Course Overview
Improve your cybersecurity skills with our comprehensive OWASP Security Course. This course illuminates the critical aspects of web application security as outlined in the OWASP Top 10, a globally recognized consensus on the most perilous security risks faced by today's web applications.
Engage with our immersive training program that meticulously walks you through each vulnerability, while highlighting effective protection methods and best practices to safeguard against varied attack vectors.
Benefit from hands-on exercises where you will practice the art of ethical hacking by staging simulated attacks on a website, learning how to identify and exploit security weaknesses.
Get hands-on experience using industry-leading tools like the OWASP Zed Attack Proxy, strengthening your practical understanding of cybersecurity threats and defenses. By the end of this course, you will be well-equipped to help secure web applications against the most pressing contemporary threats.
Equip yourself with the skills to secure the digital world - join our OWASP Security Course today.
Course Prerequisites
This course is geared towards developers, but can also be attended by other roles. Basic knowledge of web development is required (HTML, JavaScript, XML).
Outline
Introduction
- Introduction to web security terminology
- Explanation of same origin
- Explanation of CORS
- Introduction to OWASP
- Introduction to OWASP Top 10 2021
- Differences with Top 10 2017
OWASP Top Ten 2021
01-Broken Access Control
- Discuss various attack vectors
- Discuss protection
- Apply the principle of least privilege
- Common URL related vulnerabilities
- Discuss CORS misconfiguration
- Cross-Site Request Forgery CSRF
- CSRF protection with XSRF tokens
02-Cryptographic Failures
- Message privacy
- Limiting deprecated ciphers
- Showcase problems with hashing through rainbow tables
- Discuss deprecated security algorithms (hashing, padding, seeding)
- Discuss bcrypt
03-Injection
- Discuss various injection attack vectors (SQL, JPQL, LDAP, …)
- Discover various types of SQL injection (tautology, union, stacked)
- Discuss protection against injections
- Understand obfuscation
04-Insecure Design
- Common design and architectural mistakes
- Multi-tenant clusters and deployments
- Discuss secure design patterns
- Role of automated testing
05-Security Misconfiguration
- Understand XML Entities
- Attack vectors with XML Entities
- Remote code execution (java)
- Server Side Request Forgery SSRF
- Discuss common misconfigurations
- Discuss various HTTP Security Headers
06-Vulnerable and Outdated Components
- Using components with known vulnerabilities
- Using Common Vulnerability and Exposures (CVE) and National Vulnerability Database (NVD)
- Discuss known vulnerabilities
- Using tools such as nsp, dependency-check and retire.js
07-Identification and Authentication Failures
- Discuss attack vectors (known passwords, dictionary words)
- How attackers can find valid usernames
- Discuss credential stuffing
- Discuss session fixation
- Best practices for session ids
08-Software and Data Integrity Failures
- Using checksums and hashes of software sources (e.g., container images)
- Using your repositories/registries to protect against untrusted sources
- Problems in CI/CD pipelines
- Understand the process of marshalling/unmarshalling
- Discuss vulnerabilities and prevention
- Remote code execution with Java
09-Security Logging and Monitoring Failures
- Discuss vulnerabilities in Logging & Monitoring
- Using log aggregation tools (such as Loki)
- Prevent leaking sensitive information into logs
- Logs and DevSecOps (monitoring logs)
10-Server-Side Request Forgery (SSRF)
- Data Sanitization and validation
- Network security