
Software supply chain failures are breakdowns or other compromises in the process of building, distributing, or updating software. They are often caused by vulnerabilities or malicious changes in third-party code, tools, or other dependencies that the system relies on.
Mishandling exceptional conditions in software happens when programs fail to prevent, detect, and respond to unusual and unpredictable situations, which leads to crashes, unexpected behavior, and sometimes vulnerabilities.
This can involve one or more of the following three failings: the application does not prevent an unusual situation from happening, it does not identify the situation as it is happening, and/or it responds poorly or not at all to the situation afterwards.
A02:2021-Cryptographic Failures shifts up one position to #2. It was previously known as Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography, which often lead to sensitive data exposure or system compromise.
Keep learning about Cyber Security to prevent Ransomware from the perspective of a CISO!
A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to "move left" as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from CVE/CVSS data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.
A10:2021-Server-Side Request Forgery is added from the industry survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the industry professionals are telling us this is important, even though it's not illustrated in the data at this time.
This video explains the fourth web application security vulnerability of the OWASP top 10, XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler or internal file shares, and to perform internal port scanning, remote code execution, and denial of service attacks.
This video explains the eighth web application security vulnerability of the OWASP top 10, Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
This video explains the last web application security vulnerability of the OWASP top 10, Insufficient Logging and Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to gain access to more systems, and tamper with, extract, or destroy data.
Most breach studies show that the time to detect a breach is around 200 days.
Please find several data breach reports from Verizon in the attachments for your convenience (from 2008 - 2023).
For your convenience I've combined the OWASP 2017 and OWASP 2013 top 10 lists into a single list of 10 common threats. In addition to the top 10, the Open Web Application Security Project (OWASP) has a standard called the Application Security Verification Standard (ASVS). Herewith two links to the relevant resources to jumpstart the added value of this course; enrol now!
Please note that the new videos regarding the updated OWASP top 10 can be found in a separate section called: New videos! The whole course slide deck is made available for you to maximise your learning (OWASP course v1.4.pdf). If that is not enough, I've added a text document with URLs that you can use to identify, protect against and mitigate weaknesses in your web applications (OWASP Course resources URLs). The latter also contains URLs to enhance your privacy.
Happy learning!
Alternatively, a great summary has been written by researchers and can be found attached: WAS.pdf
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
This section introduces the 2025 Release Candidate of the OWASP Top 10.
This video explains the first web application security vulnerability of the OWASP top 10, (SQL) injection. Even in 2021, injection, especially SQL injection, is commonplace. Injection attacks can be defeated using input/output sanitisation techniques, which are described in the attachments.
However, there are several categories of injection vulnerabilities. The categories are explained in:
1) You shall not pass - Mitigating SQL Injection Attacks on Legacy Web Applications
2) A novel technique to prevent SQL injection and cross-site scripting attacks.
This video explains the second web application security vulnerability Broken Authentication of the OWASP top 10. Some authentication methods, especially the ones that rely solely on usernames and passwords, are considered broken. In fact, the Open Web Application Security Project or OWASP has ranked broken authentication as number 2 in the list of most seen application vulnerabilities. It is, therefore, important to understand the threats that are common to authentication mechanisms (Quote from the book 'Authentication and access control', written by Sirapat Boonkrong).
This vulnerability has been renamed by OWASP from Broken Authentication and Session Management to Broken Authentication. The vulnerability is still the same, hence I'm leaving this video untouched. If you have any questions or remarks, please don't hesitate to contact me.
This video explains the seventh web application security vulnerability of the OWASP top 10, Cross-Site Scripting (XSS).
OWASP has published a cheatsheet that you can use to reduce the likelihood of XSS attacks, see attachments.
This video explains the fifth web application security vulnerability of the OWASP top 10, Broken Access Control.
OWASP provides several hints for resolving Broken Access Control, see attachment.
This video explains the sixth web application security vulnerability of the OWASP top 10, Security Misconfiguration.
OWASP is still in the process of documenting misconfigurations in web servers, application servers, frameworks, CMSs, etc. This documentation process is far from complete at this moment (Sept. 2017) and will probably never be complete. Nevertheless, I believe their online documentation gives you some pointers.
There are industry best practices to harden your systems (applications, operating systems, etc.). The Center for Internet Security (CIS) provides you with these best practices, see attachment.
Resources:
- Security misconfiguration - links.docx
- Holistic Web Application...Test Results.pdf. This study presents metrics/measures and a dashboard tool for visualizing dynamic application security test results.
This video explains the third web application security vulnerability of the OWASP top 10, Sensitive Data Exposure. OWASP's online documentation gives you some tips on how to mitigate Sensitive Data Exposure.
OWASP decided to discard this issue (checked in Apr. 2020). Nevertheless, this issue may still be relevant for you.
On a broader level you could also think of threat modelling. Herewith OWASP’s cheat sheet.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
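Two standard server-side defences against the attack just described, written as an added example that is not part of the course material: an Origin check and a session-bound synchronizer token on a simulated state-changing endpoint. The application origin, server secret, session value and request shapes are constructed for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Hypothetical application origin and server-side secret (constructed for this example).
SITE_ORIGIN = "https://bank.example"
SERVER_SECRET = b"example-only-secret-keep-out-of-source-control"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    The server embeds it in its own forms; a page on another site cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url: str, expected: str) -> bool:
    a, b = urlparse(url), urlparse(expected)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def handle_transfer(request: dict, session_id: str) -> tuple[int, str]:
    """Simulated POST /transfer. session_id stands for the session cookie the browser
    attaches automatically, which is why CSRF works: the cookie alone cannot prove the
    user intended this request. Two independent checks reject forged requests."""
    headers = request.get("headers", {})
    form = request.get("form", {})
    # Check 1: Origin (falling back to Referer) must be our own site.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or not same_origin(origin, SITE_ORIGIN):
        return 403, "cross-site request rejected"
    # Check 2: the form must carry the session-bound token (constant-time compare).
    if not hmac.compare_digest(form.get("csrf_token", ""), issue_csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"


# Constructed sample traffic: the victim's browser sends the same session cookie in all three.
SESSION = "sess-victim-1234"
LEGIT = {"headers": {"Origin": SITE_ORIGIN},
         "form": {"to": "IBAN-FRIEND", "amount": "50", "csrf_token": issue_csrf_token(SESSION)}}
FORGED = {"headers": {"Origin": "https://attacker.example"},
          "form": {"to": "IBAN-ATTACKER", "amount": "5000"}}
FORGED_NO_ORIGIN = {"headers": {}, "form": {"to": "IBAN-ATTACKER", "amount": "5000"}}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("forged", FORGED), ("forged_no_origin", FORGED_NO_ORIGIN)]:
        print(name, handle_transfer(req, SESSION))
```

The token check alone already defeats the forged requests; the Origin check is a cheap second layer for cases where a token is accidentally left out of a form.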
This video explains the ninth web application security vulnerability of the OWASP top 10, Using Components with Known Vulnerabilities. OWASP provides several hints for resolving this issue.
OWASP decided to discontinue this issue (checked in Apr. 2020). Nevertheless, it may still be relevant for you.
I've also included three academic papers that explain the best practices of how to create secure APIs (especially for microservices).
Please find a qualitative risk analysis methodology process in the resources of this lecture (defense in depth revisited one column.pdf). Though this process is quite tedious, it gives you an overview of what you could think of when estimating the risks that might occur. I've also included defense in depth mitigation strategies from the US Department of Homeland Security. It is very comprehensive and thus gives you a nice overview of the strategies you could employ in your organization (NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf).
CISA (Cybersecurity & Infrastructure Security Agency) provides documents detailing a wide variety of industrial control systems (ICS) topics associated with cyber vulnerabilities and their mitigation, see attachment.
STRIDE is used to identify threats and stands for: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. Check out the Excel sheet in the attachment which is ready for you to use! Microsoft has documented the use and identification of threats comprehensively on their website.
HOWEVER, please note that security sometimes hurts privacy. For instance, collecting a lot of information about a user enables you to hold the user accountable (good for resolving security incidents), but may hurt privacy (since you are collecting too much information). To identify privacy threats, researchers came up with the LINDDUN framework.
I've also attached a paper that provides you with a concrete example for data protection by design (thus identifying and resolving privacy threats).
Herewith some additional background resources you can use to get in-depth knowledge of secure software development processes.
I also added comparisons between the processes in the resources of this lecture (i.e. (1) On the secure software development process: CLASP, SSDL and Touchpoints compared, (2) Comparison of SDL and Touchpoints).
Don't forget to always test your website for basic security configuration.
Practice your hacking skills for free, see attachment.
See attachment.
+ Update with latest RC 2025!
+ Get instant access to FREE resources to scan your website
+ Easy to understand how-to videos!
+ Access to instructor if you ever get stuck!
Within 1.5 hours you will be able to explain web application security without having to code. For your convenience:
I've combined the OWASP 2025, OWASP 2017 and OWASP 2013 top 10 lists into several sections with common web application security threats.
I've updated the course with the latest threats added by OWASP in 2021.
I've updated the course with the latest threats added by OWASP in 2025.
I will teach you the most common threats identified by the Open Web Application Security Project (OWASP).
Overview
1) Understand the OWASP top 10,
2) Explain impact per security threat,
3) Understand how these threats can be executed by attackers / pentesters / hackers
4) Explain how these security threats can be mitigated
You will be able to understand the above-mentioned points without having to understand code. When implemented properly, it will decrease the impact of ransomware.
How is that possible?
The threats are explained conceptually, since the implementation of a threat may differ per situation. Therefore, having a general understanding of the security threats, their implications and potential solutions will provide you with the essential knowledge to mitigate the impact of these web application security threats. Hence, no security coding or security testing experience is needed.
Content (the course is updated continuously thus this list will grow!)
Injection
Broken Authentication and Session Management
Cross-Site Scripting
Broken Access Control
Security Misconfiguration
Sensitive Data Exposure
Insufficient Attack Protection
Cross-Site Request Forgery
Using Components with Known Vulnerabilities
Underprotected APIs
XML External Entities (XXE)
Insecure Deserialisation
Insufficient logging and monitoring
Cryptographic Failures
Insecure Design
Software and Data Integrity Failures
Server-Side Request Forgery
My Promise to You
I'm a full time CISO / cyber security consultant and online teacher. I'll be here for you every step of the way. If you have any questions about the course content or anything related to this topic, you can send me a direct message.
What makes me qualified to teach you?
My name is Soerin and I've been a cyber security consultant and teacher of cyber security for over a decade. I teach over 90,000 students online and 2,000 offline, and have accumulated hundreds of 5-star reviews like these:
"I really like this format of short videos followed by a couple of questions, it is certainly my favorite way to learn." Camilla from Brazil
"Really great structure, I love the "What is it?" -> "what is the impact?" -> "prevention tactics" aspect of it because it allows for a much more easy to follow course." Jason from USA
"Great resources and very time-efficient. No extra unnecessary stuff, just the main points!" Emma from UK
Besides experience as a Chief Information Security Officer (CISO) at several large Dutch organisations I hold the following certifications:
TOGAF Foundation
Certified Information Systems Auditor (CISA)
ISO 27001 Lead Auditor
ISO 27001 Lead Implementer
Leading Scaled Agile Framework
Certified Information Systems Security Professional (CISSP)
Certified Information Privacy Professional (CIPP / Europe)
Certified Scrum Master
Certified Secure Software Lifecycle Professional (CSSLP)
Azure Fundamentals (AZ-900)
PRINCE2 Foundation
International Software Testing Qualifications Board (ISTQB)
I have a 30-day 100% money back guarantee, so if you aren't happy with your purchase, I will refund your course - no questions asked!
I can't wait to see you in the course!
Enrol now, and I'll help you in your journey understanding Web Application Security better than ever before!
Cheers,
Soerin