OWASP

A 15-post collection

It’s more Pluralsight, it’s more website attacks and it’s more security

How much really changes in only three short years in the world of application security? Ok, a few sites get owned and some nasty hackers come up with some new ways of making some poor developers’ lives a misery but that’s about the extent of it, right? Yeah, turns out it’s a lot more complex than that. The very first course I wrote for Pluralsight and the one that continues to be the most popular is the OWASP Top 10 Web Application Security Risks for ASP.NET. This course is now an integral part of the security training for many organisations who have recognised that it kinda makes sense that their .NET developers know a thing...

New Pluralsight course: Web Security and the OWASP Top 10 – “The Big Picture”

And now for my fourth Pluralsight instalment: more OWASP! Wait – hasn’t this been done already?! Yes and no. My first course from April last year was OWASP Top 10 Web Application Security Risks for ASP.NET and as the title suggests, it contains a heap of stuff on how OWASP applies to ASP.NET. In fact it contains so much stuff that it’s over 8 hours of in-depth training for developers on (almost) everything they need to know to protect their .NET web apps. By all accounts, the course has been extremely popular and has formed the basis for many an organisation’s default set of developer training resources. It’s also rated...

Introducing the OWASP Top 10 Web Application Security Risks for ASP.NET on Pluralsight

I’ve been a little bit busy the last few months and here’s why – my first Pluralsight course, the OWASP Top 10 Web Application Security Risks for ASP.NET. Actually, if I’m honest, it’s been a lot longer than that in the making as my writing about the OWASP Top 10 goes all the way back to right on three years ago now. It began with the blog series followed by the free eBook then last year the instructor-led training for QA and now finally, a complete online video course via Pluralsight. For the uninitiated, Pluralsight is what they call “hardcore developer training” and it’s predominantly produced...

Free eBook: OWASP Top 10 for .NET developers

This entire series is now available as a Pluralsight course. Writing this series was an epic adventure in all senses of the word: Duration – 19 months to complete a blog series, for crying out loud! Content – approaching 50,000 words, not including all the discussion in comments. Effort – some of the posts, such as transport layer security, probably approached 100 hours of reading, trialling, experimenting and finally, writing and proofing. This is why there was a four month “hiatus” before that post! But most of all, it was an epic learning adventure for me. Writing the series forced me to know this content in depth, not just the depth that facilitates casual conversation and allows...

OWASP Top 10 for .NET developers part 10: Unvalidated Redirects and Forwards

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET". In the final part of this series we’ll look at the risk of an unvalidated redirect or forward. As this is the last risk in the Top 10, it’s also the lowest risk. Whilst by no means innocuous, the OWASP Risk Rating Methodology has determined that it takes last place in the order. The practice of unvalidated redirects and forwards, also often referred to as an “open redirect”, appears fairly benign on the surface. However, it can readily be employed in conjunction with a combination of social engineering and other malicious activity such...