OWASP - Top 10
Training created on 14/10/2022. Last updated on 24/01/2024.
Programme version: 1
Training programme
Training objectives: This training will allow architects and developers to understand the main web vulnerabilities, to correct them and to prevent them. Through a series of hands-on exercises that put you in the place of a penetration tester, you will learn how attackers proceed to exploit each of the vulnerabilities in the OWASP Top 10. Throughout the course, students will practise several ways to cover each vulnerability, allowing them to discover the mistake and understand how to mitigate it.
Training objectives
- Understand the main web vulnerabilities
- Prevent the main web vulnerabilities
- Correct the main web vulnerabilities
Target audience
- Architects
- Developers
- Technical project managers
Prerequisites
- Introduction to application security
- A basic understanding of the 10 application security risks according to OWASP
- Basic knowledge of the technologies used in web development (HTML, JavaScript, SQL, etc.)
Training content
- OWASP Intro
  - Refresher on the HTTP protocol
  - Web application architecture
  - Briefing about OWASP and the Top 10
- Broken Access Control
  - CORS
  - Parameter tampering
- Identification and Authentication Failures
  - Brute-force attacks and weak passwords
  - Credential stuffing
  - SSO and MFA: security myths
- Injection
  - SQL injection
  - Data validation
- Server-Side Request Forgery
  - XXE attack
  - TOCTOU (race condition)
  - Network segmentation
- Security Misconfiguration
  - Error handling failures
  - Environment hardening
- Insecure Design
  - DevOps and security
  - Threat modeling
  - Network segmentation
- Cryptographic Failures
  - Certificates and secure channels
  - Data security at rest
- Vulnerable and Outdated Components
  - Vulnerability assessments and tools
  - Patch management
- Software and Data Integrity Failures
  - Trusted repositories
  - Case study: the SolarWinds Sunburst attack
  - Insecure deserialization
- Security Logging and Monitoring Failures
  - Log storage and format
  - Incident handling
  - Digital forensics
Trainer: professional with technical and teaching expertise
- Attendance sheets
- Oral or written questions (multiple-choice quiz)
- Practical scenarios
- Training evaluation forms
- Certificate of completion of the training
- Online workspace
- Training support documents projected in class
- Theoretical presentations
- Study of concrete cases
- In-class quizzes
- Support documents made available online after the training.