SEC101 – OWASP Top 10

Course Learning Objectives

Discover the top 10 most important web application vulnerabilities in the OWASP 2021 list, the most recent list in this standard. Covers all top 10 items, describing each vulnerability, why it happens from a business risk perspective, how hackers exploit it, and how best to defend against these issues.

Description

Students will learn the Top 10 threats as part of the OWASP Top 10 2021. This language agnostic course dives into concepts for web application threats, vulnerabilities and strategies to defend them. The OWASP top 10 list is an industry recognized list of vulnerabilities as dictated by the community, most recently in 2021.

The course engages students in learning about each of the Top 10 items, providing easy to understand business risks, concepts, news articles demonstrating how vulnerabilities have impacted organizations and best practices to defending against each of them.

Audience Time Required
General Staff / Developers

Tailored learning – 140 minutes total

Course Outline

1. Broken Access Control

  • About
  • Authentication vs. Authorization
  • About authorization
  • Server-side checks
  • Privilege escalation
  • Insecure direct object reference
  • Server-side session variables
  • Missing functional level access control
  • Page-level authorization
  • Server-side request forgery (SSRF)
  • Internal services authentication
  • Cross-site request forgery (CSRF)
  • Analyze your application for CSRF
  • Defend against CSRF
  • Risk of page-level authorization
  • Programmed authorization

2. Cryptographic Failures

  • About
  • Exposed passwords
  • Sensitive data exposure
  • Strong cryptography
  • Data sensitivity
  • Clear-text communication
  • Transport layer security
  • Insecure storage
  • Hashing for confidentiality
  • Challenges to hashing
  • Salts

3. Injection

  • SQL injection
  • Database errors
  • Blind SQL
  • Other forms of injection
  • Unrestricted file upload
  • Mad Libs analogy
  • Query with bind parameters
  • Defense in action
  • Other defenses

4. Insecure Design

  • About
  • Poorly constructed threat model
  • Strong threat modeling
  • Methods
  • Missing or ineffective business logic
  • Adapt to SAST, DAST, and SCA
  • SAST
  • DAST
  • SCA

5. Security Misconfiguration

  • About misconfiguration
  • Misconfiguration problems
  • Newsflash
  • Configuration activities
  • Hardening
  • Standardizing builds
  • Verbose error messages
  • Attack scenarios
  • Generic error messages
  • Patch management and audits
  • Maintenance

6. Vulnerable and Outdated Components

  • Using components with known vulnerabilities
  • Newsflash
  • Common vulnerabilities
  • Catalogue dependencies
  • Approval of external components
  • Patch management process