TT8120: Secure Web Applications | OWASP Top Ten 2021, Web Services, Rich Interfaces & More
About this Course
Securing Web Applications: A Technical Overview gives you a practical and eye-opening look at what really makes modern applications vulnerable. Whether you are on a security team, leading development efforts, or managing risk for web-based systems, this course will help you think more clearly about what threats actually look like in today’s environment and how to recognize and respond to them with confidence. You will explore how bugs show up in working systems, what makes them dangerous, and how to plan effective defenses without needing to write code.
Through expert-led lectures and live demonstrations, you will work through realistic scenarios that show how common application flaws go unnoticed. You will examine where security breaks down in areas like user input handling, broken access rules, insecure design, and cryptographic errors. From authentication failures to outdated components and misconfigured systems, you will see how attackers find their way in and what it takes to stop them. This course walks through each category in the OWASP Top Ten using clear examples and connects them to patterns you can watch for in your own organization.
The course emphasizes technical understanding, strong evaluation habits, and better decision-making across teams. You will gain a deeper awareness of how poor security practices appear in web environments and how to identify bugs before they become problems. Whether you are reviewing architecture, leading planning meetings, or supporting a security function, this course gives you clear strategies, reference points, and practical takeaways that you can apply immediately to strengthen your organization’s web security posture.
Audience Profile
This technical overview course is intended for security analysts, DevSecOps team members, web developers, project leads, and application stakeholders who are involved in web application planning, architecture, review, or oversight. It is particularly useful for team members who do not specialize in secure coding but need to understand the risks that exist in real applications and how to mitigate them. No hands-on coding is required, but a comfort level with web system design, workflows, and technical discussion is recommended.
NOTE: If your class is hands-on, the demos can be done as labs designed to give light, hands-on exposure to core secure coding practices. While we’re using ASP.NET as the base language for the examples, no prior experience with ASP.NET is needed—just follow along. The focus is on learning key web application security skills, not on mastering the language itself.
At Course Completion
This course is designed to help you understand and address key web application security risks, so you can better evaluate your systems, contribute to safer practices, and guide your team in avoiding costly mistakes.
By the end of this course, you will be able to:
Identify common reasons teams overlook security flaws in web applications
Explain why security tools and policies are not always enough to prevent risk
Recognize the structure and purpose of the OWASP Top Ten risk categories
Understand how unvalidated data and broken access control open systems to attack
Evaluate real-world demonstrations of input validation, injection, and misconfiguration issues
Apply secure thinking when reviewing authentication, encryption, and logging practices
Spot vulnerable and outdated components and explain the risks they introduce
Build stronger habits and technical practices for secure web application planning and review
If your team requires different topics, additional skills or a custom approach, our team will collaborate with you to adjust the course to focus on your specific learning objectives and goals.
Guided by our application security expert, you will explore how to:
· Understand the concepts and terminology behind defensive, secure coding including the phases and goals of a typical exploit
· Establish the first axiom in security analysis of ALL web applications for this course and beyond
· Establish the first axiom in addressing ALL security concerns for this course and beyond
· Ensure that any hacking and bug hunting is performed in a safe and appropriate manner
· Identify defect/bug reporting mechanisms within your organization
· Avoid common mistakes that are made in bug hunting and vulnerability testing
· Develop an appreciation for the need and value of a multilayered defense in depth
· Understand potential sources for untrusted data
· Understand the consequences for not properly handling untrusted data such as denial of service, cross-site scripting, and injections
· Understand the vulnerabilities associated with authentication and authorization
· Detect, attack, and implement defenses for authentication and authorization functionality and services
· Understand the dangers and mechanisms behind Cross-Site Scripting (XSS) and Injection attacks
· Detect, attack, and implement defenses against XSS and Injection attacks
· Understand the risks associated with XML processing, software uploads, and deserialization and how to best eliminate or mitigate those risks
· Learn the strengths, limitations, and appropriate uses of tools such as static code scanners, dynamic scanners, and web application firewalls (WAFs)
· Understand techniques and measures that can be used to harden web and application servers as well as other components in your infrastructure
· Identify resources to use for ongoing threat intelligence
· Plan next steps after completion of this training
Outline
Please note that this list of topics is based on our standard course offering, evolved from typical industry uses and trends. We'll work with you to tune this course and level of coverage to target the skills you need most. Topics, agenda and labs are subject to change, and may adjust during live delivery based on audience skill level, interests and participation.
1. Bug Hunting Foundation
Start with a clear understanding of what bug hunting is, why it matters, and how to approach it responsibly in real-world environments.
Why Hunt Bugs?
Safe and Appropriate Bug Hunting/Hacking
2. Exploring the OWASP Top Ten & Removing Bugs
Learn how to spot and respond to the most common and dangerous web application risks using the OWASP Top Ten as your guide.
OWASP Top Ten Deep Dive (latest edition)
Removing Bugs
3. Bug Stomping 101: What Makes Applications Break: The Essentials
Explore the most frequent application-level flaws and how to recognize unsafe patterns that lead to real vulnerabilities.
Unvalidated Data
Validation Analysis
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
4. Bug Stomping 102: Advanced Vulnerabilities and Harder-to-See Threats
Dig deeper into system-wide risks like authentication failures, outdated components, and logging gaps that attackers love to exploit.
Identification and Authentication Failures
Vulnerable and Outdated Components
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery (SSRF)
5. Best Practices & What's Next
Wrap up with practical, team-ready strategies you can use right away to improve security awareness and reduce risk in your web environment.
Quick Review of Best Practices
AI and Web Application Security
Bonus: Web App Security Playbook
Tip Guides, Cheat Sheets and other helpful resources
Prerequisites
Although this course is not hands-on, it is helpful if you have the following incoming skills:
Recommended Prerequisites:
Basic knowledge of how web applications are structured and delivered
Familiarity with general application security goals and threats
Interest in learning how bugs are introduced, found, and removed across a system
TT4154 Introduction to TypeScript: Clean Code and Strong Skills for Web Developers
TT8700 Securing Databases: Practical Database Security Skills for Safer Systems