Course: OWASP Top 10
duration: 19 hours |
Language: English (US) |
access duration: 180 days |
OWASP is an international organization that focuses on improving software security. In this online training you will start with an introduction about the software development tools that can ensure the development of secure web applications, including OWASP ZAP, Burp Suite and OWASP ESAPI.
Next, you will dive into the OWASP Top 10 of most critical security risks, namely:
- Broken authentication
- Sensitive data exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
Finally, you will get started with web application vulnerabilities. For example, you will learn how to use reconnaissance methods and learn how to carry out attacks such as XSS, CSRF and injection.
After successful completion of this training, you will be able to identify the OWASP top 10 vulnerabilities in web applications. In addition, you know how to use countermeasures against these vulnerabilities.
A basic knowledge of web security is recommended.
Web Developer, Security Specialist
OWASP Top 10
OWASP Top 10: Web Application Security
Web applications are ubiquitous in today's computing world. In
- this course, you'll learn about software developer tools that can
- result in secure web application creation. You'll learn about
- server-side and client-side code, as well how to scan a web app for
- vulnerabilities using OWASP ZAP and Burp Suite. Next, you’ll
- explore secure coding using the OWASP ESAPI. Moving on, you’ll
- examine how to enable the Metasploitable intentionally vulnerable
- web app virtual machine. You'll also learn about different types of
- software testing methodologies and the difference between
- vulnerability scanning and penetration testing. Lastly, you'll
- learn how to deploy a web application firewall in the Microsoft
- Azure cloud.
OWASP Top 10: A1 - Injection
Many web applications accept input from either external data
- sources or app users. In this course, you'll learn about various
- types of injection attacks such as SQL and command injections. You
- will learn how malicious users submit malicious code or commands to
- a web app for execution by the web server stack. Next, you'll learn
- how to test a web app for injection vulnerabilities using the OWASP
- ZAP tool. Next, you’ll set low security for a vulnerable web
- application tool in order to allow the execution of injection
- attacks. Next, you'll execute various types of injection attacks
- against a web application. Lastly, you will learn how to mitigate
- injection attacks using techniques such as input validation and
- input sanitization.
OWASP Top 10: A2 - Broken Authentication
Hardening user and device authentication can go a long way in
- securing web applications. In this course, you'll start by learning
- the difference between authentication and authorization, where
- authorization follows successful authentication. You'll also learn
- how authentication and authorization are related to web application
- security. Next, you'll explore how to hash and encrypt user
- credentials and harden user accounts through Microsoft Group
- Policy. You'll then examine how to use freely available tools to
- crack user credentials in various ways, such as using the John the
- Ripper tool to pass Linux passwords and the Hydra tool to crack RDP
- passwords. Lastly, you'll learn how to enable user multi-factor
- authentication and conditional access policies, as well as how to
- mitigate weak authentication.
OWASP Top 10: A3 - Sensitive Data Exposure
Data is one of the most valuable assets to an organization and
- must be protected in accordance with applicable laws, regulations,
- and security standards. In this course, you'll learn about attacks
- that compromise sensitive data, as well as how to classify
- sensitive data using a variety of methods. Next, you'll examine how
- to hash files in Windows and Linux, along with various methods of
- file encryption for Windows devices. You'll then explore the PKI
- hierarchy and how to use a certificate to secure a web application
- with HTTPS. Lastly, you'll learn how to configure IPsec, encrypt
- cloud storage, and mitigate sensitive data attacks.
OWASP Top 10: A4 - XML External Entities
Extensible Markup Language uses tags to describe data and has
- become the standard information exchange format between dissimilar
- systems. Many applications use XML to share and manage data. In
- this course, you'll begin with an XML overview, including document
- type definitions and how XML differs from HTML. Next, you’ll learn
- what XML external entity attacks are. Moving on, you'll examine how
- the OWASP ZAP tool can scan a vulnerable web application and
- identify weaknesses. Next, you'll explore how to scan a web app for
- XXE vulnerabilities and execute an XXE attack. Lastly, you'll learn
- how to mitigate XXE attacks.
