2021 OWASP Top Ten Deep Dive (TT8150)

Explore Bug Hunting, Ethical Hacking, Defensive Coding Concepts, Authentication, Authorization, Case Studies & More

TT8150

Introductory

2 Days

Course Overview


Overview

The OWASP Top Ten 2021 is the 2021 edition of the Open Web Application Security Project (OWASP) Top Ten, a ranked list of the most critical web application security risks. It is valuable because it gives organizations a shared picture of the most prevalent vulnerability classes, helping them prioritize their security efforts and harden their applications against the attacks they are most likely to face.

Our 2021 OWASP Top Ten Deep Dive is an engaging two-day course that gives you the skills to protect data and maintain user trust across a range of digital projects. From identifying and eliminating bugs to managing unvalidated data, you'll work through vulnerability classes such as Broken Access Control, Cryptographic Failures, and Server-Side Request Forgery (SSRF). Throughout the course you'll explore software integrity, proper handling of authentication data, and the importance of robust security logging and monitoring. You'll also examine the challenges of 'shifting left' in the software development process and the details of software and data integrity failures, including using trusted repositories, protecting software development resources, and issues in Continuous Integration/Continuous Deployment (CI/CD) pipelines.

This course is led by a seasoned web application security expert who shares practical insights, best practices, and real-life experiences, adding invaluable depth to your learning journey. Through engaging demonstrations and activities, you'll apply your newfound knowledge to real-world scenarios, enhancing your ability to analyze and mitigate security risks while maintaining privacy and ethical standards. You'll also gain practical experience with innovative tools and strategies, working through labs mirroring real-world situations, such as dissecting high-profile case studies like SolarWinds and Capital One.

By the end of this course, you'll have a robust understanding of the OWASP Top Ten, secure software development principles, and a broadened view of web application security. Armed with these skills, you'll be well-prepared to help your organization navigate the challenging landscape of cybersecurity.


Learning Objectives

This course combines engaging instructor-led presentations and useful demonstrations with valuable hands-on labs and engaging group activities. Throughout the course you’ll:

  • Master Safe and Ethical Hacking Practices: Learn to execute bug hunting and hacking activities in a manner that respects privacy and system integrity, ensuring that all actions align with ethical standards and organizational policies.
  • Identify and Utilize Bug Reporting Mechanisms: Develop the ability to recognize and effectively utilize defect/bug reporting systems within your organization, facilitating swift response and mitigation.
  • Avoid Common Pitfalls in Vulnerability Testing: Gain insights into common mistakes made during bug hunting and vulnerability testing and learn strategies to avoid them, enhancing the accuracy and effectiveness of your security assessments.
  • Comprehend Defensive, Secure Coding Concepts: Delve into the principles and terminology of defensive coding, including understanding the phases and objectives of a typical exploit, to build more secure applications.
  • Appreciate the Multilayered Defense Approach: Recognize the value of a layered, in-depth defense strategy in cybersecurity, enhancing your capacity to build robust and resilient systems.
  • Identify and Manage Untrusted Data Sources: Understand the potential origins of untrusted data and the risks they pose, such as denial of service, cross-site scripting, and injections, and develop strategies to properly handle such data.
  • Strengthen Authentication and Authorization Security: Learn about the vulnerabilities associated with authentication and authorization, and how to detect, attack, and implement defenses to enhance the security of these critical functions.
  • Mitigate Risks of XML Processing, File Uploads, and Server-Side Interpreters: Familiarize yourself with the risks involved in XML processing, file uploads, and server-side interpreters, and learn how to apply techniques to harden web and application servers, and other infrastructure components to eliminate or mitigate these risks.
  • Optional / Bonus Overview: Explore applying AI to the OWASP Top Ten

If your team requires different topics, additional skills or a custom approach, our team will collaborate with you to adjust the course to focus on your specific learning objectives and goals.

Course Prerequisites

Audience

This is an overview-level course ideally suited for software developers, IT professionals, and cybersecurity enthusiasts who are keen to enhance their understanding of web application security. It would also benefit project managers and team leads overseeing digital projects, who require a strong grasp of security principles to manage risks effectively. Furthermore, IT auditors and compliance officers aiming to understand the technical aspects of web application security for better evaluation and enforcement of regulatory standards would find this course invaluable.


Pre-Requisites

This is not a hands-on course; however, it's helpful if you have:

  • Basic understanding of web development and web architecture
  • Some familiarity with basic programming concepts
  • Basic understanding of web security or cybersecurity concepts
  • Awareness of general IT concepts (servers, databases, networks, etc.)

Course Agenda

Course Topics / Agenda

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We’ll work with you to tune this course and level of coverage to target the skills you need most. Topics, agenda and labs are subject to change, and may adjust during live delivery based on audience skill level, interests and participation.

Session: Jumping into the OWASP Top 10

Lesson: Why Hunt Bugs?

  • The Language of Cybersecurity
  • The Changing Cybersecurity Landscape
  • AppSec Dissection of SolarWinds
  • The Human Perimeter
  • First Axiom in Web Application Security Analysis
  • First Axiom in Addressing ALL Security Concerns
  • Lab: Case Study in Failure

Lesson: Safe and Appropriate Bug Hunting/Hacking

  • Warning to All Bug Hunters
  • Working Ethically
  • Respecting Privacy
  • Bug/Defect Notification
  • Bug Hunting Pitfalls

Lesson: Removing Bugs

  • Open Web Application Security Project (OWASP)
  • OWASP Top Ten Overview
  • Web Application Security Consortium (WASC)
  • CERT Secure Coding Standard
  • Microsoft Security Response Center
  • Software-Specific Threat Intelligence

Session: Bug Stomping 101

Lesson: Unvalidated Data

  • Potential Consequences
  • Defining and Defending Trust Boundaries
  • Rigorous, Positive Specifications
  • Allow Listing vs Deny Listing
  • Challenges: Free-Form Text, Email Addresses, and Uploaded Files

Lesson: A01: Broken Access Control

  • Elevation of Privileges
  • Insufficient Flow Control
  • Unprotected URL/Resource Access/Forceful Browsing
  • Metadata Manipulation (Session Cookies and JWTs)
  • Understanding and Defending Against CSRF
  • CORS Misconfiguration Issues
  • Lab: Spotlight: Verizon
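The lesson's "Unprotected URL/Resource Access/Forceful Browsing" and "Elevation of Privileges" topics come down to one question: does the code check that the caller is allowed to touch the object it just looked up? The following is an added example written for this page, not one of the course's labs. The users, roles, invoices and ids are constructed for illustration, and the "admin"/"customer" roles are an assumption; it shows an insecure direct object reference beside a lookup that denies by default, and a probe that walks the id space to show the difference.

```python
"""Added example, not course material: object-level authorization.

"Forceful browsing"/insecure direct object reference: the endpoint looks up a
record by the id the client supplies and never checks that the caller may see
it. The hardened version makes the ownership check part of the lookup, so no
code path returns a record without authorizing it. Users, invoices, roles and
ids below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed roles: "customer" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed rows standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120.0),
    1002: Invoice(1002, owner_id=8, amount=9999.0),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(caller: User, invoice_id: int) -> Invoice:
    """Authenticated but not authorized: any logged-in user reads any invoice
    by changing the id in the URL (GET /invoices/1002)."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_secure(caller: User, invoice_id: int) -> Invoice:
    """Deny by default: the caller must own the record or hold the admin role.
    Missing and forbidden ids raise the same error, so a probe cannot tell
    which ids exist."""
    inv = INVOICES.get(invoice_id)
    authorized = inv is not None and (
        caller.role == "admin" or inv.owner_id == caller.user_id
    )
    if not authorized:
        raise NotFound(invoice_id)
    return inv


def readable_ids(lookup: Callable[[User, int], Invoice],
                 caller: User, candidate_ids: Iterable[int]) -> List[int]:
    """Simulate an attacker walking the id space: which ids does `lookup`
    hand back to this caller?"""
    found = []
    for i in candidate_ids:
        try:
            lookup(caller, i)
            found.append(i)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    mallory = User(user_id=7, role="customer")  # owns only invoice 1001
    print(readable_ids(get_invoice_vulnerable, mallory, range(1000, 1005)))  # [1001, 1002]
    print(readable_ids(get_invoice_secure, mallory, range(1000, 1005)))      # [1001]
```

The point of putting the ownership test inside the lookup is that a later caller cannot forget it; an access check that lives in each route handler is one copy-and-paste away from being missed. Returning the same "not found" for both missing and forbidden ids also stops the endpoint from confirming which ids exist.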

Lesson: A02: Cryptographic Failures

  • Identifying Protection Needs
  • Evolving Privacy Considerations
  • Options for Protecting Data
  • Transport/Message Level Security
  • Weak Cryptographic Processing
  • Keys and Key Management
  • NIST Recommendations

Lesson: A03: Injection

  • Pattern for All Injection Flaws
  • Misconceptions With SQL Injection Defenses
  • Drill Down on Stored Procedures
  • Other Forms of Server-Side Injection
  • Minimizing Server-Side Injection Flaws
  • Client-side Injection: XSS
  • Persistent, Reflective, and DOM-Based XSS
  • Best Practices for Untrusted Data
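The "Pattern for All Injection Flaws" and "Misconceptions With SQL Injection Defenses" topics are easiest to see with a query built two ways. The block below is an added example for this page, not course lab code; it uses Python's standard-library sqlite3 with a constructed table, rows and payload. It also covers the case parameter binding cannot solve, a caller-chosen column name, which has to go through an allow list instead.

```python
"""Added example, not course material: string-built SQL versus bound
parameters, using Python's stdlib sqlite3. Table, rows and payload are
constructed for illustration."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", 0), ("bob", "h2", 0), ("root", "h3", 1)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Untrusted input spliced into the query text: a quote in `username`
    ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The statement text is fixed; the value travels separately and is never
    parsed as SQL. No escaping is needed, and escaping is not a substitute."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def find_users_by_column(conn: sqlite3.Connection, column: str, value) -> List[str]:
    """Identifiers cannot be bound as parameters, so a caller-chosen column
    name must be mapped through an allow list, never interpolated directly."""
    allowed = {"username", "is_admin"}
    if column not in allowed:
        raise ValueError("column not allowed: %r" % column)
    sql = "SELECT username FROM users WHERE %s = ?" % column
    return sorted(row[0] for row in conn.execute(sql, (value,)))


# Constructed tautology payload: closes the literal and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, PAYLOAD))  # ['alice', 'bob', 'root']
    print(find_user_safe(db, PAYLOAD))        # []
```

The same pattern applies to the lesson's "Drill Down on Stored Procedures": a stored procedure is only a defense if it binds its arguments; one that concatenates them into dynamic SQL and executes the string is injectable exactly like the first function above.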

Lesson: A04: Insecure Design

  • Secure Software Development Processes
  • Shifting Left
  • Principles for Securing All Designs
  • Leveraging Common AppSec Practices and Controls
  • Paralysis by Analysis
  • Actionable Application Security
  • Additional Tools for the Toolbox

Lesson: A05: Security Misconfiguration

  • System Hardening: IA Mitigation
  • Risks with Internet-Connected Resources
  • Minimalist Configurations
  • Application Allow Listing
  • Secure Baseline
  • Segmentation with Containers and Cloud
  • Safe XML Processing

Session: Bug Stomping 102

Lesson: A06: Vulnerable and Outdated Components

  • Problems with Vulnerable Components
  • Software Inventory
  • Managing Updates: Balancing Risk and Timeliness
  • Virtual Patching
  • Dissection of Ongoing Exploits
  • Lab: Spotlight: Equifax

Lesson: A07: Identification and Authentication Failures

  • Quality and Protection of Authentication Data
  • Anti-Automation Defenses
  • Multifactor Authentication
  • Proper Hashing of Passwords
  • Handling Passwords on Server Side
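For "Proper Hashing of Passwords" and "Handling Passwords on Server Side", the following is an added example written for this page rather than course material. It uses scrypt from Python's standard-library hashlib with a per-password random salt, stores the parameters alongside the digest so they can be raised later, verifies with a constant-time comparison, and fails closed on malformed records. The cost parameters and the `$`-separated record layout are assumptions chosen for illustration.

```python
"""Added example, not course material: storing and verifying passwords with a
salted, memory-hard KDF (scrypt from Python's stdlib hashlib) and a
constant-time comparison. The cost parameters and the record layout are
assumptions chosen for illustration."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters; N must be a power of two and should rise over time.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def _kdf(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=dklen)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, parameters, salt, digest.
    The salt is random per password, so equal passwords get unequal records."""
    if salt is None:
        salt = os.urandom(16)
    digest = _kdf(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time; malformed records fail closed."""
    try:
        alg, n, r, p, salt_b64, digest_b64 = record.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        actual = _kdf(password, salt, int(n), int(r), int(p), len(expected))
    except (ValueError, TypeError):
        return False
    # compare_digest does not stop at the first differing byte.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was produced with a weaker configuration than the
    current policy. Call after a successful login and re-hash while the
    plaintext is still in hand."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))                         # False
```

Two server-side habits follow from the record format: the plaintext is needed only inside `hash_password` and `verify_password`, so it should never be logged or written anywhere else, and because the parameters travel with the digest, the policy can be tightened without a forced reset by re-hashing on the next successful login.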

Lesson: A08: Software and Data Integrity Failures

  • Software Integrity Issues and Defenses
  • Using Trusted Repositories
  • CI/CD Pipeline Issues
  • Protecting Software Development Resources
  • Serialization/Deserialization

Lesson: A09: Security Logging and Monitoring Failures

  • Detecting Threats and Active Attacks
  • Best Practices for Logging and Logs
  • Safe Logging in Support of Forensics

Lesson: A10: Server-Side Request Forgery (SSRF)

  • Understanding SSRF
  • Remote Resource Access Scenarios
  • Complexity of Cloud Services
  • SSRF Defense in Depth
  • Positive Allow Lists
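The "SSRF Defense in Depth" and "Positive Allow Lists" topics, together with "Complexity of Cloud Services", describe a layered check on any URL the server fetches on a user's behalf. The block below is an added example for this page, not the course's own code. It enforces a positive host allow list, restricts the scheme and port, rejects credentials in the authority, and checks the addresses the host actually resolves to against loopback, private, link-local and cloud instance-metadata ranges. The allow list, hostnames, and DNS answers are constructed for illustration, and the resolver is injectable so the example runs offline.

```python
"""Added example, not course material: validating a user-supplied URL before
the server fetches it, in layers: a positive allow list of hosts, a scheme
restriction, no credentials in the authority, and a check of the addresses
the host resolves to against loopback, private, link-local and cloud
metadata ranges. The allow list, hostnames and DNS answers are constructed
for illustration; the resolver is injectable so the example runs offline."""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}  # assumed
ALLOWED_SCHEMES = {"https"}
# Instance metadata endpoints an SSRF inside a cloud VM will be aimed at.
BLOCKED_NETS = [
    ipaddress.ip_network("169.254.169.254/32"),  # IMDS on AWS, GCP, Azure
    ipaddress.ip_network("fd00:ec2::254/128"),   # AWS IMDS over IPv6
]


class UnsafeURL(ValueError):
    pass


def default_resolve(host: str) -> List[str]:
    """Live DNS lookup, all address families."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in BLOCKED_NETS):
        return False
    # is_global already excludes loopback, RFC 1918, link-local, CGNAT,
    # documentation and reserved ranges; multicast needs its own check.
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = default_resolve) -> str:
    """Return `url` unchanged if every layer passes, else raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # https://api.partner.example@evil.example/ has host evil.example
        raise UnsafeURL("credentials in URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL("host not on allow list: %r" % host)
    try:
        port = parts.port
    except ValueError:
        raise UnsafeURL("malformed port")
    if port not in (None, 443):
        raise UnsafeURL("port not allowed: %r" % port)
    addrs = list(resolve(host))
    if not addrs or not all(is_public_address(a) for a in addrs):
        # Split-horizon DNS or rebinding can point an allowed name inward.
        raise UnsafeURL("host resolves to a non-public address")
    return url


def is_safe_fetch_url(url: str, resolve=default_resolve) -> bool:
    try:
        validate_fetch_url(url, resolve)
        return True
    except UnsafeURL:
        return False


# Constructed DNS answers; the public addresses are arbitrary stand-ins.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "cdn.partner.example": ["8.8.8.8", "2001:4860:4860::8888"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def rebinding_resolve(host: str) -> List[str]:
    """An allowed name whose DNS answer points at the metadata service."""
    return ["169.254.169.254"]


if __name__ == "__main__":
    print(is_safe_fetch_url("https://api.partner.example/v1/orders", fake_resolve))  # True
    print(is_safe_fetch_url("https://169.254.169.254/latest/meta-data/", fake_resolve))  # False
    print(is_safe_fetch_url("https://api.partner.example/", rebinding_resolve))  # False
```

Validating the URL once is not the whole defense: if the HTTP client follows redirects, an allowed host can answer with a 302 to an internal address, so redirects should be disabled or each hop re-validated, and the connection should be made to the address that was checked rather than re-resolving the name. IPv4-mapped IPv6 forms such as ::ffff:169.254.169.254 are a further edge case worth testing against whichever client library is in use.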

Session: Moving Forward

Lesson: Applications: What Next?

  • Common Vulnerabilities and Exposures
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations
  • Lab: Spotlight: Capital One

Optional / Bonus Content

Optional / Bonus: Leveraging AI in Tackling the OWASP Top Ten

  • Introduction to AI in Cybersecurity
  • AI for Detecting and Mitigating Security Risks
  • AI in Managing OWASP Top Ten Vulnerabilities
  • Detecting XML External Entities
  • AI in Incident Response and Forensics
  • The Future of AI in Web Application Security

Course Materials

Setup Made Simple with our robust Learning Experience Platform (LXP)

All applicable course software, digital courseware files or course notes, labs, data sets and solutions, live coaching support channels and rich extended learning and post training resources are provided for you in our “easy access, no install required” high-speed Learning Experience Platform (LXP), remote lab and content environment. Course materials, software, resources and post-training platform access periods vary by course.
