2021 OWASP Top Ten Deep Dive (TT8150)
Learning Objectives
This course combines engaging instructor-led presentations and useful demonstrations with valuable hands-on labs and engaging group activities. Throughout the course you’ll:
- Master Safe and Ethical Hacking Practices: Learn to execute bug hunting and hacking activities in a manner that respects privacy and system integrity, ensuring that all actions align with ethical standards and organizational policies.
- Identify and Utilize Bug Reporting Mechanisms: Develop the ability to recognize and effectively utilize defect/bug reporting systems within your organization, facilitating swift response and mitigation.
- Avoid Common Pitfalls in Vulnerability Testing: Gain insights into common mistakes made during bug hunting and vulnerability testing and learn strategies to avoid them, enhancing the accuracy and effectiveness of your security assessments.
- Comprehend Defensive, Secure Coding Concepts: Delve into the principles and terminology of defensive coding, including understanding the phases and objectives of a typical exploit, to build more secure applications.
- Appreciate the Multilayered Defense Approach: Recognize the value of a layered, in-depth defense strategy in cybersecurity, enhancing your capacity to build robust and resilient systems.
- Identify and Manage Untrusted Data Sources: Understand the potential origins of untrusted data and the risks they pose, such as denial of service, cross-site scripting, and injections, and develop strategies to properly handle such data.
- Strengthen Authentication and Authorization Security: Learn about the vulnerabilities associated with authentication and authorization, and how to detect, attack, and implement defenses to enhance the security of these critical functions.
- Mitigate Risks of XML Processing, File Uploads, and Server-Side Interpreters: Familiarize yourself with the risks involved in XML processing, file uploads, and server-side interpreters, and learn how to apply techniques to harden web and application servers, and other infrastructure components to eliminate or mitigate these risks.
- Optional / Bonus Overview: Explore applying AI to the OWASP Top Ten
Audience
This is an overview-level course ideally suited for software developers, IT professionals, and cybersecurity enthusiasts who are keen to enhance their understanding of web application security. It would also benefit project managers and team leads overseeing digital projects, who require a strong grasp of security principles to manage risks effectively. Furthermore, IT auditors and compliance officers aiming to understand the technical aspects of web application security for better evaluation and enforcement of regulatory standards would find this course invaluable.
Pre-Requisites
This is not a hands-on course; however, it's helpful if you have:
- Basic understanding of web development and web architecture
- Some familiarity with basic programming concepts
- Basic understanding of web security or cybersecurity concepts
- Awareness of general IT concepts (servers, databases, networks, etc.)
Course Topics / Agenda
Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We’ll work with you to tune this course and level of coverage to target the skills you need most. Topics, agenda and labs are subject to change, and may adjust during live delivery based on audience skill level, interests and participation.
Session: Jumping into the OWASP Top 10
Lesson: Why Hunt Bugs?
- The Language of Cybersecurity
- The Changing Cybersecurity Landscape
- AppSec Dissection of SolarWinds
- The Human Perimeter
- First Axiom in Web Application Security Analysis
- First Axiom in Addressing ALL Security Concerns
- Lab: Case Study in Failure
Lesson: Safe and Appropriate Bug Hunting/Hacking
- Warning to All Bug Hunters
- Working Ethically
- Respecting Privacy
- Bug/Defect Notification
- Bug Hunting Pitfalls
Lesson: Removing Bugs
- Open Web Application Security Project (OWASP)
- OWASP Top Ten Overview
- Web Application Security Consortium (WASC)
- CERT Secure Coding Standard
- Microsoft Security Response Center
- Software-Specific Threat Intelligence
Session: Bug Stomping 101
Lesson: Unvalidated Data
- Potential Consequences
- Defining and Defending Trust Boundaries
- Rigorous, Positive Specifications
- Allow Listing vs Deny Listing
- Challenges: Free-Form Text, Email Addresses, and Uploaded Files
Lesson: A01: Broken Access Control
- Elevation of Privileges
- Insufficient Flow Control
- Unprotected URL/Resource Access/Forceful Browsing
- Metadata Manipulation (Session Cookies and JWTs)
- Understanding and Defending Against CSRF
- CORS Misconfiguration Issues
- Lab: Spotlight: Verizon
Lesson: A02: Cryptographic Failures
- Identifying Protection Needs
- Evolving Privacy Considerations
- Options for Protecting Data
- Transport/Message Level Security
- Weak Cryptographic Processing
- Keys and Key Management
- NIST Recommendations
Lesson: A03: Injection
- Pattern for All Injection Flaws
- Misconceptions With SQL Injection Defenses
- Drill Down on Stored Procedures
- Other Forms of Server-Side Injection
- Minimizing Server-Side Injection Flaws
- Client-side Injection: XSS
- Persistent, Reflective, and DOM-Based XSS
- Best Practices for Untrusted Data
Lesson: A04: Insecure Design
- Secure Software Development Processes
- Shifting Left
- Principles for Securing All Designs
- Leveraging Common AppSec Practices and Control
- Paralysis by Analysis
- Actionable Application Security
- Additional Tools for the Toolbox
Lesson: A05: Security Misconfiguration
- System Hardening: IA Mitigation
- Risks with Internet-Connected Resources
- Minimalist Configurations
- Application Allow Listing
- Secure Baseline
- Segmentation with Containers and Cloud
- Safe XML Processing
Session: Bug Stomping 102
Lesson: A06: Vulnerable and Outdated Components
- Problems with Vulnerable Components
- Software Inventory
- Managing Updates: Balancing Risk and Timeliness
- Virtual Patching
- Dissection of Ongoing Exploits
- Lab: Spotlight: Equifax
Lesson: A07: Identification and Authentication Failures
- Quality and Protection of Authentication Data
- Anti-Automation Defenses
- Multifactor Authentication
- Proper Hashing of Passwords
- Handling Passwords on Server Side
Lesson: A08: Software and Data Integrity Failures
- Software Integrity Issues and Defenses
- Using Trusted Repositories
- CI/CD Pipeline Issues
- Protecting Software Development Resources
- Serialization/Deserialization
Lesson: A09: Security Logging and Monitoring Failures
- Detecting Threats and Active Attacks
- Best Practices for Logging and Logs
- Safe Logging in Support of Forensics
Lesson: A10: Server Side Request Forgeries (SSRF)
- Understanding SSRF
- Remote Resource Access Scenarios
- Complexity of Cloud Services
- SSRF Defense in Depth
- Positive Allow Lists
Session: Moving Forward
Lesson: Applications: What Next?
- Common Vulnerabilities and Exposures
- CWE/SANS Top 25 Most Dangerous SW Errors
- Strength Training: Project Teams/Developers
- Strength Training: IT Organizations
- Lab: Spotlight: Capital One
Optional / Bonus Content
Optional / Bonus: Leveraging AI in Tackling the OWASP Top Ten
- Introduction to AI in Cybersecurity
- AI for Detecting and Mitigating Security Risks
- AI in Managing OWASP Top Ten Vulnerabilities Detecting XML External Entities (
- AI in Incident Response and Forensics
- The Future of AI in Web Application Security