Exploring the OWASP Top Ten (Latest Edition)

Explore Common Web Application Vulnerabilities, How to Implement and Test Attack Defenses & More

TT8150

Introductory

2 Days

Course Overview

Exploring the OWASP Top Ten is a seminar style course designed for web developers and technical stakeholders who need to produce secure web applications using the most up to date OWASP standards.  Our web app security expert will share how to integrate security measures into the development process.  You will also explore core concepts and challenges in web application security, showcasing real world examples that illustrate the potential consequences of not following these best practices.

This course will walk you through how to recognize actual and potential software vulnerabilities and implement defenses for those vulnerabilities.  You will explore most common security vulnerabilities faced by web applications today, examining each vulnerability from a coding perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and, finally, designing and implementing effective defenses.

Guided by our application security expert, you will explore how to:

  • Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
  • Identify defect/bug reporting mechanisms within their organizations
  • Avoid common mistakes that are made in bug hunting and vulnerability testing
  • Understand the concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit
  • Develop an appreciation for the need and value of a multilayered defense in depth
  • Understand potential sources for untrusted data
  • Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Prevent and defend the many potential vulnerabilities associated with untrusted data
  • Understand the vulnerabilities of associated with authentication and authorization
  • Detect, attack, and implement defenses for authentication and authorization functionality and services
  • Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Detect, attack, and implement defenses against XSS and Injection attacks
  • Understand the risks associated with XML processing, file uploads, and server-side interpreters and how to best eliminate or  mitigate those risks
  • Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure

Need different skills or topics?  If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate.  We offer a wide variety of application security, programming and other related topics that may be blended with this course for a track that best suits your needs.  Our team can help design the course or learning path that best meets your needs and skills goals.

Course Objectives

This course will walk you through how to recognize actual and potential software vulnerabilities and implement defenses for those vulnerabilities.  You will explore most common security vulnerabilities faced by web applications today, examining each vulnerability from a coding perspective through a process of describing the threat and attack mechanisms, recognizing associated vulnerabilities, and, finally, designing and implementing effective defenses.

Guided by our application security expert, you will explore how to:

  • Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
  • Identify defect/bug reporting mechanisms within their organizations
  • Avoid common mistakes that are made in bug hunting and vulnerability testing
  • Understand the concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit
  • Develop an appreciation for the need and value of a multilayered defense in depth
  • Understand potential sources for untrusted data
  • Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
  • Prevent and defend the many potential vulnerabilities associated with untrusted data
  • Understand the vulnerabilities of associated with authentication and authorization
  • Detect, attack, and implement defenses for authentication and authorization functionality and services
  • Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
  • Detect, attack, and implement defenses against XSS and Injection attacks
  • Understand the risks associated with XML processing, file uploads, and server-side interpreters and how to best eliminate or  mitigate those risks
  • Understand techniques and measures that can used to harden web and application servers as well as other components in your infrastructure

Need different skills or topics?  If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate.  We offer a wide variety of application security, programming and other related topics that may be blended with this course for a track that best suits your needs.  Our team can help design the course or learning path that best meets your needs and skills goals.

Need different skills or topics?  If your team requires different topics or tools, additional skills or custom approach, this course may be further adjusted to accommodate.  We offer additional .Net programming, secure coding, development, hacking, database security, bug hunting and other related topics that may be blended with this course for a track that best suits your needs. Our team will collaborate with you to understand your needs and will target the course to focus on your specific learning objectives and goals.

Course Prerequisites

This is an overview-level , lecture and demonstration style course, designed to provide technical application project stakeholders with a first-look or baseline understanding of how to develop well defended web applications.  Real-world programming experience is highly recommended for code reviews, but not required.

Please see the Related Courses Tab for Pre-Requisite course specifics and links, links to similar courses you might review as an alternative, as well as suggested Next-Step Follow-On Courses and Learning Path recommendations.

Course Agenda

Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We’ll work with you to tune this course and level of coverage to target the skills you need most. Topics, agenda and labs are subject to change, and may adjust during live delivery based on audience interests, skill-level and participation.

Session: Jumping into the 2021 OWASP Top 10

Lesson: Why Hunt Bugs?

  • The Language of Cybersecurity
  • The Changing Cybersecurity Landscape
  • AppSec Dissection of SolarWinds
  • The Human Perimeter
  • First Axiom in Web Application Security Analysis
  • First Axiom in Addressing ALL Security Concerns
  • Lab: Case Study in Failure

Lesson: Safe and Appropriate Bug Hunting/Hacking

  • Warning to All Bug Hunters
  • Working Ethically
  • Respecting Privacy
  • Bug/Defect Notification
  • Bug Hunting Pitfalls

Lesson: Removing Bugs

  • Open Web Application Security Project (OWASP)
  • OWASP Top Ten Overview
  • Web Application Security Consortium (WASC)
  • CERT Secure Coding Standard
  • Microsoft Security Response Center
  • Software-Specific Threat Intelligence

Session: Bug Stomping 101

Lesson: Unvalidated Data

  • Potential Consequences
  • Defining and Defending Trust Boundaries
  • Rigorous, Positive Specifications
  • Allow Listing vs Deny Listing
  • Challenges: Free-Form Text, Email Addresses, and Uploaded Files

