Start Left: API SecDevOps

What in the SecDevOps?! Shift API security left by embedding security as business-driven requirements. Learn BDD to write Given-When-Then executable specs, DDD to model domains and ubiquitous language, API-first/contract-driven design, semantic versioning, and compatibility. Apply SSDLC, dependency management, GitOps/IaC, key/certificate rotation, minimized scope (MVP/MMF), secure ops (no human prod access), OWASP API Top 10, and automated security tests.

(Earn 2 CPEs)


Course Topics

Introduction

Learn to embed API security early in development. This course covers BDD, DDD, and SSDLC to ensure the OWASP API Security Top 10 is addressed by design, while reducing cost and improving delivery.

Biz, Dev, Sec and Ops

Translate business value into security requirements for APIs. Learn SSDLC practices (code and dependency scanning, OWASP guidance) and secure operations: IaC, certificate and key rotation, and monitored, tooling-based production access instead of direct human access to production.

What are APIs and How to Deliver Them

Explore the API lifecycle and its security: assume every API is public (zero trust), keep an API inventory, plan deprecation, enforce compatibility, use semantic versioning, and agree on an MVP/MMF with stakeholders to reduce scope and cost.

Behavior-Driven Development and Domain-Driven Design

Learn BDD: write testable Given-When-Then scenarios, map them to DDD (domain, bounded contexts, ubiquitous language), and turn behavior into automated tests that drive secure API design.

Securing APIs

Learn the OWASP API Security Top 10 and turn each risk into BDD scenarios. You’ll cover broken auth/authorization, rate limits, SSRF, dependency risks, and automated mitigation tests.

Policies and Regulations

Convert policies into cross-functional requirements: author BDD scenarios for passwords, login, GDPR, and security rules; map to platform controls and automated compliance tests.

Wrap Up

In this workshop, I will guide you through testing the deliberately vulnerable application VAmPI for Broken Object Level Authorization (BOLA) vulnerabilities.
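The following is an added example, not course material or VAmPI code, showing how the BDD-to-test mapping described in the course outline works for the BOLA risk: a Given-When-Then scenario written as text, a small set of step definitions, and a scenario runner that executes the steps against an API. The `BookApi` class is a constructed in-memory stand-in for a REST endpoint with a switch to turn the object-level authorization check on or off; the scenario text, user names, tokens and book records are all made up for the illustration.

```python
"""Executable Given-When-Then scenarios for a BOLA (OWASP API1) check.

Added example. BookApi is a constructed stand-in for an HTTP API; the
step patterns and scenario text are illustrative, not a real BDD framework.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Book:
    id: int
    owner: str
    secret: str


class BookApi:
    """In-memory 'API' whose get_book handler is vulnerable to BOLA unless
    enforce_ownership is True (the object-level authorization check)."""

    def __init__(self, enforce_ownership: bool) -> None:
        self.enforce_ownership = enforce_ownership
        self.books = {1: Book(1, "alice", "alice-secret"),
                      2: Book(2, "bob", "bob-secret")}
        self.sessions = {"token-alice": "alice", "token-bob": "bob"}  # constructed

    def get_book(self, token: Optional[str], book_id: int) -> Tuple[int, dict]:
        user = self.sessions.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}
        book = self.books.get(book_id)
        if book is None:
            return 404, {"error": "not found"}
        if self.enforce_ownership and book.owner != user:
            return 403, {"error": "forbidden"}  # the BOLA fix: check object ownership
        return 200, {"id": book.id, "owner": book.owner, "secret": book.secret}


# Scenarios as the business would phrase them (constructed for this example).
SCENARIOS = """
Scenario: A user can read their own book
  Given alice is authenticated
  When alice requests book 1
  Then the response status is 200

Scenario: A user cannot read another user's book (OWASP API1 BOLA)
  Given alice is authenticated
  When alice requests book 2
  Then the response status is 403
  And the response body does not contain "bob-secret"
"""


# Step definitions: each maps a sentence pattern to code run against the API.
def step_authenticated(ctx, api, user):
    ctx["token"] = f"token-{user}"          # Given: obtain the user's session
    return True


def step_request_book(ctx, api, user, book_id):
    ctx["response"] = api.get_book(ctx["token"], int(book_id))  # When: call the API
    return True


def step_status(ctx, api, code):
    return ctx["response"][0] == int(code)  # Then: assert on status


def step_body_excludes(ctx, api, needle):
    return needle not in repr(ctx["response"][1])  # Then: assert no data leak


STEPS = [
    (re.compile(r"^(\w+) is authenticated$"), step_authenticated),
    (re.compile(r"^(\w+) requests book (\d+)$"), step_request_book),
    (re.compile(r"^the response status is (\d+)$"), step_status),
    (re.compile(r'^the response body does not contain "([^"]+)"$'), step_body_excludes),
]
KEYWORDS = ("Given ", "When ", "Then ", "And ")


def run_scenarios(api: BookApi, text: str = SCENARIOS) -> dict:
    """Run every scenario; return {scenario name: [(step text, passed), ...]}."""
    results, name, ctx = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scenario:"):
            name, ctx = line[len("Scenario:"):].strip(), {}
            results[name] = []
            continue
        keyword = next((k for k in KEYWORDS if line.startswith(k)), None)
        if keyword is None or name is None:
            raise ValueError(f"unparsable line: {raw!r}")
        body = line[len(keyword):]
        for pattern, func in STEPS:
            match = pattern.match(body)
            if match:
                results[name].append((body, bool(func(ctx, api, *match.groups()))))
                break
        else:
            raise ValueError(f"no step definition for: {body!r}")
    return results


def all_pass(api: BookApi, text: str = SCENARIOS) -> bool:
    return all(ok for steps in run_scenarios(api, text).values() for _, ok in steps)


if __name__ == "__main__":
    for label, api in (("vulnerable", BookApi(False)), ("fixed", BookApi(True))):
        for name, steps in run_scenarios(api).items():
            print(f"[{label}] {'PASS' if all(ok for _, ok in steps) else 'FAIL'}: {name}")
```

Run as-is, the second scenario fails against the vulnerable API (status 200 and the other user's secret in the body) and passes once ownership is enforced, which is exactly the signal a CI pipeline needs: the business requirement, the OWASP risk and the regression test are the same artifact. Against a real target such as VAmPI the step functions would issue HTTP requests instead of calling `BookApi` directly; the scenario text stays the same.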

Iwan Eising

Author, Software Engineering Done Right

"Start security left — make it a business requirement so APIs are designed secure from the start."

Meet the Instructor
Iwan Eising

Iwan ("Arc-E-Tect") Eising is a techfluencer, iconoclast and flip-thinker, inspirator and motivator, and author of the upcoming book "Software Engineering Done Right - the practice of delivering useful and usable software".


Earn your APIsec University Certificate

  • Earn an APIsec University certificate and badge for completing any of our courses.

  • Post your badge on LinkedIn and share your accomplishments. You can even receive CPE credits for taking these courses.