Course Outline
A01:2025 - Broken Access Control
A02:2025 - Security Misconfiguration
A03:2025 - Software Supply Chain Failures
A04:2025 - Cryptographic Failures
A05:2025 - Injection
A06:2025 - Insecure Design
A07:2025 - Authentication Failures
A08:2025 - Software or Data Integrity Failures
A09:2025 - Security Logging and Alerting Failures
A10:2025 - Mishandling of Exceptional Conditions
A01:2025 Broken Access Control - Access control enforces policies ensuring users cannot act beyond their intended permissions. Failures often result in unauthorized data disclosure, modification, or destruction, or performing business functions outside user limits.
A02:2025 Security Misconfiguration - Security misconfiguration occurs when a system, application, or cloud service is incorrectly set up from a security perspective, creating vulnerabilities.
A03:2025 Software Supply Chain Failures - These failures involve breakdowns or compromises in the software building, distribution, or update processes. They are frequently caused by vulnerabilities or malicious changes in third-party code, tools, or dependencies.
A04:2025 Cryptographic Failures - All data in transit should generally be encrypted at the transport layer (OSI layer 4). Modern CPUs accelerate encryption (e.g., AES instruction support), and services like LetsEncrypt.org and cloud vendor integrations simplify private key and certificate management. Beyond the transport layer, it is crucial to identify data that requires encryption at rest and additional encryption in transit at the application layer (OSI layer 7), such as passwords, credit card numbers, health records, personal information, and business secrets, especially under privacy laws like GDPR or regulations like PCI DSS.
A05:2025 Injection - An injection vulnerability allows attackers to insert malicious code or commands (e.g., SQL or shell code) into program inputs, tricking the system into executing them. This can lead to severe consequences.
A06:2025 Insecure Design - Insecure design represents weaknesses described as “missing or ineffective control design.” It differs from insecure implementation, having distinct root causes, timing in the development process, and remediation strategies. A secure design can still have implementation defects, whereas an insecure design cannot be fixed by perfect implementation because necessary security controls were never created.
A07:2025 Authentication Failures - This vulnerability exists when an attacker can trick a system into accepting an invalid or incorrect user as a legitimate one.
A08:2025 Software or Data Integrity Failures - These relate to code and infrastructure that fail to protect against invalid or untrusted data being treated as trusted. Examples include reliance on untrusted plugins or CDNs, or CI/CD pipelines that do not perform software integrity checks, potentially introducing unauthorized access or malicious code.
A09:2025 Security Logging & Alerting Failures - Without logging and monitoring, attacks cannot be detected, and without alerting, responding to security incidents becomes difficult. This category covers applications where logging, monitoring, and detection are absent or insufficient.
A10:2025 Mishandling of Exceptional Conditions - Mishandling occurs when a program fails to prevent unusual situations, to identify them when they occur, or to respond to them appropriately, leading to crashes or exploitable vulnerabilities.
We will discuss and present practical aspects of:
Broken Access Control
- Practical examples of broken access controls
- Secure access controls and best practices
Security Misconfiguration
- Real-world examples of misconfigurations
- Steps to prevent misconfiguration, including configuration management and automation tools
Cryptographic Failures
- Detailed analysis of cryptographic failures such as weak encryption algorithms or improper key management
- Importance of strong cryptographic mechanisms, secure protocols (SSL/TLS), and examples of modern cryptography in web security
Injection Attacks
- Detailed breakdown of SQL, NoSQL, OS, and LDAP injection
- Mitigation techniques using prepared statements, parameterized queries, and escaping inputs
Insecure Design
- Design flaws that can lead to vulnerabilities, such as improper input validation
- Strategies for secure architecture and secure design principles
Authentication Failures
- Common authentication issues
- Secure authentication strategies, like multi-factor authentication and proper session handling
Software and Data Integrity Failures
- Focus on issues like untrusted software updates and data tampering
- Safe update mechanisms and data integrity checks
Security Logging and Monitoring Failures
- Importance of logging security-relevant information and monitoring for suspicious activities
- Tools and practices for proper logging and real-time monitoring to detect breaches early
Requirements
- A general understanding of the web development lifecycle
- Experience in web application development and security
Audience
- Web developers
- Leaders
Testimonials (7)
That every technical lesson came with multiple practical exercises to nail down the concepts.
Andrei-Calin Bajea
Course - OWASP Top 10 2025
Very dynamic and flexible training!
Valentina Giglio - Fincons SPA
Course - OWASP Top 10
Laboratory exercises
Pietro Colonna - Fincons SPA
Course - OWASP Top 10
The interactive components and examples.
Raphael - Global Knowledge
Course - OWASP Top 10
Hands-on approach and trainer knowledge
RICARDO
Course - OWASP Top 10
The knowledge of the trainer was phenomenal
Patrick - Luminus
Course - OWASP Top 10
exercises, even if outside of my comfort zone.