Aspire Journeys

Web App Vulnerability Analyst - 2022 Update

  • 11 Courses | 11h 21m 31s
  • 1 Lab | 8h
Web application security is an essential skill for any software developer. The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus used to raise awareness among developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. Organizations that address these flaws greatly reduce the risk of their web applications being compromised, and in this Skillsoft Aspire journey we will help learners understand the risks associated with the OWASP Top 10. We will review each of the OWASP Top 10 items and discuss how to discover and exploit web app vulnerabilities. Having OWASP Top 10 awareness across all parts of the organization will go a long way in building secure applications across the entire organization.

Track 1: OWASP Top 10 Mitigations

In this track of the Web App Vulnerability Analyst Skillsoft Aspire journey, you will learn about all of the OWASP Top 10 security vulnerabilities that any developer needs to be aware of when building web applications.

  • 11 Courses | 11h 21m 31s
  • 1 Lab | 8h

COURSES INCLUDED

OWASP Top 10: Securing Web Applications
Web applications are ubiquitous in today's computing world, and many software development tools are available to help with secure web app creation. In this course, examine different software development tools and explore server-side and client-side code. Next, learn how to scan web apps for vulnerabilities using OWASP ZAP and Burp Suite, write secure code, and enable the Metasploitable intentionally vulnerable web app virtual machine. Finally, compare the different types of software testing methodologies, learn the difference between vulnerability scanning and penetration testing, and discover how web application firewalls (WAFs) protect web apps from common attacks. Upon completion, you'll be able to recognize the key components of secure web app creation and the purpose of the Open Web Application Security Project (OWASP).
12 videos | 1h 27m | Assessment | Badge available
OWASP Top 10: A01:2021-Broken Access Control
Resource authorization occurs after successful authentication. Resources include objects such as files, folders, web apps, storage accounts, virtual machines, and more. In this course, learn about various resource access control models, including mandatory (MAC), discretionary (DAC), role-based (RBAC), and attribute-based access control (ABAC). Next, examine how broken access control attacks occur and how HTTP requests and responses interact with web applications. Discover how to set file system permissions in Windows and Linux, assign permissions to code, and digitally sign a PowerShell script. Finally, explore identity federation and how to execute and mitigate broken access control attacks. Upon completion, you'll be able to harden resource access to mitigate broken access control attacks.
12 videos | 1h 13m | Assessment | Badge available
OWASP Top 10: A02:2021-Cryptographic Failures
Data is one of the most valuable assets to an organization and must be protected in accordance with applicable laws, regulations, and security standards. In this course, learn about cryptographic failure attacks that compromise sensitive data and how to classify sensitive data. Next, examine how to hash files in Windows and Linux and encrypt files for Windows devices. Then, explore the public key infrastructure (PKI) hierarchy and learn how to use a certificate to secure a web application with HTTPS. Finally, learn how to configure IPsec, encrypt cloud storage, and mitigate sensitive data attacks. Upon completion, you'll be able to protect sensitive data with security controls and classify and encrypt data at rest.
14 videos | 1h 26m | Assessment | Badge available
OWASP Top 10: A03:2021-Injection
Many web applications accept input from either external data sources or app users. In this course, learn about the types of injection attacks and how malicious users submit malicious code or commands to a web app for execution by the web server stack. Next, practice testing a web app for injection vulnerabilities using the OWASP ZAP tool, setting low security for a vulnerable web app tool, and executing injection attacks against a web app. Finally, discover how to mitigate injection attacks using input validation and input sanitization. Upon completion, you'll be able to identify and mitigate web app injection attacks.
11 videos | 1h | Assessment | Badge available
OWASP Top 10: A04:2021-Insecure Design
Today's web applications combine software code and resultant data, with the trustworthiness of both resulting in a secure trusted application. There are many planning strategies and tools that can ensure software and data integrity. In this course, explore IT supply chain security, how to deploy Linux updates, and how to configure a Windows Server Update Services (WSUS) host. Next, examine object-oriented programming (OOP) and how it is related to insecure deserialization attacks. Finally, learn how to use the OWASP Dependency-Check tool to verify that publicly disclosed vulnerabilities are not present in a project's dependencies. Upon completion, you'll be able to ensure that the design of a web application includes business requirements and related security controls.
8 videos | 38m | Assessment | Badge available
OWASP Top 10: A05:2021-Security Misconfiguration
