Started in 2003, the OWASP Top 10 is a major project by OWASP to standardize the top 10 most common vulnerabilities in the world of web development. It covers major vulnerabilities, from XSS to injection to insecure libraries, and has vast support from the security community. In the rest of this course, we will dive into each major component of the most recent OWASP Top 10 as well as specific implementation examples in JavaScript and Node.js.
Across the wide world of web security, the OWASP Top 10 is the trusted resource for the most common vulnerabilities plaguing modern web apps. Started in 2003, the OWASP Top 10 has been updated most recently in 2017. The list of vulnerabilities is determined through community agreement, with a comment period for release candidates before publishing a final accepted version.

The vulnerabilities are determined using a combination of four risk factors, including prevalence, which is the likelihood of an application having the vulnerability; detectability, which is the likelihood of an attacker discovering the vulnerability; exploitability, which is the likelihood of an attacker successfully exploiting the vulnerability; and finally, impact, which is the typical technical impact if the vulnerability is exploited. When evaluating each vulnerability, a number of trusted data sources are used, including HP Security, Veracode and WhiteHat Security. After each version is published, the Top 10 framework is then used for training across the world at companies of all kinds, from Google and Mozilla to small startups.

In this course we will look at the OWASP Top 10 with specific applications, and Node.js as the back end and JavaScript as the front end. However, the vulnerabilities apply to nearly any language on both the server and front end. Everything we will discuss, from command injection to security misconfiguration, can bring down even the most well-reviewed apps at the largest of companies, no matter the language it was written in. In the teacher's notes, we've linked to other resources for the Top 10 in other languages, though we will cover the general vulnerabilities in enough detail here that you can apply them elsewhere. Finally, since the OWASP Top 10 2017 version is currently being revised, we've decided to cover some of the new additions while leaving out others.

Now, how many times do you think I will say vulnerability or vulnerabilities in this course? Well, start making your guesses and place your bets. Because if you make it through this journey with me, and you come out on the other side as a web security expert-in-training, I'll tell you in the final video.

Without further ado, we will dive into three of the top ten major vulnerabilities in stage two, which will all cover injection-based attacks against applications, including command injection, cross-site scripting, and cross-site request forgery.