Course description
In this course, you will learn about the OWASP Top 10 Proactive Controls document and the many guidelines it provides to help developers write better and more secure code. In particular, I will cover the last five controls. These include implementing access control to verify what a user is allowed to do in a system, methods of protecting data at rest and in transit, implementing logging and intrusion detection, and finally I will talk about using existing security frameworks and libraries as well as best practices for error and exception handling. Join me in this course as we continue our exploration of the OWASP Top 10 Proactive Controls.
Prerequisites
The assumption is the student is familiar with web and/or mobile development plus basic application security principles. Also, it is highly recommended the student be familiar with the OWASP Top 10 project.
There are several other courses provided by LearnNowOnline which can prepare the student with knowledge of the OWASP Top 10 before taking this course. This course is about the OWASP Top 10 Proactive Controls, which is a supplement to the OWASP Top 10 for developers
Learning Paths
This course is part of the following LearnNowOnline SuccessPaths™:
OWASP
Meet the expert
Robert Hurlbut is a software security architect and trainer. He is a Microsoft MVP for Developer Security / Visual Studio and Development Technologies and he holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure coding, software architecture, and software development and has served as a project manager, director of software development, chief software architect, and application security champion for several companies. He speaks at user groups, national and international conferences, and provides training for many clients.
Course outline
OWASP Proactive Controls 6-10
Implement Access Controls (15:00)
- Introduction (00:33)
- C6 - Implement Appropriate Access Controls (02:41)
- Access Control Anti-Patterns (07:13)
- Role-Based Access Control (01:22)
- ASP.NET Roles vs. Claims Authorization (01:29)
- Apache Shiro Permission-Based Access Control (01:16)
- Summary (00:23)
Protect Data (18:54)
- Introduction (00:31)
- C7 - Protect Data (00:47)
- Encrypting Data in Transit (03:52)
- HSTS (Strict Transport Security) (04:22)
- Certificate Pinning (02:45)
- Browser-Based TOFU Pinning (01:32)
- Pinning in Play (Chrome) (00:52)
- Forward Secrecy (01:35)
- Google KeyCzar (01:04)
- Libsodium (01:13)
- Summary (00:15)
Logging and Intrusion Detection (10:22)
- Introduction (00:24)
- C8 - Implement Logging and Intrusion Detection (01:15)
- Tips for Proper Application Logging (03:13)
- Detection Points Examples (05:07)
- Summary (00:21)
Security Frameworks and Exception Handling (11:26)
- Introduction (00:30)
- C9 - Leverage Security Frameworks and Libraries (03:08)
- Security Frameworks and Libraries (01:06)
- C10 - Error and Exception Handling (02:18)
- Best Practices for Error and Exception Handling (03:58)
- Summary (00:23)