Aspire Journeys

Web App Vulnerability Analyst

  • 13 Courses | 12h 52m 4s
  • 1 Lab | 8h
Web application security is an essential skill for any software developer. The OWASP Top 10 is a standard awareness document for developers and for web application security in general. It represents a broad consensus and is used to raise awareness among developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. Organizations that address these flaws greatly reduce the risk of their web applications being compromised, and in this Skillsoft Aspire journey we will help learners understand the risks associated with the OWASP Top 10. We will review each of the OWASP Top 10 items and discuss how to discover and exploit web app vulnerabilities. Having OWASP Top 10 awareness across all parts of the organization will go a long way toward building secure applications across the entire organization.

Track 1: OWASP Top 10 Mitigations

In this track of the Web App Vulnerability Analyst Skillsoft Aspire journey, you will learn about all OWASP Top 10 security vulnerabilities any developer needs to be aware of when building web applications.

We will first provide an overview of web application security and why it is important today to understand vulnerabilities. We will then review each of the OWASP Top 10 items. We will conclude this track by reviewing how to discover and exploit web app vulnerabilities.

COURSES INCLUDED

OWASP Top 10: Web Application Security
Web applications are ubiquitous in today's computing world. In this course, you'll learn about software developer tools that help create secure web applications. You'll learn about server-side and client-side code, as well as how to scan a web app for vulnerabilities using OWASP ZAP and Burp Suite. Next, you'll explore secure coding using the OWASP ESAPI. Moving on, you'll examine how to enable the Metasploitable intentionally vulnerable web app virtual machine. You'll also learn about different types of software testing methodologies and the difference between vulnerability scanning and penetration testing. Lastly, you'll learn how to deploy a web application firewall in the Microsoft Azure cloud.
15 videos | 1h | Assessment available | Badge
OWASP Top 10: A1 - Injection
Many web applications accept input from either external data sources or app users. In this course, you'll learn about various types of injection attacks, such as SQL and command injection. You will learn how malicious users submit code or commands to a web app for execution by the web server stack. Next, you'll learn how to test a web app for injection vulnerabilities using the OWASP ZAP tool. You'll then set a vulnerable web application tool to low security in order to allow injection attacks to execute, and you'll run various types of injection attacks against a web application. Lastly, you will learn how to mitigate injection attacks using techniques such as input validation and input sanitization.
7 videos | 40m | Assessment available | Badge
OWASP Top 10: A2 - Broken Authentication
Hardening user and device authentication can go a long way in securing web applications. In this course, you'll start by learning the difference between authentication and authorization, where authorization follows successful authentication. You'll also learn how authentication and authorization relate to web application security. Next, you'll explore how to hash and encrypt user credentials and harden user accounts through Microsoft Group Policy. You'll then examine how to use freely available tools to crack user credentials in various ways, such as using the John the Ripper tool to crack Linux passwords and the Hydra tool to crack RDP passwords. Lastly, you'll learn how to enable user multi-factor authentication and conditional access policies, as well as how to mitigate weak authentication.
16 videos | 1h | Assessment available | Badge
OWASP Top 10: A3 - Sensitive Data Exposure
Data is one of the most valuable assets to an organization and must be protected in accordance with applicable laws, regulations, and security standards. In this course, you'll learn about attacks that compromise sensitive data, as well as how to classify sensitive data using a variety of methods. Next, you'll examine how to hash files in Windows and Linux, along with various methods of file encryption for Windows devices. You'll then explore the PKI hierarchy and how to use a certificate to secure a web application with HTTPS. Lastly, you'll learn how to configure IPsec, encrypt cloud storage, and mitigate sensitive data attacks.
17 videos | 1h | Assessment available | Badge
OWASP Top 10: A4 - XML External Entities
