Exploring OWASP Top Ten
The impact of exploited software is obvious. We are beyond the point where vulnerabilities can go unaddressed. The recently updated OWASP Top 10 has become the most recognized source for defining the most significant vulnerabilities. This series of quick, hard-hitting sessions sets the context and charges through each of the OWASP vulnerabilities. Each virtual, instructor-led session provides a solid set of information for developers, testers, and other stakeholders about understanding, identifying, and mitigating a vulnerability. These short, intense sessions maximize the flow of information in an effective and interactive manner.
Students who attend this sequence of sessions will gain an understanding of the recently updated OWASP Top 10. Each of these sessions provides useful insights, discussions, and, in many cases, demonstrations of the application vulnerabilities that are plaguing the industry.
After a quick examination of the context for application security and the OWASP Top 10, each of the vulnerabilities is covered in detail. After the ten vulnerabilities are examined in detail, we wrap up with sessions on next steps for attendees to take as well as an overview of Threat Modeling.
Attendees will gain an understanding of:
- The mechanism by which the vulnerability is exploited. Often the exploitability of a vulnerability is rooted in an underlying pattern that is valid across many technologies and architectures.
- The prevalence of the vulnerability, including characteristics to focus on during design and code reviews to help detect potential issues.
- The potential consequences of a successful exploit.
- The measures that can be taken to eliminate, prevent, or minimize the risk of an exploited vulnerability.
- The relative effectiveness of scanners and other tools in detecting the vulnerability being discussed.
- Generic and code-specific references that can be utilized after the session.
Trivera offers hundreds of end-to-end skills-focused courses that provide participants with the job-ready skills they require to be truly productive in a modern IT business enterprise. Our courses are available for individuals, their teams, or across their organization, for students of all skill levels and roles. We offer an extensive online Public Course Schedule, deep catalog for Private Courses, flex-hour Mini-Camp short courses, self-paced QuickSkills courses, free webinars and more. Trivera’s unique EveryCourse Extras and AfterCourse Extras programs, included with every course, ensure our students can put their newly-learned skills right to work, while providing them with a solid platform for continued skills-development, support and long-term growth. For more information about our dedicated training services, public course offerings, collaborative coaching services, new hire or enterprise upskilling programs, or to see our complete list of course offerings and special offers please call us toll free at 844-475-4559. Our pricing and services are always satisfaction guaranteed.
Who should attend?
This is an introductory-level course designed for technical stakeholders and web developers. Familiarity with programming is helpful but not required.
Session 1: Jumping into the OWASP Top 10
- Security: The Complete Picture
- Attack Patterns
- Anthem, Dell, Target, Equifax, and Marriott Debriefs
- Verizon’s 2019 Data Breach Report
- Assumptions We Make
- Recognizing Assets
- Introduction to OWASP Top 10
Session 2: A1: Injection
- Injection Flaws
- Examples: SQL Injection
- Drill Down on Stored Procedures
- Understanding the Underlying Problem
- Other Forms of Injection
- Minimizing Injection Flaws
- Potential Demonstration: Defending Against SQL Injection
Session 3: A2: Broken Authentication
- Weak Authentication Data
- Protecting Authentication Data
- Protecting Authentication Services
- Effective Credential Management
- Effective Multi-Factor Authentication
- Handling Passwords on Server Side
- Potential Demonstration: Defending Authentication
Session 4: A3: Sensitive Data Exposure
- Protecting Data Can Mitigate Impact of Exploit
- Regulatory Considerations
- Establishing an Asset Inventory
- At Rest Data Handling
- In Motion Data Handling
- In Use Data Handling
- Potential Demonstration: Defending Sensitive Data
Session 5: A4: XML External Entities (XXE)
- Recognizing XML Processing: Direct, REST, SOAP, etc.
- Challenges of Safe XML Parsing
- Managing External Entity Resolution
- XSLT Processing Challenges
- Safe XML Processing
- Potential Demonstration: Safe XML Processing
Session 6: A5: Broken Access Control
- Access Control and Trust Boundaries
- Excessive Privileges
- Insufficient Flow Control
- Unprotected API Resource Access
- JWTs, Sessions and Session Management
- Single Sign-on (SSO)
- Potential Demonstration: Enforcing Access Control
Session 7: A6: Security Misconfiguration
- System Hardening: IA Mitigation
- Application Whitelisting
- Principle of Least Privilege in Real Terms
- Secure Configuration Baseline
- Error-Handling Issues
Session 8: A7: Cross Site Scripting (XSS)
- XSS Patterns
- Stored XSS
- Reflected XSS
- DOM XSS
- Best Practices for Untrusted Data
- Potential Demonstration: Defending Against XSS
Session 9: A8/9: Insecure Deserialization
- Recognizing Serialization in Java, JSON.Net and Elsewhere
- Deserializing Hostile Objects
- Safely Managing Deserialization
A9: Using Components with Known Vulnerabilities
- Maintaining Software Inventory
- Awareness of Vulnerabilities, Updates, and Patches
- Managing Versions, Updates, and Patches
- Reducing Software Risks
Session 10: A10: Logging and Monitoring
- Fingerprinting a Web Site
- Recognizing When and What to Log
- Logging in Support of Forensics
- Monitoring and Alerting
- Responding to Alerts
Session 11: Moving Forward
- Strength Training: Project Teams/Developers
- Strength Training: IT Organizations
- OWASP ASVS
- Leveraging Common AppSec Practices and Controls
Session 12: Threat Modeling
- Types of Security Controls
- Attack Phases
- Threat Modeling Overview
- Modeling Assets, Trust Boundaries, and Data Flows
- Relating Threats to Model
Course delivery details
Student Materials: Each student will receive a Student Guide with course notes, code samples, software tutorials, diagrams and related reference materials and links (as applicable). Our courses also include step-by-step hands-on lab instructions and solutions, clearly illustrated for users to complete hands-on work in class, and to revisit to review or refresh skills at any time. Students will also receive related (as applicable) project files, code files, data sets and solutions required for the hands-on work.
Classroom Setup Made Simple: Our dedicated tech team will work with you to ensure your classroom and lab environment is set up, tested and ready to go well in advance of the course delivery date, ensuring a smooth start to class and a seamless hands-on experience for your students. We offer several flexible student machine setup options, including guided manual setup for simple installation directly on student machines, cloud-based / remote-hosted lab solutions where students log in to a completely separate lab environment with no local installations, or complete turn-key, pre-loaded equipment so we can bring ready-to-go student machines to your facility. Please inquire for details, options and pricing.
- Price: $1,395.00
- Discounted Price: $906.75
Why choose Trivera Technologies LLC?
Over 25 years of technology training expertise.
Robust portfolio of over 1,000 leading edge technology courses.
Guaranteed to run courses and flexible learning options.
Trivera Technologies is an IT education services & courseware firm that offers a wide range of professional technical education services including: end-to-end IT training development and delivery, skills-based mentoring programs, new hire training and re-skilling services, courseware licensing and...