Course description
The Open Web Application Security Project focuses on improving the security of software .The OWASP Top 10 is a powerful awareness document for web application security and represents a broad consensus about the most critical security risks to web applications. This course discusses the updates to the Top 10 and how threats have changed.
Prerequisites
It would be helpful to have watched the previous OWASP courses as many of the threats still exist: OWASP, Part 1: Avoiding Hacker Tricks - OWASP, Part 2: Forgery and Phishing - OWASP, Part 3: Threats and Session Security - OWASP, Part 4: Misconfiguration and Data Encryption
Learning Paths
This course is part of the following LearnNowOnline SuccessPaths™:
OWASP
Meet the expert
Robert Hurlbut is a software security architect and trainer. He is a Microsoft MVP for Developer Security / Visual Studio and Development Technologies and he holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure coding, software architecture, and software development and has served as a project manager, director of software development, chief software architect, and application security champion for several companies. He speaks at user groups, national and international conferences, and provides training for many clients.
Course outline
OWASP 2017 Update
Objectives and Overview (02:58)
- Introduction (00:20)
- About This Course (00:29)
- Previous Courses (00:45)
- Related Courses (00:26)
- Outline (00:39)
- Summary (00:18)
History (08:50)
- Introduction (00:08)
- OWASP Top 10 2017: History (00:09)
- OWASP Top 10 (01:01)
- Web Application Security Risks (02:01)
- Why Revisited (02:29)
- OWASP Top 10 2017: History (02:49)
- Summary (00:11)
Process (08:10)
- Introduction (00:10)
- OWASP Top 10 2017: Process (00:07)
- New Approaches to the OWASP Top 10 2017 (02:08)
- Changes to OWASP Top 10: 2013 to 2017 (05:31)
- Summary (00:12)
Finding OWASP (03:12)
- Introduction (00:11)
- Demo: Finding OWASP (01:50)
- Demo: OWASP Wiki (00:59)
- Summary (00:11)
XML External Entities (09:34)
- Introduction (00:12)
- A4: XML External Entities (01:55)
- Examples (02:40)
- Remote Code Execution (01:49)
- Revealing Files (01:18)
- How to Prevent XXE (01:22)
- Summary (00:15)
XXE Demo (15:23)
- Introduction (00:16)
- XXE Demo (06:26)
- Unsafe XDocument (05:04)
- Java XXE (03:17)
- Summary (00:18)
XML XXE DOTNET Demo (05:48)
- Introduction (00:15)
- XML XXE Demo (02:24)
- XML Bomb (02:54)
- Summary (00:15)
Insecure Deserialization (09:47)
- Introduction (00:13)
- A8: Insecure Deserialization (03:48)
- Examples (03:04)
- How to Prevent Insecure Deserialization (02:32)
- Summary (00:08)
Insecure Deserialize Demo (08:39)
- Introduction (00:10)
- Insecure Deserialize Demo (03:52)
- Solutions (04:27)
- Summary (00:10)
Insufficient Logging and Monitoring (08:02)
- Introduction (00:19)
- A10: Insufficient Logging and Monitoring (03:21)
- Example Attack Scenarios (02:00)
- How to Prevent (02:02)
- Summary (00:18)
The Future of OWASP (04:50)
- Introduction (00:11)
- Future OWASP Top 10 (00:49)
- OWASP Top 10: A Starting Place (00:59)
- Other OWASP Resources (02:37)
- Summary (00:12)