OWASP Top 10: A5 - Broken Access Control
Resource authorization occurs after successful authentication.
- Resources include objects such as files, folders, web apps, storage
- accounts, virtual machines, and so on. In this course, you'll learn
- about various resource access control models including MAC, DAC,
- and RBAC. Next, you'll examine how broken access control attacks
- occur. You'll then explore HTTP methods, as well as how to set file
- system permissions in Windows and Linux, assign permissions to
- code, and digitally sign a PowerShell script. Lastly, you'll learn
- about identify federation, how to execute broken access control
- attacks, and how to mitigate broken access control attacks.
OWASP Top 10: A6 - Security Misconfiguration
Modern on-premises and cloud networks consist of many types of
- network devices, hosts, and services. Each of these must be
- configured and monitored to ensure continued compliance with
- organization security policies. In this course, you'll learn about
- various types of security misconfigurations, including using
- default credentials, leaving unnecessary services running, and
- exposing services unnecessarily to the Internet. Next, you'll
- explore application container management, including how to pull
- containers from Docker Hub and then start them. Moving on, you'll
- examine how containers relate to security, how to harden security
- settings through Group Policy, and how to manage software updates
- on-premises and in the cloud.
OWASP Top 10: A7 - Cross-site Scripting
Most web apps accept some kind of input, whether from users or
- through other automated means. All app input must be treated as
- untrusted and must be vigorously validated to ensure application
- and data integrity. In this course, you'll learn the difference
- is and how it can compromise a web site and its visitors. Next,
- you'll learn how to execute various XSS attacks against an
- intentionally vulnerable virtual machine, including through web
- forms. You'll also explore how to use XSS to hijack a user web
- browser and how to mitigate XSS attacks.
OWASP Top 10: A8 - Insecure Deserialization
Object-oriented programming is common when writing scripts, as
- well as during software development. OOP treats items as objects
- that have properties and methods, as opposed to treating command
- output as a simple string. In this course, you'll learn about OOP
- along with some syntax examples. You'll explore how programming
- objects become serialized and deserialized and how this can present
- a security risk to web applications. Next, you'll examine how
- deserialization works in PowerShell, as well as how to execute a
- deserialization attack against an intentionally vulnerable web
- application. Lastly, you'll learn how to prevent deserialization
- attacks from succeeding.
OWASP Top 10: A9 - Using Components with Known Vulnerabilities
Software developers often use existing third-party APIs and
- software components instead of recreating the wheel, so to speak.
- This reduces development time and time to market for software
- products. In this course, you'll learn that only trusted APIs and
- components should be used, that developers must truly understand
- how these items work, and that they must be kept up-to-date. Next,
- you'll learn about the Heartbleed Bug and how to view components in
- Microsoft Visual Studio. You'll then examine how security must
- apply to all aspects of Continuous Integration and Continuous
- Delivery. Lastly, you'll explore how to search the shodan.io web
- site for vulnerable devices and apps.
OWASP Top 10: A10 - Insufficient Logging & Monitoring
Modern web applications can consist of many components, which
- are often running within application containers. Each component
- must be monitored to detect intrusions. In this course, you'll
- learn about various ways monitoring can be enabled in Linux on
- individual hosts, in Windows, and in cloud computing environments.
- Next, you'll explore how to forward log entries to a central
- logging host in Linux and in Windows. You'll then learn how to
- monitor cloud-based web application performance. Moving on, you’ll
- examine how to download and configure the Snort IDS by creating IDS
- rules for Telnet and ICMP network traffic. Lastly, you'll learn how
- to analyze packet captures for suspicious activity and mitigate
- monitoring deficiencies.
