
Welcome to "Quick Guide to AppSec and the OWASP Top Ten"! Join Derek Fisher, a seasoned product security leader, speaker, university instructor, and author of "The Application Security Program Handbook" as he takes you on a journey through the essentials of application security. We cover the foundational concepts like asset types, threats, and the pillars of cybersecurity: confidentiality, integrity, availability, authentication, and authorization (CIAAA). From real-world examples to best practices, this video dives into securing assets and understanding the critical components of application security. Follow along and learn more about protecting your digital assets. Ready to level up your AppSec knowledge? Let’s get started!
In this in-depth look at application security, we break down essential concepts and strategies to secure your applications from development to deployment. We cover the key elements of authentication, authorization, and session management, as well as data protection at rest, in use, and in motion. Learn about the importance of secure code reviews, threat modeling, risk assessments, and the integration of security in DevSecOps and CI/CD pipelines. Explore frameworks like OWASP and NIST and understand the power of defense in depth to protect your applications. Finally, discover how continuous feedback loops and testing at each development stage contribute to safer, more resilient applications.
In this video, we explore OWASP, the Open Worldwide Application Security Project—a global nonprofit dedicated to improving software security. Since its inception in 2001, OWASP has led the charge in providing open-source tools, resources, and community-driven projects, making it a vital resource for developers, security professionals, and organizations worldwide. With over 250 chapters and tens of thousands of members, OWASP offers training, educational resources, and conferences that drive industry standards. We’ll be diving into one of OWASP’s flagship initiatives, the OWASP Top Ten web application vulnerabilities, covering issues like broken access control, cryptographic failures, injection attacks, and more. Get ready to understand the risks and strengthen your app security!
In this video, we dive into the concept of broken access control, what it is, how it occurs, and why it matters for application security. Starting with the basics of authentication (validating identity) and authorization (granting access), we clarify the differences between these terms and illustrate what happens when authorization controls fail. Learn about common vulnerabilities, such as SQL injection and forced browsing, that attackers use to bypass access restrictions and gain unauthorized access to data and admin functions. Discover preventive measures like default-deny access, centralized control mechanisms, session management, and logging practices to protect sensitive areas and ensure users only access what they need.
In this video, we explore session hijacking, a critical vulnerability under the umbrella of broken access control. Using a hands-on example, we demonstrate how weak session ID generation—lacking complexity and randomness—can be exploited to predict and hijack session cookies. Follow along as we use developer tools and PowerShell scripting to identify patterns in session IDs and iterate through possible values to gain unauthorized access. Learn how attackers exploit predictable session IDs and the importance of implementing robust session management practices to protect your applications. This practical exercise underscores the risks of insecure session handling and how to mitigate them.
In this video, we unpack security misconfiguration, a common vulnerability resulting from improper or default configurations across systems and applications. From operating systems and web servers to databases and application code, misconfigurations leave critical systems open to attack. Examples include leaving default settings on production environments, exposing debug code or unused third-party libraries, enabling directory listing (which lets attackers enumerate files and reverse-engineer code), and providing overly permissive cloud configurations, such as public S3 buckets. Learn the risks these missteps pose and discover how following security best practices and proactive configuration management can prevent data breaches and safeguard your applications.
Software supply chain security has evolved far beyond patching vulnerable libraries. In this section, we trace that evolution — from the narrow "do you have Log4j?" question to the much harder problem of trusting the entire lifecycle of your software. We cover how modern supply chain attacks target the build pipeline itself rather than the deployed application, using the SolarWinds breach as the defining example of what systemic failure looks like at scale. From there, we examine how the attack surface has inverted: threats now originate at the developer workstation, in dependency repositories through typosquatting and package hijacking, and inside CI/CD build systems with access to production. We close with a concrete defensive framework — SBOMs, provenance validation, dependency pinning, least privilege for package publishing, and behavioral scanning beyond CVEs — organized around a single governing principle: the security question is no longer whether a component is vulnerable, but whether the entire chain that produced your artifact can be trusted.
In this video, we tackle cryptographic failures and explore how to protect data in its three primary states: in motion, at rest, and in use. Learn how data in motion is safeguarded through protocols like HTTPS and TLS, ensuring secure transfers between devices. For data at rest (stored in databases or file systems), encryption is typically managed with symmetric keys, supported by secure key management tools like Hardware Security Modules (HSMs) and Key Management Services (KMS). Lastly, we cover data in use, which involves protecting data actively processed in memory using techniques such as memory segmentation and encryption. Dive in to understand how these layers of protection maintain data confidentiality and prevent cryptographic failures in your applications.
In this video, we dive into injection attacks, a critical security vulnerability that occurs when untrusted input changes the behavior of an application. From SQL injection, where malicious SQL commands exploit unfiltered inputs, to script injection like cross-site scripting (XSS) that embeds harmful code into web pages, we cover it all. Learn about OS injection, which can execute system commands, and XML injection, such as XML External Entity (XXE) attacks, that target XML processors. Discover best practices to prevent these vulnerabilities, including input validation, output encoding, and security mechanisms like Content Security Policy. This is your guide to understanding and mitigating injection vulnerabilities in application security.
This video explores the concept of insecure design, introduced in 2021 to highlight the risks of architectural and design flaws in applications. Learn why security must be integrated into the early stages of development through threat modeling, secure design patterns, and pre-code actions that align with secure-by-design principles. Discover how to create functional and security requirements informed by regulations, frameworks, and threat intelligence. We cover key elements like building a secure architecture, leveraging the Secure Software Development Lifecycle (SDLC), and using tools like SAST, DAST, and SCA for validation. Finally, understand how to mitigate common design vulnerabilities such as insecure password recovery, improper file uploads, and lack of bot protections. This video is your guide to embedding security from the start and ensuring resilient, robust application designs.
