The OWASP Top Ten


Course Introduction

This course explores how to manage code quality and security policies with Azure DevOps, and will help those preparing for Microsoft's AZ-400 exam.

It starts by examining the definition of code quality and how to write high-quality code. Next, we’ll look at what goes into code quality scanning and at how SonarCloud can help monitor code quality, and you'll see a hands-on demonstration that shows you how to use SonarCloud in the pipeline.

You'll learn what code coverage means and how to use the “Publish Code Coverage Results” task to report on code coverage. This course also covers security policies, including OWASP and its Top-10 list, as well as looking at a couple of popular security analysis tools.

If you have any feedback relating to this course, feel free to get in touch with us at Any URLs referenced during this course can be found in the relevant lecture transcripts.

Learning Objectives

  • Understand what high-quality code is and how to write quality code
  • Learn how to monitor code quality
  • Learn how to report on code coverage
  • Learn about the OWASP Top Ten
  • Understand how security analysis tools can be used in conjunction with Azure DevOps to check code for vulnerabilities
  • Learn how to configure SonarCloud in a pipeline

Intended Audience

This course is intended for those who are preparing for the AZ-400 exam, or anyone who wants to learn more about managing code quality and security policies with Azure DevOps.


To get the most from this course, you should have a basic understanding of Microsoft Azure and of DevOps concepts.


Hello and welcome to the OWASP Top 10. The term OWASP refers to The Open Web Application Security Project.  

The Open Web Application Security Project is an international organization dedicated to helping organizations conceive, develop, acquire, operate, and maintain applications that can be trusted. The information that OWASP provides is free and open to anyone who wants to improve application security.

The Open Web Application Security Project is probably best known for its Top 10 list, which highlights the most common security issues in web applications. The list is designed to help organizations minimize their exposure to the risks associated with these issues.

Just to give you a feel for what OWASP is all about, let's look at some of the top issues mentioned in their Top 10 list.

The top security risk on the OWASP Top 10 at the time of this course publication is Injection. Because injection flaws like SQL injections and LDAP injections occur when untrusted data is sent to an interpreter as part of a command or query, you should get into the habit of never trusting any user input. You should also never execute any code that’s built directly from untrusted input.
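The following is an added example, not code from the course, showing the flaw the lecture describes and its fix side by side in Python with SQLite. The in-memory table, the user rows and the lookup functions are all constructed for this illustration. The vulnerable lookup pastes user input into the query text, so the interpreter reads part of the input as SQL; the safe lookup keeps the SQL fixed and passes the value as a bound parameter, so the same input is only ever compared as a string.

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory sample database (not part of the course)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Builds the query text from untrusted input: the injection flaw."""
    # Anything the caller types becomes part of the SQL the interpreter runs,
    # so a quote character in the input changes the meaning of the query.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised query: SQL text is fixed, the value travels separately."""
    # The driver sends the value as data, never as SQL, so no input can add
    # clauses, comments or extra statements to the query.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare_lookups(username):
    """Return (rows from vulnerable lookup, rows from safe lookup) for one input."""
    conn = build_sample_db()
    return lookup_user_vulnerable(conn, username), lookup_user_safe(conn, username)


if __name__ == "__main__":
    # A username containing a quote: the vulnerable version returns every
    # row because the WHERE clause now reads  username = '' OR '1'='1'.
    vulnerable_rows, safe_rows = compare_lookups("' OR '1'='1")
    print("vulnerable lookup returned", len(vulnerable_rows), "rows")
    print("safe lookup returned", len(safe_rows), "rows")
```

The point for a pipeline is that the safe form is not harder to write than the vulnerable one; static analysers such as the tools covered later in this course flag string concatenation into query text precisely because the parameterised alternative is always available.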

Broken Authentication takes the number two spot on the OWASP Top 10. This shows up because application functions that are related to authentication and session management are, many times, implemented incorrectly. This allows the bad guys to compromise passwords, keys, and even session tokens.

Number three on the OWASP Top 10 is Sensitive Data Exposure. This shows up because lots of web applications and APIs do a poor job of protecting sensitive data. As a result, hackers can often steal or modify this poorly protected data to commit credit card fraud, identity theft, and other crimes.
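The added example below, which is not from the course, covers the two items just discussed together: it stores credentials as salted PBKDF2 hashes rather than in a recoverable form (sensitive data exposure), verifies them with a constant-time comparison, and mints session tokens from the operating system's CSPRNG rather than from anything predictable (broken authentication). The iteration count, salt size and record format are assumptions chosen for this illustration, using only the Python standard library.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed parameters for this illustration (not values from the course).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The password itself is never stored; only a slow, salted derivation of it.
    Storing the parameters in the record lets the cost be raised later without
    breaking existing accounts.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not short-circuit on the first differing byte, so the
    # comparison time does not leak how much of the guess was correct.
    return hmac.compare_digest(digest.hex(), hash_hex)


def new_session_token() -> str:
    """32 random bytes from the OS CSPRNG, URL-safe encoded.

    Session identifiers must be unguessable; never derive them from user ids,
    timestamps or a non-cryptographic PRNG.
    """
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password accepted:", verify_password("Tr0ub4dor&3", record))
    print("session token:", new_session_token())
```

Two users with the same password get different records because each gets a fresh salt, which is what defeats precomputed-table attacks against a leaked database.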

XML External Entities (XXE) comes in at number four on the Top 10 because lots of older and poorly configured XML processors evaluate external entity references within XML documents. This is an issue because external entities can be used to reveal internal files via the file URI handler, to reach internal file shares, to perform internal port scanning, and to enable remote code execution and denial of service attacks.

Rounding out the top five on the OWASP Top 10 is Broken Access Control. Broken Access Control shows up because restrictions on what authenticated users can and can’t do are, quite often, not properly enforced. These flaws are then exploited to access unauthorized functionality or data.
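The added example below, which is not from the course, shows the access-control flaw in its most common form and the fix. The insecure handler checks only that the caller is logged in and then returns whichever record id was requested, so any authenticated user can read any other user's invoice. The hardened handler denies by default, grants access only to the record's owner or to a finance-admin role, and returns the same error for a missing and a forbidden id so callers cannot work out which ids exist. The `User`, `Invoice` and `finance_admin` names and the sample records are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


class AccessDenied(PermissionError):
    """Raised when the caller may not see the requested record."""


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=99.0),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=250.0),
}


def get_invoice_insecure(user: User, invoice_id: int) -> Optional[Invoice]:
    """Broken access control: authenticated, but ownership is never checked."""
    # Any logged-in user can retrieve any invoice just by changing the id.
    return INVOICES.get(invoice_id)


def can_view_invoice(user: User, invoice: Invoice) -> bool:
    """Single authorization rule, deny by default."""
    if "finance_admin" in user.roles:
        return True
    return invoice.owner_id == user.user_id


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Hardened handler: the authorization rule is enforced on every request."""
    invoice = INVOICES.get(invoice_id)
    # One error for both "not found" and "not yours", so responses do not
    # reveal which ids exist to a caller probing them.
    if invoice is None or not can_view_invoice(user, invoice):
        raise AccessDenied(f"user {user.user_id} may not view invoice {invoice_id}")
    return invoice


def access_allowed(user: User, invoice_id: int) -> bool:
    """Boolean view of get_invoice for callers and tests."""
    try:
        get_invoice(user, invoice_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    alice = User(user_id=1, roles=frozenset())
    bob = User(user_id=2, roles=frozenset())
    auditor = User(user_id=3, roles=frozenset({"finance_admin"}))
    print("insecure: bob reads alice's invoice:", get_invoice_insecure(bob, 1001))
    print("hardened: bob reads alice's invoice:", access_allowed(bob, 1001))
    print("hardened: alice reads her own invoice:", access_allowed(alice, 1001))
    print("hardened: auditor reads any invoice:", access_allowed(auditor, 1002))
```

Keeping the rule in one function (`can_view_invoice`) rather than scattered through handlers is what makes the policy reviewable and testable, which is the property a "properly enforced" restriction needs.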

To ensure a more secure software development environment, organizations should adopt the OWASP Top 10 as part of their development process.

To learn more about the OWASP Top 10, visit the URL that you see on your screen.





About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.