Modern on-premises and cloud networks consist of many types of network devices, hosts, and services. Each of these must be configured and monitored to ensure continued compliance with organizational security policies. In this course, learn about security misconfiguration attack criteria, including using default credentials, leaving unnecessary services running, and exposing services unnecessarily to the Internet. Next, explore application container management, including how to pull containers from Docker Hub and start them. Finally, examine how containers relate to security, how to harden security settings through Group Policy, and how to manage software updates on-premises and in the cloud. Upon completion, you'll be able to detect security misconfigurations and deploy solutions to rectify weaknesses.
9 videos | 49m | Assessment | Badge available
OWASP Top 10: A06:2021-Vulnerable & Outdated Components
Software developers often use existing third-party APIs and software components. This reduces development time and the time to market for software products. In this course, learn about trusted APIs and components, including when they are used, how developers must truly understand how these items work, and how they must be kept up to date. Next, examine the Heartbleed Bug and how to view components in Microsoft Visual Studio. Finally, discover how security must apply to all aspects of continuous integration and continuous delivery (CI/CD) and learn how to search the Shodan website for vulnerable devices and apps. Upon completion, you'll be able to recognize the importance of using only trusted third-party APIs and software components during application development.
8 videos | 40m | Assessment | Badge available
OWASP Top 10: A07:2021-Identification & Authentication Failures
Hardening user and device authentication can go a long way in securing web applications. In this course, learn the difference between authentication and authorization and how they relate to web application security. Next, explore how to hash and encrypt user credentials and harden user accounts through Microsoft Group Policy, and practice using freely available tools, including the Hydra tool, Burp Suite, and John the Ripper, to crack user credentials in various ways. Finally, learn how to enable user multi-factor authentication and conditional access policies, as well as how to mitigate weak authentication. Upon completion, you'll be able to recognize how to discover and mitigate authentication vulnerabilities using various tools.
14 videos | 1h 18m | Assessment | Badge available
OWASP Top 10: A08:2021-Software & Data Integrity Failures
Today's web applications combine software code and resultant data, with the trustworthiness of both resulting in a secure and trusted application. There are many planning strategies and tools that can ensure software and data integrity. In this course, learn about IT supply chain security, deploying Linux updates, and configuring a Windows Server Update Services (WSUS) host. Next, explore object-oriented programming (OOP) and how it is related to insecure deserialization attacks. Finally, practice ensuring file integrity using file hashing in Windows and Linux and using the OWASP Dependency-Check tool to verify that publicly disclosed vulnerabilities are not present in a project's dependencies. Upon completion, you'll be able to ensure the integrity of software code, dependencies, and resultant data.
12 videos | 1h 6m | Assessment | Badge available
OWASP Top 10: A09:2021-Security Logging & Monitoring Failures
Modern web applications can consist of many components, which are often running within application containers. Each component must be monitored to detect intrusions. In this course, learn how monitoring can be enabled on individual Linux hosts, in Windows, and in cloud computing environments. Next, explore how to forward log entries to a central logging host in Linux and Windows, monitor cloud-based web application performance, and download and configure the Snort IDS by creating IDS rules. Finally, practice analyzing packet captures for suspicious activity and mitigating monitoring deficiencies. Upon completion, you'll be able to ensure that monitoring is deployed correctly and that past security breaches, as well as security incidents still in progress, are detected in a timely manner.
10 videos | 57m | Assessment | Badge available
OWASP Top 10: A10:2021-Server-Side Request Forgery (SSRF)
URLs are endpoints for web services that can be accessed remotely. Server-Side Request Forgery (SSRF) attacks target servers and result from attackers leveraging URLs and vulnerable web applications to access sensitive data. Cross-Site Request Forgery (CSRF) attacks target client devices and perform unauthorized actions using authenticated user sessions with web services. In this course, learn about SSRF. Next, discover how to scan a network for HTTP hosts using Nmap, execute a Cross-Site Request Forgery (CSRF) attack, and run a Denial of Service (DoS) attack against a web server. Finally, practice applying mitigating controls for SSRF. Upon completion, you'll be able to mitigate Cross-Site Request Forgery and Server-Side Request Forgery attacks.
7 videos | 37m | Assessment | Badge available

EARN A DIGITAL BADGE WHEN YOU COMPLETE THESE TRACKS

Skillsoft is providing you the opportunity to earn a digital badge upon successful completion of some of our courses, which can be shared on any social network or business platform.

Digital badges are yours to keep, forever.