Lesson: A01: Broken Access Control

  • Elevation of Privileges
  • Insufficient Flow Control
  • Unprotected URL/Resource Access/Forceful Browsing
  • Metadata Manipulation (Session Cookies and JWTs)
  • Understanding and Defending Against CSRF
  • CORS Misconfiguration Issues
  • Lab: Spotlight: Verizon

Lesson: A02: Cryptographic Failures

  • Identifying Protection Needs
  • Evolving Privacy Considerations
  • Options for Protecting Data
  • Transport/Message Level Security
  • Weak Cryptographic Processing
  • Keys and Key Management
  • NIST Recommendations

Lesson: A03: Injection

  • Pattern for All Injection Flaws
  • Misconceptions With SQL Injection Defenses
  • Drill Down on Stored Procedures
  • Other Forms of Server-Side Injection
  • Minimizing Server-Side Injection Flaws
  • Client-side Injection: XSS
  • Persistent, Reflective, and DOM-Based XSS
  • Best Practices for Untrusted Data

Lesson: A04: Insecure Design

  • Secure Software Development Processes
  • Shifting Left
  • Principles for Securing All Designs
  • Leveraging Common AppSec Practices and Control
  • Paralysis by Analysis
  • Actionable Application Security
  • Additional Tools for the Toolbox

Lesson: A05: Security Misconfiguration

  • System Hardening: IA Mitigation
  • Risks with Internet-Connected Resources
  • Minimalist Configurations
  • Application Allow Listing
  • Secure Baseline
  • Segmentation with Containers and Cloud
  • Safe XML Processing

Session: Bug Stomping 102

Lesson: A06: Vulnerable and Outdated Components

  • Problems with Vulnerable Components
  • Software Inventory
  • Managing Updates: Balancing Risk and Timeliness
  • Virtual Patching
  • Dissection of Ongoing Exploits
  • Lab: Spotlight: Equifax

Lesson: A07: Identification and Authentication Failures

  • Quality and Protection of Authentication Data
  • Anti-Automation Defenses
  • Multifactor Authentication
  • Proper Hashing of Passwords
  • Handling Passwords on Server Side

Lesson: A08: Software and Data Integrity Failures

  • Software Integrity Issues and Defenses
  • Using Trusted Repositories
  • CI/CD Pipeline Issues
  • Protecting Software Development Resources
  • Serialization/Deserialization

Lesson: A09: Security Logging and Monitoring Failures

  • Detecting Threats and Active Attacks
  • Best Practices for Logging and Logs
  • Safe Logging in Support of Forensics

Lesson: A10: Server Side Request Forgeries (SSRF)

  • Understanding SSRF
  • Remote Resource Access Scenarios
  • Complexity of Cloud Services
  • SSRF Defense in Depth
  • Positive Allow Lists

Session: Moving Forward

Lesson: Applications: What Next?

  • Common Vulnerabilities and Exposures
  • CWE/SANS Top 25 Most Dangerous SW Errors
  • Strength Training: Project Teams/Developers
  • Strength Training: IT Organizations
  • Lab: Spotlight: Capital One

Additional Topics: Time Permitting
These topics will be included in your course materials but may or may not be presented during the live class depending on the pace of the course and attendee skill level and participation.

Lesson: SDL Overview

  • Attack Phases: Offensive Actions and Defensive Controls
  • Secure Software Development Processes
  • Shifting Left
  • Actionable Items Moving Forward

Lesson: SDL In Action

  • Risk Escalators
  • Risk Escalator Mitigation
  • SDL Phases
  • Actions for each SDL Phase
  • SDL Best Practices

Course Materials

Student Materials: Each participant will receive a digital Student Guide and/or Course Notes, code samples, software tutorials, step-by-step written lab instructions (as applicable), diagrams and related reference materials and resource links. Students will also receive the project files (or code, if applicable) and solutions required for the hands-on work.

Every-Course Extras = High-Value & Long-Term Learning Support! All Public Schedule courses include our unique EveryCourse Extras package (Course Recordings, Live Instructor Follow-on Support, Free *Live* Course Refresh Re-Takes, early access to Special Offers, Free Courses & more). Please inquire for details.

Raise the bar for advancing technology skills

Attend a Class!

Live scheduled classes are listed below or browse our full course catalog anytime

Special Offers

We regulary offer discounts for individuals, groups and corporate teams. Contact us

Custom Team Training

Check out custom training solutions planned around your unique needs and skills.

EveryCourse Extras

Exclusive materials, ongoing support and a free live course refresh with every class.

Learning is Twice as Nice!
Buy One Get One Free!

Enroll by March 31 in any TWO public classes in 2023 for the price of ONE! 

Click for Details & Additional Offers

Learn. Explore. Advance!

Extend your training investment! Recorded sessions, free re-sits and after course support included with Every Course
Trivera MiniCamps
Gain the skills you need with less time in the classroom with our short course, live-online hands-on events
Trivera QuickSkills: Free Courses and Webinars
Training on us! Keep your skills current with free live events, courses & webinars
Trivera AfterCourse: Coaching and Support
Expert level after-training support to help organizations put new training skills into practice on the job

The voices of our customers speak volumes

Special Offers
Limited Offer for most courses.

SAVE 50%

Learn More