Web application security

Day 1

• Cyber security basics
  • What is security?
  • Threat and risk
  • Cyber security threat types – the CIA triad
  • Consequences of insecure software
• The OWASP Top Ten 2021
  • The OWASP Top 10 2021
  • A01 – Broken Access Control
    • Access control basics
    • Confused deputy
    • File upload
    • Open redirects and forwards
    • Cross-site Request Forgery (CSRF)
  • A02 – Cryptographic Failures
    • Information exposure
    • Cryptography for developers

Day 2

• A03 – Injection
  • Injection principles
  • Injection attacks
  • SQL injection
  • Code injection
  • HTML injection – Cross-site scripting (XSS)
• A04 – Insecure Design
  • The STRIDE model of threats
  • Secure design principles of Saltzer and Schroeder
  • Client-side security
• A05 – Security Misconfiguration
  • Configuration principles
  • Server misconfiguration
  • Cookie security
  • XML entities

Day 3

• A06 – Vulnerable and Outdated Components
  • Using vulnerable components
  • Assessing the environment
  • Hardening
  • Untrusted functionality import
  • Vulnerability management
• A07 – Identification and Authentication Failures
  • Authentication
  • Session management
• A08 – Software and Data Integrity Failures
  • Integrity protection
  • Subresource integrity
  • Insecure deserialization
• A09 – Security Logging and Monitoring Failures
  • Logging and monitoring principles
• A10 – Server-side Request Forgery (SSRF)
  • Server-side Request Forgery (SSRF)
  • Case study – SSRF and the Capital One breach
• Wrap up
  • Secure coding principles
  • And now what?