Pop Quiz! Test your OWASP knowledge and earn credit.

There is a frequent question I get from each of my client organizations at least twice a year and that is, “Does your organization adhere to the OWASP Top 10 and is it part of your software development life cycle (SDLC)?”

Well, currently, there are no certification exams and no formal training available, so how do you prove it? I’ve decided to compile a short 10-question quiz with some new bonus courseware that will allow anyone to learn about the OWASP Top 10 and test their knowledge after each brief segment. If you need credit, save your results.

Enjoy!

OWASP Top 10 Threats and Mitigations with Bonus Courseware

Module Overview

The OWASP Top 10 defines and describes the most common and severe web application threats that developers face. This module describes and examines the first five of these threats. We have also included bonus sections which go beyond the current OWASP Top 10.

As a developer, you need to understand these threats and take precautionary measures at every stage of product development to mitigate them.

Topics covered in this review

Security Principles

  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Components with Known Vulnerabilities
  • A10 Unvalidated Redirects and Forwards

Bonus Section

  • A11: Insecure Cryptographic Storage
  • A12: Failure to Restrict URL Access
  • A13: Insufficient Transport Layer Protection

Module Objectives

After completing this course, you will be able to:

  • Explain the key security principles related to the OWASP Top 10.
  • Identify and explain the ten threats in the OWASP Top 10.
  • Explain mitigation techniques for each of the ten identified threats.

Security Principles

Let’s look at three key security principles related to the OWASP Top 10 threats. During this course, you will learn about the concepts associated with each of the Top 10 threats. Additionally, you will learn about the techniques that you can use to mitigate each threat.

Input is Evil

Much of security is related to input and a user’s ability to interact with and control that input. You should always mistrust and question user input everywhere that it is accepted in your application. Always remember that any input you receive could be malicious and you need to validate it before you trust it.
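As an added example (not part of the course material), the function below shows what "validate before you trust" looks like at a trust boundary: an untrusted request body is size-limited, parsed, and then checked field by field against an allowlist of names, types, ranges and character sets, and anything that does not match is rejected rather than cleaned up. The field names, limits and sample bodies are constructed for illustration.

```python
import json
import re

# Allowlist rules for one hypothetical "order" request. Everything not listed is rejected.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
ALLOWED_FIELDS = {"username", "quantity", "note"}
MAX_BODY_BYTES = 4096
MAX_NOTE_LEN = 200


class ValidationError(ValueError):
    """Raised for any input that fails validation; the caller should reject the request."""


def validate_order(raw: bytes) -> dict:
    """Parse an untrusted request body and return a clean, typed dict, or raise."""
    # Bound the input before spending any effort on it.
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValidationError("malformed body") from exc
    if not isinstance(data, dict):
        raise ValidationError("expected a JSON object")

    # Unknown fields are rejected: they are a sign of probing or of mass-assignment attempts.
    unknown = set(data) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")

    # Each field: check type first, then the allowlist pattern or range.
    username = data.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("bad username")

    quantity = data.get("quantity")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(quantity, int) or isinstance(quantity, bool) or not 1 <= quantity <= 100:
        raise ValidationError("bad quantity")

    note = data.get("note", "")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN or not note.isprintable():
        raise ValidationError("bad note")

    # Only the validated, typed values leave this function.
    return {"username": username, "quantity": quantity, "note": note}


# Constructed request bodies: one well-formed, the rest each violating one rule.
SAMPLE_BODIES = {
    "good": b'{"username": "alice_01", "quantity": 3, "note": "gift wrap"}',
    "wrong_type": b'{"username": "alice_01", "quantity": "3"}',
    "extra_field": b'{"username": "alice_01", "quantity": 3, "is_admin": true}',
    "bad_name": b'{"username": "../etc/passwd", "quantity": 3}',
    "not_json": b"username=alice",
}


def check_all() -> dict:
    """Run every sample body through the validator and collect the outcome per sample."""
    results = {}
    for name, body in SAMPLE_BODIES.items():
        try:
            results[name] = validate_order(body)
        except ValidationError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in check_all().items():
        print(f"{name:12} -> {outcome}")
```

The design choice worth noting is that the validator returns a new dict built only from validated values, so downstream code never touches the raw input object at all.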

TOCTOU

Time of Check versus Time of Use, or TOCTOU, describes the temporality of computing. Although it is convenient to think of a computer program as a series of instructions, starting at a method and going sequentially until it reaches its completion, remember that this interpretation is only an abstraction. Even though you might check input, state, or data at one point in time, an attacker may be able to control some aspect of the program between the time that the resource is checked and the time that the resource is used, which can lead to illegitimate access to the resource.
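An added example (not from the course) of the check-then-use gap on the file system, with its mitigation. The naive function checks a path name and then opens the same name again, so anything that re-points the name in between is invisible to the check; the hardened function opens first, refusing symbolic links, and runs its check on the descriptor it will actually read from, so check and use refer to the same object. The `between_check_and_use` / `before_use` hooks exist only so the interleaving can be reproduced deterministically instead of relying on a real race; the temp-dir scenario, file names and contents are constructed. It assumes a POSIX platform where `os.O_NOFOLLOW` is available (Linux, macOS).

```python
import os
import stat
import tempfile


# Naive pattern: inspect the path *name*, then open the same name later.
# Nothing ties the check to the object that open() eventually resolves.
def read_if_regular_naive(path, between_check_and_use=None):
    # Time of check: both tests resolve the name and inspect whatever it points to now.
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("not a regular file")
    if between_check_and_use is not None:
        between_check_and_use()  # the window in which another party can re-point the name
    with open(path, "rb") as f:  # Time of use: the name is resolved a second time.
        return f.read()


# Hardened pattern: open first (O_NOFOLLOW refuses a symlink at the final component),
# then check the descriptor you will read from. There is no window between check and use.
def read_if_regular_safe(path, before_use=None):
    if before_use is not None:
        before_use()  # anything done before open() is seen by the fstat() check below
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # assumption: POSIX with O_NOFOLLOW
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        with os.fdopen(fd, "rb") as f:
            fd = -1  # ownership passed to the file object, which closes it
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Constructed scenario: a 'public' file beside a 'secret' one in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def write_public():
            if os.path.lexists(public):
                os.remove(public)  # removes a symlink itself, never its target
            with open(public, "wb") as f:
                f.write(b"public data")

        def repoint():
            # Simulated race: between check and use, the name is made to resolve elsewhere.
            os.remove(public)
            os.symlink(secret, public)

        write_public()
        leaked = read_if_regular_naive(public, repoint)  # check passed; use read the secret

        write_public()
        try:
            read_if_regular_safe(public, repoint)
            hardened = "read"
        except OSError:  # open() with O_NOFOLLOW refuses the symlink (ELOOP)
            hardened = "refused"

        write_public()
        normal = read_if_regular_safe(public)  # ordinary regular file still works
        return leaked, hardened, normal


if __name__ == "__main__":
    leaked, hardened, normal = demo()
    print("naive read:", leaked)
    print("hardened read after re-point:", hardened)
    print("hardened read of a regular file:", normal)
```

The general rule the hardened version applies is: perform the check on the handle you will use (`fstat` on the open descriptor), not on a name that can be re-resolved to something else; the same principle applies to any resource that is looked up by a mutable identifier.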

Dynamic Threat Environment

Finally, remember that the world is constantly changing and chaotic, with new threats developing and manifesting every single day. A system that was secure in the past may not be secure against new threats. You need to have a consistent and reproducible plan to handle evolving threats.