Exploring the OWASP Top Ten (Latest Edition)

Explore Common Web Application Vulnerabilities, How to Implement and Test Attack Defenses & More

Course Code: TT8150

Skill Level: Introductory

Duration: 2 Days

Course Overview

Exploring the OWASP Top Ten is a seminar style course designed for web developers and technical stakeholders who need to produce secure web applications using the most up to date OWASP standards. Our web app security expert will share how to integrate security measures into the development process. You will also explore core concepts and challenges in web application security, showcasing real world examples that illustrate the potential consequences of not following these best practices.

This course will walk you through how to recognize actual and potential software vulnerabilities and implement defenses for those vulnerabilities. You will explore most common security vulnerabilities faced by web applications today, examining each vulnerability from a coding perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and, finally, designing and implementing effective defenses.

Guided by our application security expert, you will explore how to:

Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
Identify defect/bug reporting mechanisms within their organizations
Avoid common mistakes that are made in bug hunting and vulnerability testing
Understand the concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit
Develop an appreciation for the need and value of a multilayered defense in depth
Understand potential sources for untrusted data
Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
Prevent and defend the many potential vulnerabilities associated with untrusted data
Understand the vulnerabilities of associated with authentication and authorization
Detect, attack, and implement defenses for authentication and authorization functionality and services
Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
Detect, attack, and implement defenses against XSS and Injection attacks
Understand the risks associated with XML processing, file uploads, and server-side interpreters and how to best eliminate or mitigate those risks
Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure

Need different skills or topics? If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate. We offer a wide variety of application security, programming and other related topics that may be blended with this course for a track that best suits your needs. Our team can help design the course or learning path that best meets your needs and skills goals.

Course Objectives

Guided by our application security expert, you will explore how to:

Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
Identify defect/bug reporting mechanisms within their organizations
Avoid common mistakes that are made in bug hunting and vulnerability testing
Understand the concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit
Develop an appreciation for the need and value of a multilayered defense in depth
Understand potential sources for untrusted data
Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
Prevent and defend the many potential vulnerabilities associated with untrusted data
Understand the vulnerabilities of associated with authentication and authorization
Detect, attack, and implement defenses for authentication and authorization functionality and services
Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
Detect, attack, and implement defenses against XSS and Injection attacks
Understand the risks associated with XML processing, file uploads, and server-side interpreters and how to best eliminate or mitigate those risks
Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure

Need different skills or topics? If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate. We offer additional .Net programming, secure coding, development, hacking, database security, bug hunting and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This is an overview-level , lecture and demonstration style course, designed to provide technical application project stakeholders with a first-look or baseline understanding of how to develop well defended web applications. Real-world programming experience is highly recommended for code reviews, but not required.

Please see the Related Courses Tab for Pre-Requisite course specifics and links, links to similar courses you might review as an alternative, as well as suggested Next-Step Follow-On Courses and Learning Path recommendations.

Course Agenda

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We’ll work with you to tune this course and level of coverage to target the skills you need most. Topics, agenda and labs are subject to change, and may adjust during live delivery based on audience interests, skill-level and participation.

Session: Jumping into the 2021 OWASP Top 10

Lesson: Why Hunt Bugs?

The Language of Cybersecurity
The Changing Cybersecurity Landscape
AppSec Dissection of SolarWinds
The Human Perimeter
First Axiom in Web Application Security Analysis
First Axiom in Addressing ALL Security Concerns
Lab: Case Study in Failure

Lesson: Safe and Appropriate Bug Hunting/Hacking

Warning to All Bug Hunters
Working Ethically
Respecting Privacy
Bug/Defect Notification
Bug Hunting Pitfalls

Lesson: Removing Bugs

Open Web Application Security Project (OWASP)
OWASP Top Ten Overview
Web Application Security Consortium (WASC)
CERT Secure Coding Standard
Microsoft Security Response Center
Software-Specific Threat Intelligence

Session: Bug Stomping 101

Lesson: Unvalidated Data

Potential Consequences
Defining and Defending Trust Boundaries
Rigorous, Positive Specifications
Allow Listing vs Deny Listing
Challenges: Free-Form Text, Email Addresses, and Uploaded Files

Lesson: A01: Broken Access Control

Elevation of Privileges
Insufficient Flow Control
Unprotected URL/Resource Access/Forceful Browsing
Metadata Manipulation (Session Cookies and JWTs)
Understanding and Defending Against CSRF
CORS Misconfiguration Issues
Lab: Spotlight: Verizon

Lesson: A02: Cryptographic Failures

Identifying Protection Needs
Evolving Privacy Considerations
Options for Protecting Data
Transport/Message Level Security
Weak Cryptographic Processing
Keys and Key Management
NIST Recommendations

Lesson: A03: Injection

Pattern for All Injection Flaws
Misconceptions With SQL Injection Defenses
Drill Down on Stored Procedures
Other Forms of Server-Side Injection
Minimizing Server-Side Injection Flaws
Client-side Injection: XSS
Persistent, Reflective, and DOM-Based XSS
Best Practices for Untrusted Data

Lesson: A04: Insecure Design

Secure Software Development Processes
Shifting Left
Principles for Securing All Designs
Leveraging Common AppSec Practices and Control
Paralysis by Analysis
Actionable Application Security
Additional Tools for the Toolbox

