Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

What is the OWASP Top 10, and Why Trust It?

2:17 with Jared Smith

Started in 2003, the OWASP Top 10 is a major project by OWASP to standardize the top 10 most common vulnerabilities in the world of web development. It covers major vulnerabilities, from XSS to injection to insecure libraries, and has vast support from the security community. In the rest of this course, we will dive into each major component of the most recent OWASP Top 10 as well as specific implementation examples in JavaScript and Node.js.

Further Reading:

OWASP Top 10 Project

OWASP Top 10 for:

  • 0:00

    Across the wide world of web security, the OWASP Top 10 is the trusted resource for

  • 0:05

    the most common vulnerabilities plaguing modern web apps.

  • 0:08

    Started in 2003, the OWASP Top 10 has been updated most recently in 2017.

  • 0:13

    The list of vulnerabilities is determined through community agreement

  • 0:17

    with a comment period for

  • 0:18

    software release candidates before publishing a final accepted version.

  • 0:23

    The vulnerabilities are determined using a combination of four risk factors,

  • 0:27

    including prevalence,

  • 0:28

    which is the likelihood of an application having the vulnerability.

  • 0:31

    Detectability, which is the likelihood of an attacker discovering the vulnerability.

  • 0:36

    Exploitability, which is the likelihood of an attacker successfully

  • 0:39

    exploiting the vulnerability.

  • 0:41

    And finally, impact,

  • 0:42

    which is a typical technical impact if the vulnerability is exploited.

  • 0:46

    When evaluating each vulnerability, a number of trusted data sources are used,

  • 0:50

    including HP security, vericode and White Hat security.

  • 0:54

    After each version is published, the top ten framework is then used for

  • 0:58

    training across the world at companies of all kinds, from Google and

  • 1:02

    Mozilla to small start ups.

  • 1:04

    In this course we will look at the OWASP Top 10 with specific applications and

  • 1:08

    node.js as the back end, and JavaScript is the front end.

  • 1:11

    However, the vulnerabilities apply to nearly any language on both the server,

  • 1:15

    and frontend.

  • 1:16

    Everything we will discuss from command injection to security misconfiguration

  • 1:21

    can bring down even the most well reviewed apps at the largest of companies,

  • 1:25

    no matter the language it was written in.

  • 1:27

    In the teacher's notes, we've linked to other resources for

  • 1:30

    the top ten in other languages, though we will cover the general vulnerabilities

  • 1:34

    in enough detail here that you can apply elsewhere.

  • 1:37

    Finally, since the OWASP Top 10 2017 version is currently being revised,

  • 1:42

    we've decided to cover some of the new editions while leaving out others.

  • 1:46

    Now, how many times do you think I will say vulnerability or

  • 1:50

    vulnerabilities in this course?

  • 1:52

    Well, start making your guesses and place your bets.

  • 1:55

    Because if you make it through this journey with me, and

  • 1:57

    you come out on the other side as a web security expert-in-training,

  • 2:01

    I'll tell you in the final video.

  • 2:03

    Without further ado,

  • 2:04

    we will dive into three of the top ten major vulnerabilities in stage two,

  • 2:08

    which will all cover injection based attacks against applications.

  • 2:12

    Including command injection, cross-site scripting, and cross-site request forgery.

You need to sign up for Treehouse in order to download course files.

Sign up