Extensible Markup Language uses tags to describe data and has become the standard information exchange format between dissimilar systems. Many applications use XML to share and manage data. In this course, you'll begin with an XML overview, including document type definitions and how XML differs from HTML. Next, you'll learn what XML external entity attacks are. Moving on, you'll examine how the OWASP ZAP tool can scan a vulnerable web application and identify weaknesses. Next, you'll explore how to scan a web app for XXE vulnerabilities and execute an XXE attack. Lastly, you'll learn how to mitigate XXE attacks.
7 videos | 31m | Assessment available | Badge
OWASP Top 10: A5 - Broken Access Control
Resource authorization occurs after successful authentication. Resources include objects such as files, folders, web apps, storage accounts, virtual machines, and so on. In this course, you'll learn about various resource access control models, including MAC, DAC, and RBAC. Next, you'll examine how broken access control attacks occur. You'll then explore HTTP methods, as well as how to set file system permissions in Windows and Linux, assign permissions to code, and digitally sign a PowerShell script. Lastly, you'll learn about identity federation, how to execute broken access control attacks, and how to mitigate broken access control attacks.
14 videos | 1h | Assessment available | Badge
OWASP Top 10: A6 - Security Misconfiguration
Modern on-premises and cloud networks consist of many types of network devices, hosts, and services. Each of these must be configured and monitored to ensure continued compliance with organization security policies. In this course, you'll learn about various types of security misconfigurations, including using default credentials, leaving unnecessary services running, and exposing services unnecessarily to the Internet. Next, you'll explore application container management, including how to pull containers from Docker Hub and then start them. Moving on, you'll examine how containers relate to security, how to harden security settings through Group Policy, and how to manage software updates on-premises and in the cloud.
11 videos | 1h | Assessment available | Badge
OWASP Top 10: A7 - Cross-site Scripting
Most web apps accept some kind of input, whether from users or through other automated means. All app input must be treated as untrusted and must be rigorously validated to ensure application and data integrity. In this course, you'll learn the difference between Java and JavaScript, as well as what cross-site scripting is and how it can compromise a web site and its visitors. Next, you'll learn how to execute various XSS attacks against an intentionally vulnerable virtual machine, including through web forms. You'll also explore how XSS can be used to hijack a user's web browser and how to mitigate XSS attacks.
7 videos | 36m | Assessment available | Badge
OWASP Top 10: A8 - Insecure Deserialization
Object-oriented programming is common when writing scripts, as well as during software development. OOP treats items as objects that have properties and methods, as opposed to treating command output as a simple string. In this course, you'll learn about OOP along with some syntax examples. You'll explore how programming objects become serialized and deserialized and how this can present a security risk to web applications. Next, you'll examine how deserialization works in PowerShell, as well as how to execute a deserialization attack against an intentionally vulnerable web application. Lastly, you'll learn how to prevent deserialization attacks from succeeding.
5 videos | 21m | Assessment available | Badge
OWASP Top 10: A9 - Using Components with Known Vulnerabilities
Software developers often use existing third-party APIs and software components instead of reinventing the wheel. This reduces development time and time to market for software products. In this course, you'll learn that only trusted APIs and components should be used, that developers must truly understand how these items work, and that they must be kept up to date. Next, you'll learn about the Heartbleed bug and how to view components in Microsoft Visual Studio. You'll then examine how security must apply to all aspects of Continuous Integration and Continuous Delivery. Lastly, you'll explore how to search the shodan.io web site for vulnerable devices and apps.
6 videos | 30m | Assessment available | Badge
OWASP Top 10: A10 - Insufficient Logging & Monitoring
Modern web applications can consist of many components, which are often running within application containers. Each component must be monitored to detect intrusions. In this course, you'll learn about various ways monitoring can be enabled in Linux on individual hosts, in Windows, and in cloud computing environments. Next, you'll explore how to forward log entries to a central logging host in Linux and in Windows. You'll then learn how to monitor cloud-based web application performance. Moving on, you’ll examine how to download and configure the Snort IDS by creating