Checking your Application Against the OWASP Top 10 Security Risks

Webinar Registration

Web application security is complex for a number of reasons. First of all, there’s all the components involved:

  • Browsers
  • Web server
  • Database server(s)
  • Server-side code of the application itself
  • Server-side components, libraries and frameworks used by the application
  • Client-side code of the application itself in the form of javascript, css and html
  • Client-side components

There’s potential for vulnerabilities every step of the way and bad guys often exploit subtle combinations of these technologies operating on different planes of execution. Take for instance SQL Injection. The vulnerability affects the database but the mitigation must be implemented in the server-side web application.

Some threats are easy for non-developers to understand and mitigate – such as missing patches or security misconfigurations. But many web application threats are deeply rooted in the code and architecture of the application itself and are a challenge to understand without coding knowledge and insight into how modern web applications work.

The non-profit OWASP Foundation is focused on web application security and they maintain a free, well-researched and technical document valuable to this discussion: OWASP Top 10 - The Ten Most Critical Web Application Security Risks which is updated each year. But it can be difficult to use this document if you aren’t an active web developer. Here’s a quick rundown on the Top 10:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

In this real-training-for-free webinar, I will take you through the current OWASP Top 10 with the goal of helping technical infosec pros (the heart of the UWS audience) who aren’t web developers to understand each risk and provide a road map of what it takes to determine if the web applications at your organization are vulnerable.

Rapid7 has agreed to sponsor this event and Garrett Gross, who specializes in web application security, will be helping me with the training. Then Garrett will briefly show you: 

  • Anatomy of an injection attack
    • history
    • types
    • exploitation example
  • Identifying injection vulnerabilities
    • DAST, SAST, RASP vs penetration testing
    • modern web app challenges
  • mitigating injection vulnerabilities
    • prepared statements w/ parameterized queries
    • stored procedures
    • whitelisting input
    • escaping user input entirely

Note: This abstract and the OWASP Top 10 document is licensed under a Creative Commons Attribution-ShareAlike 4.0 International license: https://creativecommons.org/licenses/by-sa/4.0/

Please join us for this real training for free session.

First Name:   
Last Name:   
Work Email:  
Phone:  
Job Title:  
Organization:  
Country:    
State:  
 

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us.

 

 

Additional Resources