Attacking APIs in CI/CD - Course Outline

In today’s fast-paced development environments, securing your applications at scale is more critical — and more challenging — than ever. Relying solely on code scanning with SAST and dependency analysis to address risks like the OWASP Top 10 can leave exploitable vulnerabilities lurking in your code.

In “Attacking APIs in CI/CD,” you’ll discover how to integrate Dynamic Application Security Testing (DAST) into your CI/CD pipeline, empowering your team to identify and mitigate real-world threats before they hit production. You’ll learn how to scan APIs in CI/CD, perform API Discovery, and trace vulnerabilities back to code. You’ll also learn how to use DAST to complement your existing AppSec activities like SAST and SCA.

If you want to prioritize exploitable security risks and proactively defend your apps against live vulnerabilities, this course is for you.

Join us for this free training session on insertDate. The course will be approximately 4-5 hours.

Attendees will receive free lunch and a $50 Amazon gift card.

  1. Introduction to the Basics
    1. Web security and API Security Challenges
    2. API Testing Coverage and Impact
    3. Enabling Secure SDLC, DevSecOps, and CI/CD Pipelines
    4. Tools of the Trade - Docker, NightVision, OpenAPI/Swagger
  2. Basic DAST Scans
    1. Lab: DAST Scans
      1. Lab environment setup
      2. Internet-facing applications via the UI
      3. Private network applications via the CLI
      4. Replicating findings for regression testing
      5. False Positive Filtering
      6. Scope Control
  3. API Discovery
    1. Introduction to API Discovery
    2. API Discovery Approaches
      1. Manual instrumentation via OSS packages
      2. Traffic-based
      3. Source code based
    3. Lab: API Discovery
      1. Generating OpenAPI from Code
      2. Measuring API Coverage
      3. Handling unresolved variables
  4. CI/CD Integration
    1. Lab: GitHub Actions
      1. Automated Scans in CI/CD
      2. Tracing Vulnerabilities to Code with SARIF
      3. GitHub Security Alerts
  5. Authentication
    1. Lab: Authentication
      1. Recording Interactive Authentication
      2. Header Authentication
  6. User notification and attribution
    1. Lab: CODEOWNERS files and Slack Notifications
  7. Deep scans with HTTP Traffic Uploads
    1. Introduction to Traffic-informed scanning
    2. Lab: Recording and Scanning with HAR files
      1. Recording HAR files
      2. Uploading HAR files
      3. Scanning with HAR files