BYU OWASP Training
Introduction - Top 10 Security Risks
The Open Web Application Security Project (OWASP) brings together developers, security professionals, and other volunteers and organizations to improve software security. This module will introduce you to OWASP's Top 10 list of web application security risks.
A01 - Broken Access Control
In this module, we review the Broken Access Control category from the 2021 update of the OWASP Top 10. This category moved up from the fifth spot in 2017 to the top spot in 2021. According to OWASP, 94% of applications tested included some form of broken access control.
A02 - Cryptographic Failures
In this module, we'll review the Cryptographic Failures category from the 2021 update of the OWASP Top 10. Known as Sensitive Data Exposure in the 2017 update, the name change reflects that cryptographic failures are often the root cause of sensitive data exposure. This category moved up from #3 to #2 in the 2021 update.
A03 - Injection
In this module, we'll review the Injection category from the 2021 update of the OWASP Top 10. This category fell from the first spot to the third spot in 2021. The updated version of the category now includes Cross-Site Scripting.
A04 - Insecure Design
In this module, we'll review Insecure Design - a new category in the 2021 update to the OWASP Top 10. Insecure design creates a poor foundation for building an application.
A05 - Security Misconfiguration
In this module, we'll review the Security Misconfiguration category from the OWASP Top 10. This category moved from #6 in the 2017 update to #5 in 2021. It is closely related to A06: Vulnerable and Outdated Components.
A06 - Vulnerable and Outdated Components
In this module, we'll review the Vulnerable and Outdated Components category from the 2021 update of the OWASP Top 10. This category is a widespread threat and is often encountered in web applications. Known as Using Components with Known Vulnerabilities in the 2017 update, it moved up from the #9 spot to #6 in 2021.
A07 - Identification and Authentication Failures
In this module, we'll review the Identification and Authentication Failures category from the 2021 update of the OWASP Top 10. Known as Broken Authentication in the 2017 update, the category has been expanded to include identification failures. Failing to protect password data stores is an area of overlap with A02: Cryptographic Failures.
A08 - Software and Data Integrity Failures
In this module, we'll review Software and Data Integrity Failures, a new category in the 2021 update of the OWASP Top 10. This category focuses on the risks of software updates and Continuous Integration and Continuous Delivery/Deployment (CI/CD) pipelines that are used without verifying integrity. It also covers unsigned firmware updates and the Insecure Deserialization category from the 2017 OWASP Top 10.
A09 - Security Logging and Monitoring Failures
In this module, we'll review the Security Logging and Monitoring Failures category from the 2021 update of the OWASP Top 10. Known as Insufficient Logging and Monitoring in the 2017 update, this category moved up to #9 overall in 2021.
A10 - Server-Side Request Forgery
In this module, we'll review Server-Side Request Forgery (SSRF), a new category in the 2021 update of the OWASP Top 10. SSRF occurs when a web application fetches a remote resource without validating the user-supplied URL.