Test your OWASP knowledge and earn credit.

Why is OWASP important? There is one question we get from each of our client organizations at least twice a year: “Does your organization adhere to the OWASP Top 10, and is it part of your software development life cycle (SDLC)?”


Well, currently there are no certification exams and no formal training available, so how do you prove it? We decided to compile a short 10-question quiz that will allow anyone to learn about the OWASP Top 10 and test their knowledge after each brief segment. If you need credit, save your results.

You will need to create a free account to access the training material.

Enjoy!

We offer this resource freely to everyone. We do ask you to check out our other Proactive Cyber Security services too.

OWASP Top 10 Threats and Mitigations with Bonus Courseware

Module Overview

The OWASP Top 10 defines and describes the most common and severe web application threats that developers face. We have also included bonus sections which go beyond the current OWASP Top 10.

As a developer, you need to understand these threats and take precautionary measures at every stage of product development to mitigate them.

Topics covered in this review

Security Principles

  • Threat 1: Injection
  • Threat 2: Broken Authentication
  • Threat 3: Sensitive Data Exposure
  • Threat 4: XML External Entities (XXE)
  • Threat 5: Broken Access Control
  • Threat 6: Security Misconfiguration
  • Threat 7: Cross-Site Scripting (XSS)
  • Threat 8: Insecure Deserialization
  • Threat 9: Using Components with Known Vulnerabilities
  • Threat 10: Insufficient Logging and Monitoring

Bonus Section

  • Threat 11: Unvalidated Redirects and Forwards
  • Threat 12: Insecure Cryptographic Storage
  • Threat 13: Failure to Restrict URL Access
  • Threat 14: Insufficient Transport Layer Protection
  • Threat 15: Cross-Site Request Forgery (CSRF)

Module Objectives

After completing this course, you will be able to:

  • Explain the key security principles related to the OWASP Top 10 and Bonus Courseware.
  • Identify and explain the ten threats in the OWASP Top 10 and the Bonus Courseware threats.
  • Explain mitigation techniques for the 10 identified threats and the Bonus Courseware threats.

Security Principles

Let’s look at three key security principles related to the OWASP Top 10 threats. During this course, you will learn about the concepts associated with each of the Top 10 threats and the Bonus Courseware. Additionally, you will learn about the techniques that you can use to mitigate each threat.

Input is Evil

Much of security is related to input and a user’s ability to interact with and control that input. You should always mistrust and question user input everywhere it is accepted in your application. Remember that any input you receive could be malicious, and you need to validate it before you trust it.

TOCTOU

Time of Check versus Time of Use, or TOCTOU, describes the temporality of computing. Although it is convenient to think of a computer program as a series of instructions, starting at a method and proceeding sequentially until it completes, remember that this interpretation is only an abstraction. Even though you might check input, state, or data at one point in time, an attacker may be able to control some aspect of the program between the time the resource is checked and the time it is used, which can lead to illegitimate access to the resource.
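The following is an added example, not part of the course material, that makes the TOCTOU window concrete with the classic file-system case. `read_if_regular_insecure` validates a path and then opens it by name, so the validated object and the used object can differ; `read_if_regular_safe` opens first and validates the descriptor it actually obtained, so there is nothing to swap between check and use. The files and the `swap` callback (which stands in for another process winning the race) are constructed for the demo; the code assumes a POSIX system with `os.O_NOFOLLOW`.

```python
import os
import stat
import tempfile


def read_if_regular_insecure(path, between_check_and_use=None):
    """Check-then-use: validate the name, then open the name again.

    The gap between lstat() and open() is the TOCTOU window. Anything that
    changes what `path` refers to in that gap is never re-checked.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing to read a non-regular file")
    if between_check_and_use:
        between_check_and_use()          # simulated loss of the race
    with open(path, "rb") as f:          # re-resolves the name: follows symlinks
        return f.read()


def read_if_regular_safe(path, between_check_and_use=None):
    """Use-then-check: open once, then validate the descriptor we hold.

    O_NOFOLLOW refuses to open a symlink at the final path component, and
    fstat() inspects the object behind the descriptor rather than the name,
    so a swap before or after the open cannot change what is read.
    """
    if between_check_and_use:
        between_check_and_use()          # the swap now happens before the only resolution
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:       # the file object now owns fd
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing to read a non-regular file")
        return f.read()


def run_demo():
    """Constructed scenario: a public file that may be read and a secret file
    that must not be reachable through the helpers. Returns what each helper
    actually produced so the difference can be checked."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "w") as f:
            f.write("public data")
        with open(secret, "w") as f:
            f.write("TOP SECRET")

        def swap():
            # Replace the already-validated regular file with a symlink to the
            # secret. Models a concurrent writer acting inside the window.
            os.remove(public)
            os.symlink(secret, public)

        # 1. check-then-use passes the check on public.txt but reads secret.txt
        leaked = read_if_regular_insecure(public, swap).decode()

        # restore the regular file for the second run
        os.remove(public)
        with open(public, "w") as f:
            f.write("public data")

        # 2. open-then-check: the swapped-in symlink is refused outright
        try:
            read_if_regular_safe(public, swap)
            safe_blocked = False
        except OSError:                  # ELOOP from O_NOFOLLOW (or PermissionError)
            safe_blocked = True

        # 3. and the safe helper still serves the legitimate file when nothing races
        os.remove(public)
        with open(public, "w") as f:
            f.write("public data")
        served = read_if_regular_safe(public).decode()

        return leaked, safe_blocked, served


if __name__ == "__main__":
    print(run_demo())
```

The fix is not a smaller window but no window: the check is performed on the same kernel object the read uses. `O_NOFOLLOW` only addresses symlink substitution at the last path component; a hard link to the secret would still be a regular file, so a real implementation would also compare `st_uid`/`st_dev`/`st_ino` against what it expects, or confine reads to a directory opened once with `openat`-style calls.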

Dynamic Threat Environment

Finally, remember that the world is constantly changing and chaotic, with new threats developing and manifesting every single day. A system that was secure in the past may not be secure against new threats. You need a consistent and reproducible plan for handling evolving threats.

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

The Foundation came online on December 1st, 2001. It was established as a not-for-profit charitable organization in the United States on April 21, 2004 to ensure the ongoing availability and support for our work at OWASP. OWASP is an international organization and the OWASP Foundation supports efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security include improvements in all of these areas. We can be found at www.owasp.org.

OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative and open way. The Foundation is a not-for-profit entity that ensures the project’s long-term success.