What is the OWASP Top 10, and Why Trust It?

Across the wide world of web security, the OWASP Top 10 is the trusted resource for 0:00 the most common vulnerabilities plaguing modern web apps. 0:05 Started in 2003, the OWASP Top 10 has been updated most recently in 2017. 0:08 The list of vulnerabilities is determined through community agreement 0:13 with a comment period for 0:17 software release candidates before publishing a final accepted version. 0:18 The vulnerabilities are determined using a combination of four risk factors, 0:23 including prevalence, 0:27 which is the likelihood of an application having the vulnerability. 0:28 Detectability, which is the likelihood of an attacker discovering the vulnerability. 0:31 Exploitability, which is the likelihood of an attacker successfully 0:36 exploiting the vulnerability. 0:39 And finally, impact, 0:41 which is a typical technical impact if the vulnerability is exploited. 0:42 When evaluating each vulnerability, a number of trusted data sources are used, 0:46 including HP security, vericode and White Hat security. 0:50 After each version is published, the top ten framework is then used for 0:54 training across the world at companies of all kinds, from Google and 0:58 Mozilla to small start ups. 1:02 In this course we will look at the OWASP Top 10 with specific applications and 1:04 node.js as the back end, and JavaScript is the front end. 1:08 However, the vulnerabilities apply to nearly any language on both the server, 1:11 and frontend. 1:15 Everything we will discuss from command injection to security misconfiguration 1:16 can bring down even the most well reviewed apps at the largest of companies, 1:21 no matter the language it was written in. 1:25 In the teacher's notes, we've linked to other resources for 1:27 the top ten in other languages, though we will cover the general vulnerabilities 1:30 in enough detail here that you can apply elsewhere. 1:34 Finally, since the OWASP Top 10 2017 version is currently being revised, 1:37 we've decided to cover some of the new editions while leaving out others. 1:42 Now, how many times do you think I will say vulnerability or 1:46 vulnerabilities in this course? 1:50 Well, start making your guesses and place your bets. 1:52 Because if you make it through this journey with me, and 1:55 you come out on the other side as a web security expert-in-training, 1:57 I'll tell you in the final video. 2:01 Without further ado, 2:03 we will dive into three of the top ten major vulnerabilities in stage two, 2:04 which will all cover injection based attacks against applications. 2:08 Including command injection, cross-site scripting, and cross-site request forgery. 2:12