Exploring the OWASP Top Ten

Detailed Exploration of the Leading Source for Defining the Most Significant Application Security Vulnerabilities



2 Days

Course Overview

The impact of exploited software is obvious. We are beyond the point where vulnerabilities must be addressed. The current OWASP Top 10 has become the most recognized source for defining the most significant vulnerabilities. This series of quick, hard-hitting sessions sets the context and charges through each of the OWASP vulnerabilities. Each virtual, instructor-led session provides a solid set of information for developers, testers, and other stakeholders about understanding, identifying, and mitigating a vulnerability. These short, intense sessions maximize the flow of information in an effective and interactive manner.

Students who attend this course will gain an understanding of the recently updated OWASP Top 10. Each of these sessions provides useful insights, discussions, and, in many cases, demonstrations of the application vulnerabilities that are plaguing the industry.

Course Objectives

Students who attend this sequence of sessions will gain an understanding of the recently updated OWASP Top 10. Each of these sessions provides useful insights, discussions, and, in many cases, demonstrations of the application vulnerabilities that are plaguing the industry.

After a quick examination of the context for application security and the OWASP Top 10, each of the vulnerabilities is covered in detail. Attendees will gain an understanding of:

  • The mechanism by which the vulnerability is exploited. Often the exploitability of a vulnerability is rooted in an underlying pattern that is valid across many technologies and architectures.
  • The prevalence of the vulnerability, including characteristics to focus on during design and code reviews to help detect potential issues.
  • The potential consequences of a successful exploit.
  • The measures that can be taken to eliminate, prevent, or minimize the risk of an exploited vulnerability.
  • The relative effectiveness of scanners and other tools in detecting the vulnerability being discussed.
  • Generic and code-specific references that can be utilized after the session.

After the ten vulnerabilities are examined in detail, we wrap up with sessions on next steps for attendees to take as well as an overview of Secure Development Lifecycle.

Need different skills or topics? If your team requires different topics or tools, additional skills, or a custom approach, this course may be further adjusted to accommodate. We offer additional .Net programming, secure coding, development, hacking, database security, bug hunting, and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This is an introductory-level, lecture-and-demonstration-style course, designed to provide technical application project stakeholders with a first-look or baseline understanding of how to develop well-defended web applications. Real-world programming experience is highly recommended for code reviews, but not required.

Please see the Related Courses tab for prerequisite course specifics and links, links to similar courses you might review as an alternative, as well as suggested next-step follow-on courses and learning path recommendations.

Course Agenda

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We'll work with you to tune this course and its level of coverage to target the skills you need most. Topics, agenda, and labs are subject to change, and may adjust during live delivery based on audience interests, skill level, and participation.

Session 1: Jumping into the OWASP Top 10

  • Security: The Complete Picture
  • Attack Patterns
  • Dangerous Assumptions
  • Attack Vectors
  • Introduction to OWASP Top 10
  • Lab: Case Study in Failure

Session 2: A1: Injection

  • Injection Flaws
  • Examples: SQL Injection
  • Drill Down on Stored Procedures
  • Understanding the Underlying Problem
  • Other Forms of Injection
  • Minimizing Injection Flaws
  • Demo: Defending Against SQL Injection

Session 3: A2: Broken Authentication

  • Weak Authentication Data
  • Protecting Authentication Data
  • Protecting Authentication Services
  • Effective Credential Management
  • Effective Multi-Factor Authentication
  • Handling Passwords on Server Side
  • Demo: Defending Authentication

Session 4: A3: Sensitive Data Exposure

  • Protecting Data Can Mitigate Impact of Exploit
  • Regulatory Considerations
  • Establishing an Asset Inventory
  • At Rest Data Handling
  • In Motion Data Handling
  • In Use Data Handling
  • Demo: Defending Sensitive Data

Session 5: A4: XML External Entities (XXE)

  • Recognizing XML Processing: Direct, REST, SOAP, etc.
  • Challenges of Safe XML Parsing
  • Managing External Entity Resolution
  • XSLT Processing Challenges
  • Safe XML Processing
  • Demo: Safe XML Processing

Session 6: A5: Broken Access Control

  • Access Control and Trust Boundaries
  • Excessive Privileges
  • Insufficient Flow Control
  • Unprotected API Resource Access
  • JWTs, Sessions and Session Management
  • Single Sign-on (SSO)
  • Demo: Enforcing Access Control
  • Lab: Spotlight: Verizon

Session 7: A6: Security Misconfiguration

  • System Hardening: IA Mitigation
  • Application Whitelisting
  • Principle of Least Privilege in Real Terms
  • Secure Configuration Baseline
  • Error-Handling Issues

Session 8: A7: Cross Site Scripting (XSS)

  • XSS Patterns
  • Stored XSS
  • Reflected XSS
  • Best Practices for Untrusted Data
  • Demo: Defending Against XSS

Session 9: A8/9: Insecure Deserialization

  • Recognizing Serialization in Java, JSON.Net and Elsewhere
  • Deserializing Hostile Objects
  • Safely Managing Deserialization

A9: Using Components with Known Vulnerabilities

  • Maintaining Software Inventory
  • Awareness of Vulnerabilities, Updates, and Patches
  • Managing Versions, Updates, and Patches
  • Reducing Software Risks
  • Lab: Spotlight: Equifax

Session 10: A10: Logging and Monitoring

  • Fingerprinting a Web Site
  • Recognizing When and What to Log
  • Logging in Support of Forensics
  • Monitoring and Alerting
  • Responding to Alerts

Session 11: Spoofing, CSRF, and Redirects

  • Name Resolution Vulnerabilities
  • Fake Certs and Mobile Apps
  • Targeted Spoofing Attacks
  • Cross Site Request Forgeries (CSRF)
  • CSRF Defenses
  • Demo: Cross-Site Request Forgeries

Session 12: Moving Forward

Lesson: Applications: What Next?

  • Common Vulnerabilities and Exposures
  • CWE/SANS Top 25 Most Dangerous SW Errors
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations
  • Leveraging Common AppSec Practices and Control
  • Lab: Recent Incidents
  • Lab: Spotlight: Capital One

Lesson: Making Application Security Real

  • Cost of Continually Reinventing
  • Paralysis by Analysis
  • Actionable Application Security
  • Additional Tools for the Toolbox

Course Materials

Hands-on Setup Made Simple! All course materials, data sets, course software (limited version, for course use only), course notes, and related resources (as applicable) are provided for attendees in our easy-access, no-installation-required, remote lab environment for the duration of the course. In most cases, we can also offer local (non-cloud) setup as an alternative. Our tech team will help set up, test, and verify lab access for each attendee prior to the course start date, ensuring a smooth start to class and a successful hands-on course experience for all participants.

EveryCourse Extras = High-Value & Long-Term Learning Support! Most courses also include our unique EveryCourse Extras package (post-course resource site access, review labs, live instructor follow-on support, free *live* course refresh re-takes, early access to special offers, free courses, and more). Please ask for details.
