4 API Architectures
1. Introduction to API architecture
● Why understanding architecture is vital for effective pentesting & API design.
2. Monolithic vs microservices architecture
● Definitions and primary distinctions.
● Pros & cons of each, especially from a security perspective.
3. API gateway
● Role & purpose in modern API architectures.
● Features: request routing, rate limiting, caching, etc.
● Security implications & benefits.
4. Serverless architecture & APIs
● Introduction to serverless / FaaS (Function as a Service).
● Platforms like AWS Lambda, Azure Functions.
● Security considerations specific to serverless.
5. GraphQL architecture
● Overview and how it works.
● Resolvers, Queries & Mutations.
● Potential vulnerabilities like batch query attacks.
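Batch query abuse in GraphQL comes in two shapes: a JSON array of operations in one HTTP request, and alias batching, where one operation repeats the same field under many aliases so a per-request limit counts dozens of resolver calls as a single request. The check below is an added example written for this outline, not code from the course; the limits, the small token scanner (not a full GraphQL parser) and the request bodies are all constructed here.

```python
import json
import re
from typing import Any

# Limits are constructed for this example; tune them per endpoint and per
# how expensive the underlying resolvers are.
MAX_BATCH_OPERATIONS = 5    # operations allowed in one JSON-array request
MAX_ALIASES_PER_OP = 10     # aliased top-level fields allowed in one operation

# Tokens: double-quoted strings, names, or any single non-space character.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[_A-Za-z][_0-9A-Za-z]*|\S')
NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def count_top_level_selections(query: str) -> tuple[int, int]:
    """Return (selections, aliases) found in the outermost selection sets.

    Deliberately a small scanner rather than a GraphQL parser: it tracks brace
    and parenthesis depth and counts names that appear at brace depth 1 outside
    an argument list. `alias: field` counts as one aliased selection; a name
    directly after '@' is a directive and is skipped.
    """
    tokens = TOKEN.findall(query)
    brace = paren = 0
    selections = aliases = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            brace += 1
        elif tok == "}":
            brace -= 1
        elif tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif brace == 1 and paren == 0 and NAME.fullmatch(tok):
            if i > 0 and tokens[i - 1] == "@":
                i += 1          # directive name, not a field
                continue
            selections += 1
            if i + 1 < len(tokens) and tokens[i + 1] == ":":
                aliases += 1
                i += 3          # skip alias, ':' and the real field name
                continue
        i += 1
    return selections, aliases


def inspect_graphql_request(body: str) -> dict[str, Any]:
    """Decide whether an HTTP request body stays within the batching limits."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > MAX_BATCH_OPERATIONS:
        return {"allowed": False, "operations": len(operations), "aliases": 0,
                "reason": "too many operations in one batch"}
    worst = 0
    for op in operations:
        if not isinstance(op, dict):
            return {"allowed": False, "operations": len(operations), "aliases": 0,
                    "reason": "malformed operation"}
        _, aliases = count_top_level_selections(op.get("query", ""))
        worst = max(worst, aliases)
    if worst > MAX_ALIASES_PER_OP:
        return {"allowed": False, "operations": len(operations), "aliases": worst,
                "reason": "too many aliased fields in one operation"}
    return {"allowed": True, "operations": len(operations), "aliases": worst}


# Constructed request bodies for the demonstration.
NORMAL_BODY = json.dumps({"query": "{ me { id name } posts { title } }"})

# Alias batching: twelve login attempts packed into one operation, which a
# per-request rate limit would count as a single attempt.
ALIAS_BATCH_BODY = json.dumps({"query": "mutation { " + " ".join(
    f'a{i}: login(user: "alice", pw: "guess{i}") {{ token }}' for i in range(12)
) + " }"})

# Array batching: the same idea using the JSON-array transport convention.
ARRAY_BATCH_BODY = json.dumps(
    [{"query": 'mutation { login(user: "alice", pw: "guess") { token } }'}] * 6
)

if __name__ == "__main__":
    for label, body in [("normal", NORMAL_BODY), ("alias batch", ALIAS_BATCH_BODY),
                        ("array batch", ARRAY_BATCH_BODY)]:
        print(label, inspect_graphql_request(body))
```

The scanner only counts the outermost selection set, which is where alias batching against a single expensive or sensitive resolver shows up; nested aliasing and deep queries are better handled by a query-depth or cost limit in the GraphQL server itself, and the rate limiter should count resolver invocations rather than HTTP requests.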
6. API composition
● The idea of combining multiple API calls into a single response.
● Backend-for-Frontend (BFF) pattern.
● Implications for performance & security.
7. Stateful vs stateless APIs
● Definitions & distinctions.
● Importance of state management.
● Security concerns associated with each.
8. API versioning
● Why versioning is important.
● Common strategies: URI, header, parameter versioning.
● The security implications of maintaining old API versions.
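The three strategies listed above can coexist in one resolver, and the security-relevant decision is what happens to a version that is no longer maintained. This is an added example, not code from the course: the version policy, the `application/vnd.example.*` media type, the `api-version` query parameter name and the sunset date are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed version policy. The important property is that anything not
# explicitly listed is refused rather than routed to old, unmaintained code.
SUPPORTED = {"v3"}        # current; receives security fixes
DEPRECATED = {"v2"}       # still served, but clients are told to migrate
DEFAULT_VERSION = "v3"    # what a request with no version marker gets
SUNSET_DATES = {"v2": "Sat, 01 Nov 2025 00:00:00 GMT"}   # hypothetical

PATH_VERSION = re.compile(r"^/(v\d+)(?:/|$)")                  # URI versioning
MEDIA_TYPE_VERSION = re.compile(r"application/vnd\.example\.(v\d+)\+json")  # header
QUERY_PARAM = "api-version"                                     # parameter versioning


@dataclass
class VersionDecision:
    version: str
    source: str       # "path", "header", "query" or "default"
    status: str       # "supported", "deprecated" or "rejected"
    serve: bool
    response_headers: dict[str, str]


def extract_version(url: str, headers: dict[str, str]) -> tuple[str, str]:
    """Find the requested version: URI path first, then Accept header, then query."""
    parts = urlsplit(url)
    m = PATH_VERSION.match(parts.path)
    if m:
        return m.group(1), "path"
    lowered = {k.lower(): v for k, v in headers.items()}
    m = MEDIA_TYPE_VERSION.search(lowered.get("accept", ""))
    if m:
        return m.group(1), "header"
    params = parse_qs(parts.query)
    if QUERY_PARAM in params:
        return params[QUERY_PARAM][0], "query"
    return DEFAULT_VERSION, "default"


def decide(url: str, headers: dict[str, str]) -> VersionDecision:
    """Apply the policy: retired and unknown versions fail closed."""
    version, source = extract_version(url, headers)
    if version in SUPPORTED:
        return VersionDecision(version, source, "supported", True, {})
    if version in DEPRECATED:
        # Sunset (RFC 8594) tells clients when this version stops being served.
        extra = {"Sunset": SUNSET_DATES[version]}
        return VersionDecision(version, source, "deprecated", True, extra)
    return VersionDecision(version, source, "rejected", False, {})


if __name__ == "__main__":
    for url, hdrs in [("/v1/users", {}),
                      ("/users?api-version=v2", {}),
                      ("/users", {"Accept": "application/vnd.example.v3+json"}),
                      ("/users", {})]:
        print(url, decide(url, hdrs))
```

Precedence (path over header over query) is a design choice that should be documented, because a gateway and a backend that disagree on it will route the same request to different versions. Rejecting unlisted versions is what keeps a retired `v1`, with whatever bugs it shipped with, from being reachable simply because its code is still deployed.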
9. WebSockets & API architecture
● Introduction to WebSocket protocol.
● How WebSockets differ from traditional HTTP/REST.
● Use cases & security considerations.
10. Rate limiting & throttling
● Importance in API architectures.
● Strategies & their implications.
● Role in maintaining an API’s health & security.
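One of the strategies in scope here is the token bucket: each client gets a burst allowance that refills at a sustained rate, and a request is served only if enough tokens remain. The code below is an added example for this outline, not the course's own material; the capacities, the `ManualClock` used to make the run deterministic, the client keys and the traffic sequence are all constructed.

```python
import math
import time


class ManualClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class TokenBucketLimiter:
    """One token bucket per client key.

    capacity is the burst a client may spend at once; refill_per_sec is the
    sustained rate. The key should be something the caller cannot change
    cheaply, e.g. the authenticated principal rather than only a source IP.
    """

    def __init__(self, capacity: float, refill_per_sec: float, clock=time.monotonic) -> None:
        self.capacity = float(capacity)
        self.rate = float(refill_per_sec)
        self.clock = clock
        self._buckets: dict[str, tuple[float, float]] = {}   # key -> (tokens, last_seen)

    def allow(self, key: str, cost: float = 1.0) -> tuple[bool, float]:
        """Return (allowed, retry_after_seconds). Expensive endpoints pass cost > 1."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)   # lazy refill
        if tokens >= cost:
            self._buckets[key] = (tokens - cost, now)
            return True, 0.0
        self._buckets[key] = (tokens, now)
        return False, (cost - tokens) / self.rate


def handle(limiter: TokenBucketLimiter, key: str, cost: float = 1.0) -> dict:
    """What an API layer returns: 429 with Retry-After when the client is throttled."""
    ok, wait = limiter.allow(key, cost)
    if ok:
        return {"status": 200, "headers": {}}
    return {"status": 429, "headers": {"Retry-After": str(max(1, math.ceil(wait)))}}


def simulate() -> list[int]:
    """Constructed traffic: a burst of four, then three more two seconds later,
    then one request from a different client with its own fresh bucket."""
    clock = ManualClock()
    limiter = TokenBucketLimiter(capacity=3, refill_per_sec=1, clock=clock)
    statuses = [handle(limiter, "client-a")["status"] for _ in range(4)]
    clock.advance(2)
    statuses += [handle(limiter, "client-a")["status"] for _ in range(3)]
    statuses.append(handle(limiter, "client-b")["status"])
    return statuses


if __name__ == "__main__":
    print(simulate())   # [200, 200, 200, 429, 200, 200, 429, 200]
```

The per-key bucket is the part with security consequences: keyed only on IP it both punishes users behind one NAT and is trivially spread across addresses, so authenticated APIs should key on the principal and the gateway should keep the bucket state in shared storage rather than per-instance memory, or a horizontally scaled deployment multiplies every client's allowance by the instance count.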
11. Caching mechanisms in APIs
● Benefits of caching for performance.
● Risks: stale data, cache poisoning.
● Secure caching practices.
12. Containerization & API deployment
● Brief introduction to containers (e.g. Docker).
● Benefits & potential security risks.
● Importance of secure container orchestration (e.g. Kubernetes).
13. Logging & monitoring in API architecture
● Why it’s vital for security & diagnostics.
● What to log & what not to.
● Risks: sensitive data in logs, inadequate logging.
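"What to log and what not to" is easiest to see as one access-log builder that keeps the fields an investigation needs (method, path, status, latency, request id, client, principal) and scrubs the ones that turn a log store into a credential store. This is an added example, not code from the course; the header and parameter name lists, the sample request and its fake bearer token are constructed for the illustration.

```python
import json
import re
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Constructed lists; extend them with whatever your API actually uses.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"password", "token", "access_token", "refresh_token",
                    "api_key", "secret", "otp"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def clean_text(value: str, limit: int = 256) -> str:
    """Strip CR/LF and other control characters so a client cannot forge extra
    log lines (log injection), and cap the length so one request cannot flood
    the log sink."""
    return CONTROL_CHARS.sub("", value)[:limit]


def redact_url(url: str) -> str:
    """Keep the path and parameter names; hide values of credential-like params.
    Credentials should never travel in a query string, but the log must not
    assume every client behaves."""
    parts = urlsplit(url)
    pairs = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(pairs, safe="[]"), ""))


def redact_headers(headers: dict[str, str]) -> dict[str, str]:
    return {k: (REDACTED if k.lower() in SENSITIVE_HEADERS else clean_text(v))
            for k, v in headers.items()}


def build_access_log(request: dict, status: int, duration_ms: float, request_id: str) -> str:
    """One structured line per request: enough to investigate, nothing secret.
    Request bodies are deliberately not logged; if a body must be kept, apply
    field-level redaction before it reaches the log."""
    headers = redact_headers(request["headers"])
    record = {
        "ts": request.get("ts", time.time()),
        "request_id": request_id,
        "method": request["method"],
        "url": redact_url(request["url"]),
        "status": status,
        "duration_ms": round(duration_ms, 1),
        "client_ip": request["client_ip"],
        "subject": request.get("subject"),      # principal id, never the credential
        "auth_present": "Authorization" in request["headers"],
        "user_agent": headers.get("User-Agent", ""),
    }
    return json.dumps(record, sort_keys=True)


# Constructed request: a login with the password in the query string, a bearer
# token, a session cookie, and a User-Agent carrying a CRLF injection attempt.
SAMPLE_REQUEST = {
    "ts": 1700000000,
    "method": "POST",
    "url": "https://api.example.test/v3/login?user=alice&password=hunter2",
    "client_ip": "203.0.113.7",
    "subject": "user:1234",
    "headers": {
        "Authorization": "Bearer eyJhbGciOi.constructed.token",
        "User-Agent": "curl/8.0\r\nFAKE LINE injected=true",
        "Cookie": "session=abc123",
    },
}

if __name__ == "__main__":
    print(build_access_log(SAMPLE_REQUEST, 401, 12.34, "req-1"))
```

The `auth_present` flag is the pattern to copy: record that a credential was supplied and which principal it resolved to, never the credential itself. Failed authentications (the 401 above) are exactly the events that must not be missing, since inadequate logging of those is what lets credential stuffing go unnoticed.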