OWASP Top 10: Discovering & Exploiting Web App Vulnerabilities
There are almost two billion web sites in the world today. Many
- of these sites are not sufficiently protected against attacks. In
- this course, you'll begin by learning how to install a sample
- vulnerable web application. Next, you'll explore how to use
- reconnaissance methods, such as nmap scanning and web app scanning
- using OWASP ZAP, to discover HTTP hosts and vulnerable
- applications. You'll learn how to execute attacks including XSS,
- CSRF, file injection, and denial of service. You'll move on to
- examine how to capture user keystrokes using a hardware keylogger
- and capture cleartext HTTP transmissions. Lastly, you'll learn how
- to forge fake TCP/IP packets and then deploy and secure a
- cloud-hosted web application.
Final Exam: OWASP Top 10 Mitigations
Final Exam: OWASP Top 10 Mitigations will test your knowledge and application of the topics presented throughout the Skillsoft Aspire Web App Vulnerability Analyst Journey.
We offer several optional training products to enhance your learning experience. If you are planning to use our training course in preperation for an official exam then whe highly recommend using these optional training products to ensure an optimal learning experience. Sometimes there is only a practice exam or/and practice lab available.
Optional practice exam (trial exam)
To supplement this training course you may add a special practice exam. This practice exam comprises a number of trial exams which are very similar to the real exam, both in terms of form and content. This is the ultimate way to test whether you are ready for the exam.
Optional practice lab
To supplement this training course you may add a special practice lab. You perform the tasks on real hardware and/or software applicable to your Lab. The labs are fully hosted in our cloud. The only thing you need to use our practice labs is a web browser. In the LiveLab environment you will find exercises which you can start immediately. The lab enviromentconsist of complete networks containing for example, clients, servers,etc. This is the ultimate way to gain extensive hands-on experience.
Via ons opleidingsconcept bespaar je tot 80% op trainingen
Start met leren wanneer je wilt. Je bepaalt zelf het gewenste tempo
Spar met medecursisten en profileer je als autoriteit in je vakgebied.
Ontvang na succesvolle afronding van je cursus het officiële certificaat van deelname van Icttrainingen.nl
Krijg inzicht in uitgebreide voortgangsinformatie van jezelf of je medewerkers
Kennis opdoen met interactieve e-learning en uitgebreide praktijkopdrachten door gecertificeerde docenten
Once we have processed your order and payment, we will give you access to your courses. If you still have any questions about our ordering process, please refer to the button below.
Een zakelijk account aanmaken
Wanneer u besteld namens uw bedrijf doet u er goed aan om aan zakelijk account bij ons aan te maken. Tijdens het registratieproces kunt u hiervoor kiezen. U heeft vervolgens de mogelijkheden om de bedrijfsgegevens in te voeren, een referentie en een afwijkend factuuradres toe te voegen.
U heeft bij ons diverse betaalmogelijkheden. Bij alle betaalopties ontvangt u sowieso een factuur na de bestelling. Gaat uw werkgever betalen, dan kiest u voor betaling per factuur.
Als u een zakelijk account heeft aangemaakt dan heeft u de optie om cursisten/medewerkers aan te maken onder uw account. Als u dus meerdere trainingen koopt, kunt u cursisten aanmaken en deze vervolgens uitdelen aan uw collega’s. De cursisten krijgen een e-mail met inloggegevens wanneer zij worden aangemaakt en wanneer zij een training hebben gekregen.
Met een zakelijk account bent u automatisch beheerder van uw organisatie en kunt u naast cursisten ook managers aanmaken. Beheerders en managers kunnen tevens voortgang inzien van alle cursisten binnen uw organisatie.
What is included?
|Certificate of participation||Yes|
|Award Winning E-learning||Yes|
|Sharing knowledge||Unlimited access to our IT professionals community|
|Study advice||Our consultants are here for you to advice about your study career and options|
|Study materials||Certified teachers with in depth knowledge about the subject.|
|Service||World's best service|
Na bestelling van je training krijg je toegang tot ons innovatieve leerplatform. Hier vind je al je gekochte (of gevolgde) trainingen, kan je eventueel cursisten aanmaken en krijg je toegang tot uitgebreide voortgangsinformatie.