Course Code: owasptop10
Duration: 14 hours
Prerequisites:

  • A general understanding of web development lifecycle
  • Experience in web application development and security

Audience

  • Web developers
  • Leaders

Overview:

The OWASP Top 10 is a community-led, open-source document developed by the Open Web Application Security Project (OWASP) Foundation that identifies the most common web application threats and vulnerabilities. OWASP Top 10 provides a comprehensive guide on web application security, risks, impacts, and countermeasures.

This instructor-led, live training (online or onsite) is aimed at web developers and leaders who wish to explore and implement the OWASP Top 10 reference standard to secure their web applications.

By the end of this training, participants will be able to strategize, implement, secure, and monitor their web applications and services using the OWASP Top 10 document.

Format of the Course

  • Interactive lecture and discussion.
  • Lots of exercises and practice.
  • Hands-on implementation in a live-lab environment.

Course Customization Options

  • To request a customized training for this course, please contact us to arrange.

Course Outline:

A01:2025 - Broken Access Control
A02:2025 - Security Misconfiguration
A03:2025 - Software Supply Chain Failures
A04:2025 - Cryptographic Failures
A05:2025 - Injection
A06:2025 - Insecure Design
A07:2025 - Authentication Failures
A08:2025 - Software or Data Integrity Failures
A09:2025 - Security Logging and Alerting Failures
A10:2025 - Mishandling of Exceptional Conditions

A01:2025 Broken Access Control - Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside the user's limits.
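An added example (not code from the course page or from OWASP) of the object-level check this category is about, in Python with constructed sample data: the "before" handler trusts the invoice id from the request, so any signed-in user can read anyone's invoice; the "after" handler denies by default, allows only the owner or an admin, and returns the same error for "missing" and "not yours" so ids cannot be enumerated. The `User`, `INVOICES` and role names are assumptions for illustration.

```python
# Added example (not part of the course page): server-side object-level access control.
# Users, roles and the invoice table below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str          # assumption: "customer" or "admin"


class AccessDenied(Exception):
    pass


# Constructed sample data: invoices keyed by id, each owned by exactly one user.
INVOICES = {
    101: {"owner_id": 1, "amount": 120.00},
    102: {"owner_id": 2, "amount": 75.50},
}


def get_invoice_insecure(invoice_id: int) -> dict:
    """'Before': trusts the id from the URL, so any logged-in user can read any
    invoice (insecure direct object reference). Hiding links in the UI is not a control."""
    return INVOICES[invoice_id]


def get_invoice(current_user: User, invoice_id: int) -> dict:
    """'After': deny by default, then allow only the owner or an admin.
    Both 'does not exist' and 'not yours' raise the same error so the
    response does not reveal which ids are valid."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise AccessDenied("invoice not available")
    if current_user.role != "admin" and invoice["owner_id"] != current_user.user_id:
        raise AccessDenied("invoice not available")
    return invoice


def can_read(current_user: User, invoice_id: int) -> bool:
    """Boolean wrapper around get_invoice, convenient for tests and audit scripts."""
    try:
        get_invoice(current_user, invoice_id)
        return True
    except AccessDenied:
        return False
```

The check lives next to the data access, not in the template or the client; every code path that reaches an invoice goes through `get_invoice`, which is what makes the rule auditable.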


A02:2025 Security Misconfiguration - Security misconfiguration is when a system, application, or cloud service is set up incorrectly from a security perspective, creating vulnerabilities.


A03:2025 Software Supply Chain Failures - Software supply chain failures are breakdowns or other compromises in the process of building, distributing, or updating software. They are often caused by vulnerabilities or malicious changes in third-party code, tools, or other dependencies that the system relies on.


A04:2025 Cryptographic Failures - Generally speaking, all data in transit should be encrypted at the transport layer (OSI layer 4). Previous hurdles such as CPU performance and private key/certificate management are now addressed: CPUs have instructions designed to accelerate encryption (e.g., AES support), and private key and certificate management has been simplified by services like LetsEncrypt.org, with major cloud vendors providing even more tightly integrated certificate management services for their specific platforms. Beyond securing the transport layer, it is important to determine what data needs encryption at rest, as well as what data needs extra encryption in transit (at the application layer, OSI layer 7). For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, especially if that data falls under privacy laws, e.g., the EU's General Data Protection Regulation (GDPR), or regulations such as the PCI Data Security Standard (PCI DSS).
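The paragraph singles out passwords as data needing protection beyond TLS. As an added example (not code from the course page or from OWASP), the block below contrasts the classic failure, an unsalted single-round hash, with salted PBKDF2-HMAC-SHA256 from the Python standard library, using a constant-time comparison on verification. The iteration count, salt size and record format are assumptions chosen for this example.

```python
# Added example (not part of the course page): password storage done badly and done properly.
import hashlib
import hmac
import os

# Assumptions for this example; iterations should be tuned to your hardware budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def store_password_insecure(password: str) -> str:
    """'Before': unsalted, single-round hash. Identical passwords share a hash,
    and the result is cheap to brute-force or look up in precomputed tables."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """'After': per-user random salt and a slow, iterated KDF.
    Returns a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored parameters and compare in constant time.
    Any malformed record fails closed."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)
```

Because the record carries its own parameters, the iteration count can be raised later and old records re-hashed at the user's next successful login without a migration.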


A05:2025 Injection - An injection vulnerability is a system flaw that allows an attacker to insert malicious code or commands (such as SQL or shell code) into a program’s input fields, tricking the system into executing the code or commands as if it were part of the system. This can lead to truly dire consequences.


A06:2025 Insecure Design - Insecure design is a broad category representing different weaknesses, expressed as "missing or ineffective control design." Insecure design is not the source for all other Top Ten risk categories. Note that there is a difference between insecure design and insecure implementation. We differentiate between design flaws and implementation defects for a reason: they have different root causes, take place at different times in the development process, and have different remediations. A secure design can still have implementation defects leading to vulnerabilities that may be exploited. An insecure design cannot be fixed by a perfect implementation, because the needed security controls were never created to defend against specific attacks. One of the factors that contributes to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine what level of security design is required.


A07:2025 Authentication Failures - This vulnerability is present when an attacker is able to trick a system into accepting an invalid or incorrect user as legitimate.


A08:2025 Software or Data Integrity Failures - Software and data integrity failures relate to code and infrastructure that does not protect against invalid or untrusted code or data being treated as trusted and valid. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline that neither consumes nor provides software integrity checks can introduce the potential for unauthorized access, insecure or malicious code, or system compromise. Another example is a CI/CD pipeline that pulls code or artifacts from untrusted places and/or doesn't verify them before use (by checking a signature or a similar mechanism).
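An added example (not code from the course page or from OWASP) of the "verify before use" step the paragraph describes, in Python with a constructed artifact: the "before" path uses whatever the mirror returned; the "after" path fails closed unless the download matches a digest pinned out of band and carries a valid signature. The artifact bytes, the published digest and the key are constructed, and an HMAC stands in for the public-key signature a real release pipeline would check, so the verification logic, not the key exchange, is what the example shows.

```python
# Added example (not part of the course page): pinned-digest and signature checks on an
# artifact before a pipeline uses it. All values below are constructed for illustration.
import hashlib
import hmac

ARTIFACT = b"#!/bin/sh\necho 'build step'\n"
# In practice this digest is copied from the publisher's signed release notes, not computed
# from the download itself; it is computed here only so the example is self-contained.
PUBLISHED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
# Assumption: a key shared with the publisher. HMAC stands in for a public-key signature.
SIGNING_KEY = b"constructed-shared-key"


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the download's digest with the pinned value in constant time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)


def sign(data: bytes, key: bytes) -> str:
    """Publisher side: produce the tag that ships alongside the artifact."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_signature(data: bytes, tag_hex: str, key: bytes) -> bool:
    """Consumer side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign(data, key), tag_hex)


def fetch_and_use_insecure(downloaded: bytes) -> bytes:
    """'Before': whatever the CDN or mirror returned is used as-is."""
    return downloaded


def fetch_and_use(downloaded: bytes, expected_sha256: str, signature_hex: str, key: bytes) -> bytes:
    """'After': refuse the artifact unless both the pinned digest and the signature check out."""
    if not sha256_matches(downloaded, expected_sha256):
        raise ValueError("artifact digest mismatch; refusing to use it")
    if not verify_signature(downloaded, signature_hex, key):
        raise ValueError("artifact signature invalid; refusing to use it")
    return downloaded


def is_rejected(downloaded: bytes, expected_sha256: str, signature_hex: str, key: bytes) -> bool:
    """True when fetch_and_use refuses the artifact; handy for tests and pipeline gates."""
    try:
        fetch_and_use(downloaded, expected_sha256, signature_hex, key)
        return False
    except ValueError:
        return True
```

The digest pin defends against a swapped download; the signature defends against a publisher channel that is itself untrusted. Both checks run before anything executes or is unpacked, and a mismatch stops the pipeline rather than logging and continuing.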


A09:2025 Security Logging & Alerting Failures - Without logging and monitoring, attacks and breaches cannot be detected, and without alerting it is very difficult to respond quickly and effectively during a security incident. Insufficient logging, continuous monitoring, detection, and alerting to initiate active responses occurs any time


A10:2025 Mishandling of Exceptional Conditions - Mishandling exceptional conditions in software happens when programs fail to prevent, detect, and respond to unusual and unpredictable situations, which leads to crashes, unexpected behavior, and sometimes vulnerabilities. This can involve one or more of the following three failings: the application doesn't prevent an unusual situation from happening, it doesn't identify the situation as it is happening, and/or it responds poorly or not at all to the situation afterwards.
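An added example (not code from the course page or from OWASP) that maps the three failings above onto one request handler in Python: the "before" parser does none of them and lets any malformed body surface as an unhandled exception; the "after" parser prevents (bounds the input before parsing), detects (catches only the failures it understands) and responds (logs the detail server-side, returns a generic error to the client, and maps anything unexpected to a 500 rather than a stack trace). The size limit, quantity bound and order format are assumptions for illustration.

```python
# Added example (not part of the course page): prevent / detect / respond for an order body.
import json
import logging

logger = logging.getLogger("orders")
MAX_BODY_BYTES = 4096   # assumption: request size limit for this endpoint
MAX_QUANTITY = 1000     # assumption: business bound on one order line


class BadRequest(Exception):
    """Client-visible error; carries a generic message only."""


def parse_order_insecure(body: bytes) -> int:
    """'Before': no prevention, no detection. Malformed JSON, a missing key, a list
    instead of an object, or a huge body all become uncaught exceptions."""
    order = json.loads(body)
    return int(order["quantity"]) * 2


def parse_order(body: bytes) -> int:
    """'After': bound the input, catch the specific failures, keep detail in the log."""
    if len(body) > MAX_BODY_BYTES:                  # prevent: refuse oversized input before parsing
        raise BadRequest("request too large")
    try:                                            # detect: only the failures we understand
        order = json.loads(body)
        quantity = order["quantity"]
    except (ValueError, KeyError, TypeError) as exc:
        logger.warning("rejected order body: %s", exc)   # respond: detail stays server-side
        raise BadRequest("invalid order") from None
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(quantity, bool) or not isinstance(quantity, int) or not 1 <= quantity <= MAX_QUANTITY:
        raise BadRequest("invalid order")
    return quantity * 2


def handle(body: bytes) -> tuple:
    """HTTP-style wrapper: (status, body). 400 for bad input, 500 for anything unexpected;
    neither leaks the exception text to the client."""
    try:
        return 200, str(parse_order(body))
    except BadRequest as exc:
        return 400, str(exc)
    except Exception:
        logger.exception("unexpected failure handling order")
        return 500, "internal error"


def insecure_crashes(body: bytes) -> bool:
    """True when the 'before' parser raises on this body."""
    try:
        parse_order_insecure(body)
        return False
    except Exception:
        return True
```

The ordering matters: the size check runs before `json.loads` so a large body never reaches the parser, and the catch-all in `handle` is the last line of defence, not a substitute for the specific checks above it.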

We will discuss and present practical aspects of:

Broken Access Control
- Practical examples of broken access controls
- Secure access controls and best practices


Security Misconfiguration
- Real-world examples of misconfigurations
- Steps to prevent misconfiguration, including configuration management and automation tools


Cryptographic Failures
- Detailed analysis of cryptographic failures such as weak encryption algorithms or improper key management
- Importance of strong cryptographic mechanisms, secure protocols (SSL/TLS), and examples of modern cryptography in web security


Injection Attacks
- Detailed breakdown of SQL, NoSQL, OS, and LDAP injection
- Mitigation techniques using prepared statements, parameterized queries, and escaping inputs


Insecure Design
- Design flaws that can lead to vulnerabilities, like improper input validation
- Strategies for secure architecture and secure design principles


Authentication Failures
- Common authentication issues
- Secure authentication strategies, like multi-factor authentication and proper session handling


Software and Data Integrity Failures
- Focus on issues like untrusted software updates and data tampering
- Safe update mechanisms and data integrity checks


Security Logging and Monitoring Failures
- Importance of logging security-relevant information and monitoring for suspicious activities
- Tools and practices for proper logging and real-time monitoring to detect breaches early