Lesson: A05: Security Misconfiguration

System Hardening: IA Mitigation
Risks with Internet-Connected Resources
Minimalist Configurations
Application Allow Listing
Secure Baseline
Segmentation with Containers and Cloud
Safe XML Processing

Session: Bug Stomping 102

Lesson: A06: Vulnerable and Outdated Components

Problems with Vulnerable Components
Software Inventory
Managing Updates: Balancing Risk and Timeliness
Virtual Patching
Dissection of Ongoing Exploits
Lab: Spotlight: Equifax

Lesson: A07: Identification and Authentication Failures

Quality and Protection of Authentication Data
Anti-Automation Defenses
Multifactor Authentication
Proper Hashing of Passwords
Handling Passwords on Server Side

Lesson: A08: Software and Data Integrity Failures

Software Integrity Issues and Defenses
Using Trusted Repositories
CI/CD Pipeline Issues
Protecting Software Development Resources
Serialization/Deserialization

Lesson: A09: Security Logging and Monitoring Failures

Detecting Threats and Active Attacks
Best Practices for Logging and Logs
Safe Logging in Support of Forensics

Lesson: A10: Server Side Request Forgeries (SSRF)

Understanding SSRF
Remote Resource Access Scenarios
Complexity of Cloud Services
SSRF Defense in Depth
Positive Allow Lists

Session: Moving Forward

Lesson: Applications: What Next?

Common Vulnerabilities and Exposures
CWE/SANS Top 25 Most Dangerous SW Errors
Strength Training: Project Teams/Developers
Strength Training: IT Organizations
Lab: Spotlight: Capital One

Additional Topics: Time Permitting
These topics will be included in your course materials but may or may not be presented during the live class depending on the pace of the course and attendee skill level and participation.

Lesson: SDL Overview

Attack Phases: Offensive Actions and Defensive Controls
Secure Software Development Processes
Shifting Left
Actionable Items Moving Forward

Lesson: SDL In Action

Risk Escalators
Risk Escalator Mitigation
SDL Phases
Actions for each SDL Phase
SDL Best Practices

Course Materials

Student Materials: Each participant will receive a digital Student Guide and/or Course Notes, code samples, software tutorials, step-by-step written lab instructions (as applicable), diagrams and related reference materials and resource links. Students will also receive the project files (or code, if applicable) and solutions required for the hands-on work.

Every-Course Extras = High-Value & Long-Term Learning Support! All Public Schedule courses include our unique EveryCourse Extras package (Course Recordings, Live Instructor Follow-on Support, Free *Live* Course Refresh Re-Takes, early access to Special Offers, Free Courses & more). Please inquire for details.

Raise the bar for advancing technology skills

Attend a Class!

Live scheduled classes are listed below or browse our full course catalog anytime

Special Offers

We regulary offer discounts for individuals, groups and corporate teams. Contact us

Custom Team Training

Check out custom training solutions planned around your unique needs and skills.

EveryCourse Extras

Exclusive materials, ongoing support and a free live course refresh with every class.

Learning is Twice as Nice!
Buy One Get One Free!
Enroll by March 31 in any TWO public classes in 2023 for the price of ONE!

Click for Details & Additional Offers

Learn. Explore. Advance!

Extend your training investment! Recorded sessions, free re-sits and after course support included with Every Course

Gain the skills you need with less time in the classroom with our short course, live-online hands-on events

Trivera QuickSkills: Free Courses and Webinars

Training on us! Keep your skills current with free live events, courses & webinars

Trivera AfterCourse: Coaching and Support

Expert level after-training support to help organizations put new training skills into practice on the job

The voices of our customers speak volumes

A very good balance of teaching time to lab time. I've done other courses that I found to be much lighter on content and heavy on labs to waste time. This was a refreshing change of pace.

Adam G

First time in my life I have attended remote class and I find it great. Personally I don't feel there is any area which require improvement!

Rishi M

Excellent detail about the Spring framework which directly relates to my role as a senior engineer. I found the content and style to be very enjoyable, and would encourage me to ask questions where previously I might not have paid much attention, eg. pom version numbers / spring starters being imported. The focus on the different styles of unit testing was also excellent and I would plan to incorporate in day to day work.

Edward K

Both the instructor and the course material were very thorough - the course material has many helpful references - the labs were well laid out, making it easy to learn from and get done on time

Steve C.

Instructor was beyond phenomenal. He had an in depth knowledge of the course material and always ensured that everyone understood what was being discussed. I really enjoyed the mix of theory and practical examples of each part of the course.

Cillian M

Great job overall. Great communicator and explained complex concepts in a simple, easier to understand format.

Jeremy G

The instructor was clearly knowledgeable about Java and programming in general. He was very attentive to every student's individual needs and constantly encouraged questions, concerns, student issues to be raised and addressed each one thoroughly.

Mark M

Excellent training. Even though it was online, I did not have any issues understanding or getting the answers for the questions I had. The lab exercises are interesting to apply what was learnt. Overall very good training. Thank you!

Anitha

Best programming class I've ever been in, head and shoulders above any thing I took in college as part of a computer science degree. The instructor was thorough and very detailed, he was very good abut explaining all possible scenarios a situation would apply to. The way the albs were structured and the class was conducted was very good for interaction and hand on learning.

Danish J

Special Offers
Limited Offer for most courses.

SAVE 50%

Learn More