OWASP: top ten security threats

In this course on malicious software, you will learn about the various types of malicious code in detail and contrast the different types before looking at the countermeasures used to combat them. You'll also encounter non-technical controls and see the OWASP Top 10 security threats.


Welcome to the OWASP Top Ten Security Threats. OWASP is the Open Web Application Security Project. These are the top ten security threats, and we can see them on the site here; this is the OWASP website, and these are the latest top ten threats. Now, if I scroll down, you can see that there were two versions of the OWASP Top Ten. One was done back in 2017, and, interestingly enough, these are top ten threats, and all of them are, sort of, equally valid. These are the threats that there were back in 2017, web application ones. The top one was injection; a good example of that would be Structured Query Language. And then you've got cross-site scripting, which was another threat; that was number seven. But as of 2021, which was just at the end of 2021, OWASP updated their website to include the latest threats. They do this every four years; they update it to have the latest threats in there. And these are the latest threats that have come forward. Sometimes they just rename some of them and they get reordered slightly, which is what's happened on this one here. So, before, we had broken access control, which was five in 2017; that's now been brought up to number one as a priority in terms of risk. Some of the other ones have been rebadged; we've now got injection, which has now dropped down to three. Cross-site scripting has also joined up with it, and those aren't the only two that involve those types of injection attacks. There are lots of other web applications that come up through that.

Now, the site itself is a not-for-profit organisation who promote cybersecurity in relation to web applications themselves. And you can see these are the top ten here. Some examples: you've got ones which are vulnerabilities; some of these are cryptographic, which is to do with encryption. So, if I go into the injection one, which is the third one down, you can see there that the injection one covers an overview of what the risks are, so it gives you an overview, a description of what these types of vulnerable attacks are for the different applications, and you can see SQL, Structured Query Language, is mentioned there, so is cross-site scripting, and a lot of other web applications which are vulnerable, which you don't need to know for your exam, but it's well worth looking at when you expand your career, when you need to look at these things from a different viewpoint. And as I go down it, you can see that, in addition to what the threats are, you'll also see how to prevent these types of threats and attacks. And as I go down, you actually have some really good examples of these attack scenarios. One equals one, that's something I've mentioned previously; remember that that's an SQL injection type of attack. It's not the only type of attack in injection, because we cover a lot of other areas as well, but you've got some good examples of the different attack scenarios. And as I scroll down, you have some reference guides to look at. So, I'll just click on the cheat sheet to help you understand SQL injection prevention. The cheat sheet gives you a lot more detailed information about different attacks, the primary defences against these types of attacks, and then obviously gives you some detail on how to defend against them. The information it's providing for you is very detailed, and you can learn more about the different types of techniques through this. So, it's a very good analysis tool to bring up information.

Then, if I just go back and scroll down. So, we're back to our number three again, but I'm going down to mapped other vulnerabilities, web applications, specifically under injection, and you can see some more of the web application information, further references, if you want to read further in this type of area of work. And obviously, this is not just web applications, this is not just injection attacks; this is covering the whole gamut of different attacks people can use against you. Very similar to number one, where just by clicking the X button on a website, which maybe a lot of you do, that does not end your session; your session is still open. Potentially, it can be open for fifteen to twenty minutes. Someone could take advantage of that using these types of techniques. But it's well worth spending a lot of time with this site, because you will get an exam question about this. But what I wanted to also show you was some additional information to support this website, and one is called the OWASP Juice Shop. The OWASP Juice Shop is a vulnerable website that has been created, a bit like a Hack The Box type of site, where you can actually try out all the different hacking techniques that are mentioned in the OWASP Top Ten, actually use the application, and see in operation how these vulnerabilities can be manifested and how the information can be gained from the site. It's a test site, but it's a good opportunity to put the theoretical stuff into practice and see how this site works. It's a very good application to play with, and it tells you how to use the application and then you can get the information from it.

An additional site that I've also come across is Hacksplaining, and I do like this; I've demonstrated it a few times. Hacksplaining also has an OWASP Top Ten web security risks platform, and you can see here these are the top ten; they map exactly with the OWASP Top Ten itself. And these are specific examples of web application vulnerabilities where you can actually click through and see an example of the web application or vulnerability, and also learn about them as well. So, these are vulnerable applications: you click on them, they bring them up, they demonstrate them to you, and then you'll see some additional information you can learn from. Very similar to what you saw when you started looking at the cheat sheets, but they do map to the top ten. On some of this site, you have to provide an email address if you want to see all of them, but for some of these web applications you can go straight in. The top ten ones are relatively straightforward for you. Hopefully, you've enjoyed that little session there, just demonstrating these types of techniques. Please spend some time on this, because you will get this as an exam question.
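The "one equals one" SQL injection that the lecture points to on the OWASP injection page, shown as an added worked example (this is not code from the course or from OWASP): a login query built by string concatenation is bypassed by the payload `' OR 1=1 --`, while the same query written with bound parameters, the primary defence the OWASP SQL Injection Prevention Cheat Sheet recommends, treats the payload as plain data. The `users` table, its two accounts and the passwords are constructed for the demo and run against an in-memory SQLite database, so nothing here touches a real system.

```python
"""Added example: SQL injection via string concatenation versus a
parameterised query. Table contents and credentials are constructed
sample data for this demo, not taken from any real application."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny users table with two accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Vulnerable: user input is pasted straight into the SQL text, so the
    # input becomes part of the query's structure. With the username
    # "' OR 1=1 --" the WHERE clause collapses to  username = '' OR 1=1
    # and the trailing "--" comments out the password check entirely.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Hardened: the SQL structure is fixed before any value is bound, so
    # the same payload is compared literally against the username column
    # and simply fails to match.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# The classic "one equals one" payload from the lecture.
PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    # Runs both login implementations against the same data and returns
    # the rows each one hands back to the caller.
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        "parameterised": login_parameterised(conn, PAYLOAD, "anything"),
        "legitimate": login_parameterised(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

Running it shows the vulnerable version returning every account for a password the attacker never knew, the parameterised version returning nothing for the same input, and a genuine credential still working through the parameterised path. The fix is not input filtering but keeping query structure and data separate; the cheat sheet the lecture opens lists prepared statements first for exactly that reason.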
