Course description
In this course, you will learn about the OWASP Top 10 Proactive Controls document and the many guidelines it provides to help developers write better and more secure code. In particular, I provide an overview of the Proactive Controls and then cover the first five security controls. These security controls include verifying security early and often, parameterizing SQL queries, encoding data that may be parsed as executable code, validating all inputs, and finally identity and authentication techniques that make sure you know who is using your web applications. Join me in this course as we explore the OWASP Top 10 Proactive Controls.
Prerequisites
The course assumes the student is familiar with web and/or mobile development and with basic application security principles. It is also highly recommended that the student be familiar with the OWASP Top 10 project.
LearnNowOnline provides several other courses that can prepare the student with knowledge of the OWASP Top 10 before taking this course. This course is about the OWASP Top 10 Proactive Controls, which is a supplement to the OWASP Top 10 written for developers.
Learning Paths
This course is part of the following LearnNowOnline SuccessPaths™:
OWASP
Meet the expert
Robert Hurlbut is a software security architect and trainer. He is a Microsoft MVP for Developer Security / Visual Studio and Development Technologies and he holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure coding, software architecture, and software development and has served as a project manager, director of software development, chief software architect, and application security champion for several companies. He speaks at user groups, national and international conferences, and provides training for many clients.
Course outline
OWASP Proactive Controls 1-5
Overview (14:51)
- Introduction (00:32)
- About This Course (01:19)
- What Is a Security Control (01:27)
- What are the OWASP Top 10 Proactive Controls (01:02)
- OWASP Top 10 Proactive Controls (00:33)
- Relation to OWASP Top 10 (00:27)
- History (02:01)
- For Developers by Developers (01:24)
- Demo: OWASP Top 10 Proactive Controls (05:27)
- Summary (00:34)
Verify Security (15:13)
- Introduction (00:48)
- C1 - Verify Security Early and Often (03:03)
- The DevOps Challenge to Security (03:20)
- Automated Tests in a Continuous Delivery Pipeline (00:36)
- BDD - Security Testing Framework (03:14)
- Demo: OWASP Top 10 Mapping (03:39)
- Summary (00:29)
Parameterize Queries (31:29)
- Introduction (00:22)
- C2 - Parameterize Queries (00:49)
- Anatomy of an SQL Injection Attack (03:35)
- The Perfect Password (01:45)
- SQL Injection (01:35)
- Demo: SQL Injection (04:58)
- Demo: Attack Strategies (05:10)
- Demo: Identity Membership (05:28)
- Demo: Edit Posts (02:44)
- Demo: Fixing SQL Injection (04:41)
- Summary (00:18)
Encode Data (18:26)
- Introduction (00:31)
- C3 - Encode Data (02:31)
- Anatomy of an XSS Attack (02:17)
- XSS Attack: Problem and Solution (00:39)
- Microsoft Encoder and AntiXSS Library (00:54)
- OWASP Java Encoder Project (00:26)
- Other Resources (00:18)
- Demo: Preventing XSS Attacks (04:57)
- Demo: Sanitization (05:22)
- Summary (00:26)
Validate Inputs (14:45)
- Introduction (00:26)
- C4 - Validate All Inputs (02:30)
- OWASP HTML Sanitizer Project (05:00)
- File Upload (04:05)
- File Upload Verification (02:13)
- Summary (00:29)
Identity and Authentication Controls (21:38)
- Introduction (00:21)
- C5 - Implement Identity and Authentication Control (01:10)
- Password Cracking (03:04)
- Password Management Best Practices (09:13)
- Again, the Perfect Password (01:19)
- User Authentication Best Practices (05:03)
- User Authentication - Real-World Examples (01:08)
- Summary (00:16)