Course Outline
A01:2025 - Broken Access Control
A02:2025 - Security Misconfiguration
A03:2025 - Software Supply Chain Failures
A04:2025 - Cryptographic Failures
A05:2025 - Injection
A06:2025 - Insecure Design
A07:2025 - Authentication Failures
A08:2025 - Software or Data Integrity Failures
A09:2025 - Security Logging and Alerting Failures
A10:2025 - Mishandling of Exceptional Conditions
A01:2025 Broken Access Control - Access control enforces policies to ensure users cannot act beyond their intended permissions. Failures typically result in unauthorized data disclosure, modification, or destruction, or allow performing business functions outside the user's limits.
A02:2025 Security Misconfiguration - Security misconfiguration occurs when a system, application, or cloud service is incorrectly set up from a security perspective, creating vulnerabilities.
A03:2025 Software Supply Chain Failures - Software supply chain failures are breakdowns or compromises in the process of building, distributing, or updating software. They are often caused by vulnerabilities or malicious changes in third-party code, tools, or dependencies that the system relies on.
A04:2025 Cryptographic Failures - Generally, all data in transit should be encrypted at the transport layer (OSI layer 4). Previous challenges such as CPU performance and private key/certificate management are now addressed by CPUs with instructions designed to accelerate encryption (e.g., AES support) and simplified private key and certificate management through services like LetsEncrypt.org. Major cloud vendors also provide tightly integrated certificate management services. Beyond securing the transport layer, it is crucial to determine what data needs encryption at rest and what data requires extra encryption in transit (at the application layer, OSI layer 7). For instance, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, especially if they fall under privacy laws like the EU's General Data Protection Regulation (GDPR) or regulations such as PCI Data Security Standard (PCI DSS).
A05:2025 Injection - An injection vulnerability is a system flaw that allows an attacker to insert malicious code or commands (such as SQL or shell code) into a program’s input fields, tricking the system into executing them as if they were part of the system. This can lead to severe consequences.
A06:2025 Insecure Design - Insecure design represents different weaknesses, expressed as “missing or ineffective control design.” Insecure design is not the source of all other Top Ten risk categories. There is a difference between insecure design and insecure implementation. We differentiate between design flaws and implementation defects because they have different root causes, occur at different times in the development process, and require different remediations. A secure design can still have implementation defects leading to exploitable vulnerabilities. Conversely, an insecure design cannot be fixed by a perfect implementation because the needed security controls were never created to defend against specific attacks. One factor contributing to insecure design is the lack of business risk profiling inherent in the software or system being developed, leading to a failure to determine the required level of security design.
A07:2025 Authentication Failures - This vulnerability is present when an attacker is able to trick a system into recognizing an invalid or incorrect user as legitimate.
A08:2025 Software or Data Integrity Failures - Software and data integrity failures relate to code and infrastructure that does not protect against invalid or untrusted code or data being treated as trusted and valid. For example, an application relying on plugins, libraries, or modules from untrusted sources, repositories, or content delivery networks (CDNs). An insecure CI/CD pipeline that does not consume or provide software integrity checks can introduce potential unauthorized access, insecure or malicious code, or system compromise. Another example is a CI/CD that pulls code or artifacts from untrusted places and/or does not verify them before use (by checking the signature or a similar mechanism).
A09:2025 Security Logging & Alerting Failures - Without logging and monitoring, attacks and breaches cannot be detected, and without alerting, it is very difficult to respond quickly and effectively during a security incident. Insufficient logging, continuous monitoring, detection, and alerting to initiate active responses occurs anytime these elements are lacking.
A10:2025 Mishandling of Exceptional Conditions - Mishandling exceptional conditions in software happens when programs fail to prevent, detect, and respond to unusual and unpredictable situations, which leads to crashes, unexpected behavior, and sometimes vulnerabilities. This can involve one or more of the following three failures: the application doesn’t prevent an unusual situation from happening, it doesn’t identify the situation as it is occurring, and/or it responds poorly or not at all to the situation afterwards.
We will discuss and present practical aspects of:
Broken Access Control
- Practical examples of broken access controls
- Secure access controls and best practices
Security Misconfiguration
- Real-world examples of misconfigurations
- Steps to prevent misconfiguration, including configuration management and automation tools
Cryptographic Failures
- Detailed analysis of cryptographic failures such as weak encryption algorithms or improper key management
- Importance of strong cryptographic mechanisms, secure protocols (SSL/TLS), and examples of modern cryptography in web security
Injection Attacks
- Detailed breakdown of SQL, NoSQL, OS, and LDAP injection
- Mitigation techniques using prepared statements, parameterized queries, and escaping inputs
Insecure Design
- We'll explore design flaws that can lead to vulnerabilities, like improper input validation
- We'll study strategies for secure architecture and secure design principles
Authentication Failures
- Common authentication issues
- Secure authentication strategies, like multi-factor authentication and proper session handling
Software and Data Integrity Failures
- Focus on issues like untrusted software updates and data tampering
- Safe update mechanisms and data integrity checks
Security Logging and Monitoring Failures
- Importance of logging security-relevant information and monitoring for suspicious activities
- Tools and practices for proper logging and real-time monitoring to detect breaches early
Requirements
- A general understanding of the web development lifecycle.
- Experience in web application development and security.
Audience
- Web developers.
- Leaders.
Testimonials (7)
That every technical lesson came with multiple practical exercises to nail down the concepts.
Andrei-Calin Bajea
Course - OWASP Top 10 2025
very dynamic and flexible training!
Valentina Giglio - Fincons SPA
Course - OWASP Top 10
Laboratory exercises
Pietro Colonna - Fincons SPA
Course - OWASP Top 10
The interactive components and examples.
Raphael - Global Knowledge
Course - OWASP Top 10
Hands-on approach and Trainer Knowledge
RICARDO
Course - OWASP Top 10
The knowledge of the trainer was phenomenal
Patrick - Luminus
Course - OWASP Top 10
exercises, even if outside of my comfort zone.