This video explores identification and authentication failures, highlighting common weaknesses in authentication processes and how they can be exploited. Learn about weaknesses and attacks such as weak passwords, credential stuffing, brute-force attacks, and improper password storage practices. We explain the importance of robust password policies, multi-factor authentication (MFA), and secure password storage techniques like hashing with salt and pepper. Discover best practices aligned with NIST guidelines, including limiting failed login attempts, avoiding default passwords, and using advanced authentication methods like biometrics or PKI. Strengthen your application's defenses against authentication vulnerabilities and protect user identities with these actionable insights.
This video demonstrates how authentication bypasses occur and how attackers exploit flaws in configuration or logic to bypass security measures. Using a lab example, we explore bypassing a two-factor password reset mechanism by tampering with HTTP request parameters. Follow along as we use developer tools and PowerShell to manipulate hidden inputs and parameter counts to bypass verification and reset a password.
Key takeaways include:
Common techniques for bypassing authentication, such as removing or renaming parameters and forced browsing.
Understanding how insecure validation logic can allow bypasses by failing to properly verify input values.
The importance of validating all parameters and ensuring robust security for authentication mechanisms.
This practical walkthrough highlights the risks of poorly implemented authentication and emphasizes the need for secure design and rigorous testing.
This video explores software and data integrity failures, focusing on how vulnerabilities can occur throughout the software development lifecycle (SDLC). From coding and building to deployment and runtime, we discuss key risks like unsigned software, tampered packages, and unverified repositories. Learn why signed software and hosting internal repositories are essential for maintaining code integrity, and discover the importance of a robust patch management process to address vulnerabilities. Additionally, we highlight the need for secure data exchanges with third parties, including validation mechanisms like encryption and mutual authentication. Build confidence in your software’s integrity with these critical best practices!
This video explores security logging and monitoring failures, a critical issue that underpins many major security incidents. Attackers exploit insufficient logging and delayed responses to achieve their goals undetected, with vulnerability probing often preceding successful exploits. Learn about the importance of capturing detailed, actionable logs for high-value transactions and the risks of logging sensitive information, which can lead to data breaches if exposed. We also discuss the role of Security Information and Event Management (SIEM) systems in aggregating and analyzing logs across systems to detect indicators of compromise and ongoing attacks. Enhance your security posture by implementing robust logging and monitoring practices to detect and respond to threats swiftly.
Improper error handling has graduated from a code quality concern to a primary attack vector — and this section explains why that distinction matters. We open by defining the three failure modes: prevention failures where the application can't handle unexpected conditions, detection failures where the system doesn't recognize that something has gone wrong, and response failures where the system reacts poorly — including the most dangerous outcome of all, failing open and granting access because a security check crashed before it could say no. We make the risk concrete through three real-world impact scenarios: stack trace leakage that hands attackers a detailed map of your backend, the fail open pattern where an authentication service exception defaults to granting admin rights, and logic corruption through race conditions that leave databases in exploitable states. We close with the architectural response — fail closed as a non-negotiable design contract, centralized exception handling through global middleware, sanitized outputs that give developers rich internal logging without exposing internals to users, and stress testing through fuzzing and chaos engineering to surface failure modes before production does. The core takeaway: how your application behaves when things go wrong is as much a part of your attack surface as how it behaves when things go right.
APIs have become the dominant attack surface of modern web applications — powering over 90% of internet traffic and responsible for billions of exposed records in recent years. In this section, we cover the OWASP API Security Top 10 through three threat pillars: Identity and Access Failures, which includes BOLA, BOPLA, Broken Authentication, and BFLA; Business Logic and Resource Abuse, covering unrestricted resource consumption and the harder-to-detect problem of attackers exploiting legitimate API functionality at scale; and Infrastructure and Integration Blind Spots, including SSRF, security misconfiguration, and the shadow and zombie API problem. We close with the API Defender's Blueprint — a layered defense model organized across the code, gateway, and runtime layers — and the core principle that API security is a design discipline, not a deployment checklist.
In this wrap-up video, we summarize the key takeaways from the course on cybersecurity principles. We revisit the pillars of cybersecurity: Confidentiality, Integrity, Availability, Authentication, and Authorization (CIAAA), and their role in safeguarding systems and data. Highlights include defense-in-depth strategies, least privilege access, secure input sanitization, effective patch management, and robust logging practices. Learn the importance of secure third-party components, distinguishing between authentication and authorization, using secure defaults to prevent misconfigurations, and designing systems resilient to failure. Thank you for joining us!
Every company uses software to function. Whether they are a Fortune 500 technology company or a sole proprietor landscaping company, software is integral to businesses large and small. Software provides a means to track employees, customers, inventory, and scheduling. Data moves across a myriad of systems, networks, and software, providing insights to businesses looking to stay competitive. Some of that software is built within the organization; some is purchased and integrated. What this means is that every organization, regardless of size and industry, has a software need. It enables organizations to move quickly and stay ahead of their competition.
This is where organizations need your help to secure their applications!
In this quick guide to application security and the OWASP Top Ten we will cover what is in the Top Ten. We’ll cover what makes them vulnerabilities and how to protect your application from attacks that exploit these vulnerabilities. We’ll talk about cryptographic failures, insecure configuration, how to maintain software integrity, what injection attacks are, and more! You’ll learn about the terms and security goals that are used in an organization. You’ll learn about some of the basic ways that application security can be brought into the development lifecycle, both from a traditional pipeline and from a DevSecOps perspective. I hope you enjoy this brief but key course on AppSec.