Web Application Security for Absolute Beginners (no coding!)
[UPDATED in 2021]
Within 1.5 hours you will understand web application security without having to code. This course will jumpstart your security career.
I will teach you the 10 most common threats identified by the Open Web Application Security Project (OWASP). By the end of the course you will know:
1) what the OWASP top 10 threats are,
2) the impact of each security threat on your business,
3) how these security threats can be executed by attackers / pentesters / hackers,
4) how these security threats can be mitigated.
You will be able to understand the above-mentioned points without having to understand code…
For your convenience I’ve combined the OWASP 2017 and OWASP 2013 top 10 lists into a single list of 10 common web application security threats.
How is that possible?
The threats are explained conceptually, since the implementation of a threat may differ per situation. Therefore, a general understanding of the security threats, their implications and potential solutions will provide you with the essential knowledge to mitigate the impact of these web application security threats. Hence, no security coding or security testing experience is needed.
So, after following this course am I able to develop code-based solutions for the top 10 threats?
No. This course will teach you the basic concepts behind the 10 most common web application security threats so that you can critically question and discuss these security issues with software/operational engineers.
Uhm, after following this course I’m a full-fledged security expert, right?
Depends on the knowledge of the person that is judging your expertise. Most likely this won’t be the case.
What!?! Why should I enroll?
Only enroll when you are new to secure coding, secure web development and want a complete beginners’ perspective on web application security. This course is specifically developed for:
– (Project) managers that lead software projects, but have no clue how software engineers could mitigate potential security issues
– Recruiters hiring software engineers
– Software engineers that want to refresh their knowledge on web application security and secure coding principles
– Beginning red team, blue team, yellow and purple team members, hackers, or penetration testers
– Anyone interested in the basics of web application security or OWASP top 10 explained in layman’s terms
Ok, but there is already a lot of information on OWASP available on the web. So, what’s in it for me?
I thought you would never ask! This course differentiates itself from the information already available because:
– Existing OWASP documentation is technical and therefore difficult to comprehend (I’ll include some examples of technical documents as resources that you may download).
– Unlike most other courses, you may actually claim 1 Continuing Professional Education (CPE) after finishing this course completely
– I’ll update this course with new videos on request or as significant security issues surface that have important implications for managers. Thus, over time this course may become your one-stop security education!
– I’ve included lots of documents that explain detailed mitigation strategies. Please note that these documents contain code and are therefore more suited for people that are implementing or testing security fixes.
– I’ve included lots of links to websites that provide comprehensive background information.
– That’s not it, there is more…
BONUS Material:
– Defense in depth. This is one of the basic security principles.
– Basic explanation of STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege). I’ve also added privacy by design resources in this course. This means both security by design and privacy by design!
– Overview of a secure software development process. Build security into your delivery process.
– Frequently asked questions. Ask a security question and I’ll answer it with a video.
Why include bonus material, is the main course not exciting enough?
Again, excellent question! Getting security right goes well beyond web application security. With the bonus material, I would like to inform you about the complementary measures that should be taken into account.
I’m fully convinced of the benefits, but I don’t see why I should learn all this from you.
True, let me explain by giving you an overview of my experience:
– Chief Information Security Officer (present). Managing Security, Privacy and Quality professionals. Responsible for implementing and maintaining a well-balanced organisational risk posture;
– Security and privacy operations manager (2 years). Acting as a security liaison on strategic accounts, I monitor the security of 2500+ workstations, 500+ servers and 10+ firewalls and routers, report on the operational security status of European and Dutch law and integrate intelligence results from AVDS, Check Point, Nagios, Nessus, Palo Alto Traps, SCCM, SCEP, SEP, SCOM and SIEM;
– Part-time PhD Candidate (7 years – present). I read the science, you’ll get the knowledge! What more do you want?
– Software quality consultant (6.5 years). I’ve advised many managers of large / small IT projects on various software related aspects;
– IT auditor (1 year). I have closely worked with accountants and audited large governmental IT projects;
– Quality assurance engineer (3 years). I have implemented large IT systems for large companies.
You can find more details on LinkedIn or on my profile.
Go ahead and click the enroll button, and I’ll see you in lesson 1!
Cheers,
Soerin
1) Introduction OWASP top 10 (2017) (video lesson)
For your convenience I've combined the OWASP 2017 and OWASP 2013 top 10 lists into a single list of 10 common threats.
2) UPDATED - OWASP top 10 (2021) (video lesson)
Please note that the new videos regarding the updated OWASP top 10 can be found in a separate section called: New videos!
Happy learning!
3) Injection (video lesson)
This video explains the first web application security vulnerability, (SQL) injection [OWASP top 10].
Even in 2021, injection attacks, especially SQL injection, are commonplace. Injection attacks can be defeated using input / output sanitisation techniques, which are described in the attachments. However, there are several categories of injection vulnerabilities. The categories are explained in:
- You Shall Not Pass: Mitigating SQL Injection Attacks on Legacy Web Applications
- A novel technique to prevent SQL injection and cross-site scripting attacks
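As an added illustration of the input / output sanitisation point above (example code written for this page, not material from the course or its attachments), the following Python script builds a constructed in-memory SQLite table and contrasts a query that splices user input into the SQL text with the parameterised form, plus an allow-list check on the username. The table, the rows, the function names and the allow-list rule are all assumptions made for the demo.

```python
import re
import sqlite3
from typing import List

# Allow-list for the one field this endpoint accepts (constructed rule for the demo):
# letters, digits and underscore, 1 to 32 characters. Anything else is refused up front.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(value: str) -> bool:
    """Input sanitisation step: reject input that cannot be a legitimate username."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table (not the course's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("carol", "admin")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Vulnerable form: the untrusted string is spliced into the SQL text, so the
    database cannot tell where the query ends and the data begins."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Mitigated form: the value is bound as a parameter and is never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Constructed probe input: a tautology that the vulnerable query will treat as SQL.
TAUTOLOGY = "x' OR '1'='1"


def demo() -> dict:
    """Run both query forms and the allow-list against a normal name and the probe."""
    conn = make_db()
    return {
        "unsafe_normal": find_user_unsafe(conn, "alice"),
        "unsafe_tautology": find_user_unsafe(conn, TAUTOLOGY),   # every row leaks
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_tautology": find_user_safe(conn, TAUTOLOGY),       # no such username
        "allowlist_normal": is_valid_username("alice"),
        "allowlist_tautology": is_valid_username(TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Parameterisation is the primary control: the same probe string that returns every row from the vulnerable query is just an unmatched literal for the parameterised one. The allow-list is defence in depth for this particular field; it is not a substitute for binding parameters, because many legitimate fields (free text, addresses) cannot be restricted this tightly.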
4) Injection (quiz)
Select the best possible answer. Good luck!
5) Broken Authentication and Session Management (video lesson)
This video explains the second web application security vulnerability, Broken Authentication [OWASP top 10]. Some authentication methods, especially the ones that rely solely on usernames and passwords, are considered broken. In fact, the Open Web Application Security Project or OWASP has ranked broken authentication as number 2 in the list of most seen application vulnerabilities. It is, therefore, important to understand the threats that are common to authentication mechanisms (quote from Authentication and access control, written by Sirapat Boonkrong).
This vulnerability has been renamed by OWASP from Broken Authentication and Session Management to Broken Authentication. The vulnerability is still the same, hence I'm leaving this video untouched. If you have any questions or remarks, please don't hesitate to contact me.
Amazon link to Authentication and access control: https://amzn.to/3qcTIh7
6) Broken Authentication and Session Management (quiz)
What is the impact of Broken Authentication and Session Management, and how can it be mitigated?
7) Cross-Site Scripting (XSS) (video lesson)
This video explains the seventh web application security vulnerability, Cross-Site Scripting [OWASP top 10].
OWASP has a cheat sheet that you can use to reduce the likelihood of XSS attacks: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
8) Cross-Site Scripting (XSS) (quiz)
What is the most important message you want to communicate to your developers when mitigating Cross-Site Scripting?
9) Broken Access Control (video lesson)
This video explains the fifth web application security vulnerability, Broken Access Control [OWASP top 10].
OWASP provides several hints for resolving Broken Access Control. Herewith the link(s): https://www.owasp.org/index.php/Broken_Access_Control. More detail is provided here: https://www.owasp.org/index.php/Category:Access_Control.
10) Broken Access Control (quiz)
11) Security Misconfiguration (video lesson)
This video explains the sixth web application security vulnerability, Security Misconfiguration [OWASP top 10].
OWASP is still in the process of documenting misconfigurations in web servers, application servers, frameworks, CMSs, etc. This documentation process is far from complete at this moment (Sept. 2017) and will probably never be complete. Nevertheless, I believe their online documentation gives you some pointers. Herewith the link to their online documentation: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html
12) Security Misconfiguration (quiz)
This lecture has two questions.
13) Sensitive Data Exposure (video lesson)
This video explains the third web application security vulnerability, Sensitive Data Exposure [OWASP top 10].
As with security misconfiguration, OWASP is still in the process of documenting sensitive data exposure. This documentation process is far from complete at this moment (Sept. 2017) and will probably never be complete. Nevertheless, I believe their online documentation gives you some pointers. Herewith the link to their documentation: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html
14) Sensitive Data Exposure (quiz)
Select the best answer.
15) Insufficient Attack Protection (video lesson)
As with security misconfiguration, OWASP is still in the process of documenting insufficient attack protection. This documentation process is far from complete at this moment (Sept. 2017) and will probably never be complete. OWASP has since decided to discard this issue (checked in Apr. 2020). Nevertheless, this issue may still be relevant for you. For information regarding attack surface analysis visit this link:
https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html
On a broader level you could also think of threat modelling. Herewith OWASP’s cheat sheet:
https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
16) Insufficient Attack Protection (quiz)
Select the best answer.
17) Cross-Site Request Forgery (CSRF) (video lesson)
18) Cross-Site Request Forgery (quiz)
Select the best answer.
19) Using Components with Known Vulnerabilities (video lesson)
This video explains the ninth web application security vulnerability, Components with Known Vulnerabilities [OWASP top 10].
OWASP provides several hints for resolving the use of components with known vulnerabilities. Herewith a link to virtual patching: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities.html
How to fix the Heartbleed bug: http://heartbleed.com/
20) Using Components with Known Vulnerabilities (quiz)
This quiz contains two questions. Select the best answer.
21) Underprotected APIs (video lesson)
As with security misconfiguration, OWASP is still in the process of documenting underprotected APIs. This documentation process is far from complete at this moment (Sept. 2017) and will probably never be complete. OWASP has since decided to discontinue this issue (checked in Apr. 2020). Nevertheless, it may still be relevant for you. Herewith the link to their documentation:
https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
Security code review tools you can use to perform secure code reviews/audits: https://www.owasp.org/index.php/Source_Code_Analysis_Tools
I've also included three academic papers that explain best practices for creating secure APIs (especially for microservices).
22) Underprotected APIs (quiz)
This quiz contains two questions. Select the best answer.
23) XML External Entities (new) (video lesson)
This video explains the fourth web application security vulnerability, XML External Entities [OWASP top 10].
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
Links:
Explanation: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
Cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Presentation (old): http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20XML%20External%20Entity%20Attacks%20(XXE)%20-%20owasp.pdf
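Added example (written for this page, not code from the course or from OWASP): the linked cheat sheet's first recommendation is to disable DTDs entirely, so that no entity, internal or external, can be declared. One way to apply that with Python's standard library is a pre-check with expat that refuses any DOCTYPE before the document reaches ElementTree. The two sample documents, the element names and the placeholder file path are constructed for the demo.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when an untrusted document declares a DOCTYPE (and so may declare entities)."""


def _refuse_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as it sees <!DOCTYPE ...>, before any entity is
    # declared or expanded, so raising here stops processing at the earliest point.
    raise DtdNotAllowed(f"DOCTYPE {name!r} is not allowed in untrusted XML")


def reject_dtd(data: bytes) -> None:
    """First pass: scan with expat and abort on any DOCTYPE declaration.

    Scanning with the parser rather than searching the bytes for '<!DOCTYPE' means
    the check honours the document's declared encoding (e.g. UTF-16 input).
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse_doctype
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject DTDs first, then parse with ElementTree."""
    reject_dtd(data)
    return ET.fromstring(data)


def item_skus(data: bytes) -> list:
    """Application logic that only ever sees DTD-free documents."""
    return [item.get("sku") for item in parse_untrusted_xml(data).iter("item")]


def is_accepted(data: bytes) -> bool:
    """True if the document passes the DTD check and is well-formed XML."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DtdNotAllowed, xml.parsers.expat.ExpatError, ET.ParseError):
        return False


# Constructed sample documents (not from the course).
BENIGN = (
    b'<?xml version="1.0"?>'
    b'<order><item sku="A-1">2</item><item sku="B-7">1</item></order>'
)
# Same shape as the pattern OWASP describes: an entity whose SYSTEM identifier points
# at a local file. The path is a placeholder; the document only exercises the rejection path.
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/local-file">]>'
    b'<order><item sku="A-1">&ext;</item></order>'
)

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN), item_skus(BENIGN))
    print("document with DTD accepted:", is_accepted(WITH_DTD))
```

Python's ElementTree does not fetch external entities by itself, so the pre-check is defence in depth here; its value is that any DTD becomes an explicit, loggable rejection rather than a parser-dependent behaviour, and the same check also blocks internal-entity expansion (the "billion laughs" denial of service the cheat sheet covers). For parsers whose defaults do resolve entities, the cheat sheet lists the parser-specific switches to turn off.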
24) XML External Entities (new) (quiz)
Select the best answer.
25) Insecure Deserialization (video lesson)
This video explains the eighth web application security vulnerability, Insecure Deserialization [OWASP top 10].
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Links:
Explanation: https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
Cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
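Added example (mine, not the course's or OWASP's code): the cheat sheet advises against handing untrusted bytes to a native deserialiser such as pickle or Java serialization, and recommends a restricted data format with an integrity check instead. The Python module below applies that to a session-token use case: a JSON body with a fixed schema, an HMAC-SHA256 tag verified in constant time before the body is even parsed, and an expiry that bounds replay. The key, the payload, the field names and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed schema for the demo: every field that may appear and its exact type.
# Pinning the shape removes the object-graph freedom that native deserialisers give an attacker.
ALLOWED_FIELDS = {"user_id": int, "role": str, "exp": int}


class BadToken(ValueError):
    """Raised for any token that must not be trusted (malformed, tampered, expired)."""


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes) -> str:
    """Serialise as canonical JSON and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64encode(body) + "." + _b64encode(tag)


def verify_and_load(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Check the tag BEFORE parsing the body, then enforce the schema and the expiry."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _b64decode(body_b64), _b64decode(tag_b64)
    except ValueError as exc:  # wrong number of parts or invalid base64
        raise BadToken("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise BadToken("signature mismatch")
    try:
        payload = json.loads(body)
    except ValueError as exc:
        raise BadToken("body is not JSON") from exc
    if not isinstance(payload, dict) or set(payload) != set(ALLOWED_FIELDS):
        raise BadToken("unexpected fields")
    for name, expected_type in ALLOWED_FIELDS.items():
        if type(payload[name]) is not expected_type:  # exact type: bool is not int here
            raise BadToken(f"field {name!r} has the wrong type")
    current = int(time.time()) if now is None else now
    if payload["exp"] <= current:
        raise BadToken("token expired")
    return payload


def is_valid(token: str, key: bytes, now: int) -> bool:
    try:
        verify_and_load(token, key, now)
        return True
    except BadToken:
        return False


def tamper_role(token: str, new_role: str) -> str:
    """Edit the body while keeping the old tag, which is all someone without the key can do."""
    body_b64, tag_b64 = token.split(".")
    payload = json.loads(_b64decode(body_b64))
    payload["role"] = new_role
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64encode(body) + "." + tag_b64


# Constructed demo values (not real secrets, users or times).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_PAYLOAD = {"user_id": 42, "role": "user", "exp": 2_000_000_000}
DEMO_NOW = 1_700_000_000

if __name__ == "__main__":
    token = sign(DEMO_PAYLOAD, DEMO_KEY)
    print("valid token accepted:", is_valid(token, DEMO_KEY, DEMO_NOW))
    print("tampered token accepted:", is_valid(tamper_role(token, "admin"), DEMO_KEY, DEMO_NOW))
    print("expired token accepted:", is_valid(token, DEMO_KEY, 2_000_000_001))
```

Three of the attack classes the text names map onto three checks: the HMAC defeats tampering and privilege escalation via an edited role, the fixed schema prevents injection of unexpected fields or types, and the expiry limits replay. In a real deployment the key lives in a secrets store and is rotated; the demo constant is only there so the script runs offline.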
26) Insecure Deserialization (quiz)
Select the best answer.
27) Insufficient Logging and Monitoring (video lesson)
This video explains the last web application security vulnerability, Insufficient Logging and Monitoring [OWASP top 10].
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
Links:
Explanation: https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring
Cheat sheet: https://owasp.org/www-project-proactive-controls/v3/en/c9-security-logging.html
The 3 R's of security (Rotate, Repave and Repair): https://builttoadapt.io/the-three-r-s-of-enterprise-security-rotate-repave-and-repair-f64f6d6ba29d
Verizon data breach report (2020): https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf
28) Insufficient Logging and Monitoring (quiz)
Select the best answer.
29) Defense in Depth (video lesson)
Please find a qualitative risk analysis methodology process in the resources of this lecture (defense in depth revisited one column.pdf). Though this process is quite tedious, it gives you an overview of what you could think of when estimating the risks that might occur.
I've also included defense in depth mitigation strategies from the US Department of Homeland Security. It is very comprehensive and thus gives you a nice overview of the strategies you could employ in your organization (NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf).
30) STRIDE (video lesson)
STRIDE is used to identify threats and stands for: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. Microsoft has documented the use and identification of threats comprehensively on their website:
- https://docs.microsoft.com/en-us/archive/blogs/heinrichg/stride-cia-and-the-modern-adversary
- https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878%28v%3dcs.20%29
HOWEVER, please note that security sometimes hurts privacy. For instance, collecting a lot of information about the user enables you to hold the user accountable (good for resolving security incidents), but may hurt privacy (since you are collecting too much information). To identify privacy threats, researchers came up with the LINDDUN framework.
- https://www.linddun.org/linddun
- https://www.linddun.org/downloads
I've also attached a paper that provides you with a concrete example of data protection by design (thus identifying and resolving privacy threats).
31) Secure Development Processes (video lesson)
Herewith some additional background resources you can use to get in-depth knowledge of secure software development processes.
1) MS SDL. https://www.microsoft.com/en-us/SDL/adopt/tools.aspx
2) Open SAMM. http://www.opensamm.org/download/
3) Touchpoints. There is less public information about Touchpoints, hence I've attached some work of the author Gary McGraw: Software_security_building_security_in.pdf.
I also added comparisons between the processes in the resources of this lecture, i.e. (1) On the secure software development process: CLASP, SSDL and Touchpoints compared, and (2) Comparison of SDL and Touchpoints.