coding principles\n- Principles of robust programming by Matt Bishop\n- Secure design principles of Saltzer and Schroeder\n- And now what?\n- Software security sources and further reading\n- Python resources","outline_plain":"- Cyber security basics\n- OWASP API Security Top Ten\n- API1 - Broken Object Level Authorization\n- API2 - Broken Authentication\n- API3 - Broken Object Property Level Authorization\n- API4 - Unrestricted Resource Consumption\n- API5 - Broken Function Level Authorization\n- API6 - Unrestricted Access to Sensitive Business Flows\n- API7 - Server Side Request Forgery\n- API8 - Security Misconfiguration\n- API9 - Improper Inventory Management\n- API10 - Unsafe Consumption of APIs\n- Wrap up","summary_plain":"Your application written in Python works as intended, so you are done, right? But do your APIs behave well for incorrect values? 16 GB of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because these are the values the bad guys will feed in \u2013 and the list is far from complete.\n\nThe course provides a comprehensive walkthrough on the OWASP API Security Top Ten, equipping developers, security professionals, and architects with the knowledge to identify, mitigate, and prevent the most critical security risks in modern API-driven applications. Each of the ten risks \u2013 including Broken Object, Property and Function Level Authorization (BOLA, BOPLA and BFLA), Unrestricted Resource Consumption, Unsafe Consumption of APIs, and more \u2013 is discussed in detail with real-world examples, hands-on labs, and mitigation strategies. 
Topics are discussed in the context of classic APIs, REST APIs as well as GraphQL.\n\nBeyond the top ten list, the course can also expand into further key security topics that are crucial for developers but often overlooked in API security, such as cryptography, integer overflows, and code quality.\n\nWhether you are a beginner in API security or an experienced developer looking to sharpen your skills, this course offers valuable knowledge to build APIs that are not only functional and efficient but also secure and resilient.\n\nSo that you are prepared for the forces of the dark side.\n\nSo that nothing unexpected happens.\n\nNothing.","version":"1.0","duration":{"unit":"d","value":3,"formatted":"3 days"},"pricelist":{"List Price":{"DE":{"country":"DE","currency":"EUR","taxrate":19,"price":2250},"SI":{"country":"SI","currency":"EUR","taxrate":20,"price":2250},"AT":{"country":"AT","currency":"EUR","taxrate":20,"price":2250},"SE":{"country":"SE","currency":"EUR","taxrate":25,"price":2250},"CH":{"country":"CH","currency":"CHF","taxrate":8.1,"price":2250}}},"lastchanged":"2025-10-29T08:55:14+01:00","parenturl":"https:\/\/portal.flane.ch\/swisscom\/fr\/json-courses","nexturl_course_schedule":"https:\/\/portal.flane.ch\/swisscom\/fr\/json-course-schedule\/36451","source_lang":"fr","source":"https:\/\/portal.flane.ch\/swisscom\/fr\/json-course\/cydrill-asip"}}
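The course summary above asks whether an API still behaves when it is fed an apostrophe, a null, an oversized body, or -1 and -2^31. The following is an added illustration of those exact inputs hitting a small Python data-access layer, written for this page and not taken from the Cydrill course material or its labs. The in-memory `users` table, the function names, and the size and range limits are assumptions chosen for the demonstration; the vulnerable query is shown next to its parameterized replacement, and the validators reject the listed hostile values before they reach application logic.

```python
"""Added example (not course material): hostile API inputs from the summary
(apostrophe, null, oversized body, -1 / -2**31) against a small Python layer."""
import re
import sqlite3
from typing import Optional

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
MAX_BODY_BYTES = 64 * 1024  # assumed request-size limit; pick one per endpoint


class ValidationError(ValueError):
    """Raised for any input the endpoint refuses; a caller maps it to HTTP 400."""


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, so 'all rows' differs from 'one row'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the apostrophe in the input closes the SQL literal."""
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value travels separately from the SQL text,
    so the apostrophe is plain data and never changes the statement."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def validate_int32(raw: Optional[str], minimum: int = INT32_MIN,
                   maximum: int = INT32_MAX) -> int:
    """Allowlist-style numeric validation: reject None, anything that is not a
    plain ASCII decimal integer, and values outside [minimum, maximum].
    [0-9] is used instead of \\d so non-ASCII digits are refused too."""
    if raw is None:
        raise ValidationError("value is required")
    if not re.fullmatch(r"-?[0-9]{1,11}", raw):
        raise ValidationError("value must be a decimal integer")
    value = int(raw)
    if not minimum <= value <= maximum:
        raise ValidationError(f"value must be between {minimum} and {maximum}")
    return value


def check_body_size(body: bytes, limit: int = MAX_BODY_BYTES) -> bytes:
    """Refuse oversized payloads before parsing them (unrestricted resource
    consumption defence); len() is cheap, parsing 16 GB is not."""
    if len(body) > limit:
        raise ValidationError(f"body exceeds {limit} bytes")
    return body


def demo() -> dict:
    """Run every hostile input from the summary through both paths."""
    conn = make_db()
    payload = "alice' OR '1'='1"        # the apostrophe case
    results = {
        "unsafe_rows": find_user_unsafe(conn, payload),   # leaks every row
        "safe_rows": find_user_safe(conn, payload),       # no such user
        "exact_match": find_user_safe(conn, "alice"),
    }
    rejected = []
    # None (null), -1, -2**31, an Arabic-Indic digit, and a float literal
    for raw in (None, "-1", "-2147483648", "\u0663", "1e3"):
        try:
            validate_int32(raw, minimum=1, maximum=100)
        except ValidationError:
            rejected.append(raw)
    results["rejected_ints"] = rejected
    results["accepted_int"] = validate_int32("42", minimum=1, maximum=100)
    try:
        check_body_size(b"A" * 100, limit=64)
        results["oversized_rejected"] = False
    except ValidationError:
        results["oversized_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the argument in one place: the string-formatted query returns both users for the apostrophe payload while the parameterized one returns none, and every value in the summary's list of hostile numbers is refused before it can be used as an index, a count or a size.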