OWASP Top 10 Practical Web Application Security training course

Module 4 — A03:2025 Software Supply Chain Failures

14:00 to 15:00

• Understanding the expanded scope from "Vulnerable and Outdated Components" (A06:2021) to the full software supply chain: dependencies, build systems, registries and distribution infrastructure
• Case studies: SolarWinds, Log4Shell, XZ Utils backdoor and dependency confusion attacks
• Understanding Software Bills of Materials (SBOMs) and their role in supply chain transparency
• Tools and practices: Software Composition Analysis (SCA), dependency pinning, signed artefacts, SLSA framework levels
• Hands-on lab: running OWASP Dependency-Check against a sample project; interpreting CVE findings and applying remediation strategies; reviewing a basic SBOM

Afternoon Break 1: 15 mins — 15:00 to 15:15

Module 5 — A04:2025 Cryptographic Failures

15:15 to 16:15

• Cryptographic Failures in context: still in the top 4 despite falling from #2, affecting ~3.80% of applications (32 CWEs)
• Data sensitivity classification: identifying what data requires cryptographic protection at rest and in transit
• Common failure patterns: use of weak or deprecated algorithms (MD5, SHA-1, DES, RC4), hard-coded secrets, insufficient key lengths, improper certificate validation and cleartext storage of sensitive data
• Password storage: why hashing is not enough — understanding salting, stretching and modern password hashing functions (bcrypt, Argon2, scrypt)
• Practical TLS considerations for application developers (complementing infrastructure-level TLS configuration)
• Hands-on lab: identifying cryptographic weaknesses using static analysis; replacing weak hashing implementations; configuring secrets management using environment variables and a vault-style store

Afternoon Break 2: 15 mins — 16:15 to 16:30

Module 6 — A05:2025 Injection

16:30 to 17:30

• Injection in 2025: still a major risk (38 CWEs) ranging from high-frequency/lower-impact Cross-Site Scripting (XSS) to lower-frequency/high-impact SQL Injection
• Attack taxonomy: SQL Injection, OS Command Injection, LDAP Injection, XPath Injection, Server-Side Template Injection (SSTI) and Prompt Injection in AI-integrated applications
• The root cause: untrusted data interpreted as commands or queries
• Defence strategies: parameterised queries and prepared statements, input validation, output encoding and the principle of least privilege for database accounts
• Hands-on lab: exploiting SQL Injection using manual techniques and sqlmap; demonstrating stored and reflected XSS; applying parameterised queries and context-sensitive output encoding as fixes

End of Day 1 — 17:30

Day 2 of 2 — "Security Architecture & Design Best Practices"

Theme: The five OWASP Top 10:2025 risks rooted in architecture, identity, integrity and operational response, covering A06–A10, followed by programme-level synthesis.

Module 7 — A06:2025 Insecure Design

09:30 to 10:30

• Distinguishing insecure design from insecure implementation: why fixing code is not enough when the design itself is flawed
• Recap of progress since 2021: improved industry awareness of threat modelling and secure-by-design principles
• Secure design patterns: defence in depth, least privilege, fail securely, separation of duties, economy of mechanism
• Abuse case and misuse case modelling: thinking like an attacker at the design stage
• Introduction to threat modelling methodologies: STRIDE, PASTA and threat modelling with OWASP Threat Dragon
• Hands-on lab: structured threat modelling exercise against a provided application architecture diagram; identifying design-level weaknesses and proposing security controls before a line of code is written

Morning Break 1: 15 mins — 10:30 to 10:45

Module 8 — A07:2025 Authentication Failures

10:45 to 11:45

• From "Identification and Authentication Failures" (2021) to "Authentication Failures" (2025): a tighter focus on 36 CWEs
• Common failure patterns: credential stuffing, brute force, weak or absent multi-factor authentication (MFA), insecure session management, predictable tokens and insecure "remember me" functionality
• The positive trend: standardised frameworks (OAuth 2.0, OpenID Connect, FIDO2/WebAuthn, passkeys) reducing occurrence rates
• Session lifecycle management: secure creation, transmission, timeout and invalidation
• Hands-on lab: demonstrating credential stuffing using a wordlist attack; bypassing weak MFA implementations; reviewing and hardening session cookie attributes (Secure, HttpOnly, SameSite); implementing account lockout and rate limiting

Morning Break 2: 15 mins — 11:45 to 12:00

Module 9 — A08:2025 Software or Data Integrity Failures

12:00 to 13:00

• Distinguishing A08 from A03: A08 focuses on trust boundary failures at the artefact and data level, where A03 addresses the broader supply chain ecosystem
• Failure patterns: insecure deserialisation of untrusted data, missing integrity checks on software updates, auto-update mechanisms without signature verification and CI/CD pipeline manipulation
• The role of code signing: signing commits, container images and release artefacts
• CI/CD pipeline security: protecting build secrets, enforcing pipeline-as-code reviews and detecting tampering
• Hands-on lab: demonstrating an insecure deserialisation attack; verifying artefact integrity using cryptographic checksums and digital signatures; reviewing a sample CI/CD pipeline configuration for integrity weaknesses

Lunch Break: 60 mins — 13:00 to 14:00

Module 10 — A09:2025 Security Logging & Alerting Failures

14:00 to 15:00

• Why "Logging and Monitoring" became "Logging and Alerting": the critical distinction between capturing events and acting on them
• What to log: authentication events, access control failures, input validation failures and high-value business transactions — and what not to log (PII, credentials, payment data)
• Log integrity and centralisation: protecting logs from tampering, shipping to a SIEM, log retention policies
• Alerting design: defining thresholds, avoiding alert fatigue, building meaningful dashboards
• Mapping logs to the MITRE ATT&CK framework for detection engineering
• Hands-on lab: configuring structured (JSON) application logging in a sample application; writing detection rules in a SIEM query language; simulating an attack scenario and validating that the alert fires correctly

Afternoon Break 1: 15 mins — 15:00 to 15:15

Module 11 — A10:2025 Mishandling of Exceptional Conditions (New for 2025)

15:15 to 16:15

• Introduction to this new category (24 CWEs): what prompted its inclusion and the real-world failures it captures
• Core failure patterns: improper error handling revealing stack traces or internal paths; failing open (granting access on error) versus failing secure (denying access on error); unchecked return values; integer overflows and numeric edge cases; logical errors under unexpected input
• The principle of failing securely: designing systems that default to a safe state when exceptions occur
• Error messages for users versus error detail for developers: building a two-tier error handling strategy
• Exceptional conditions in AI and LLM-integrated applications: prompt injection edge cases, unexpected model outputs and graceful degradation
• Hands-on lab: reviewing code samples exhibiting common exceptional-condition failures; refactoring error handling to fail securely; writing and running unit tests that deliberately trigger boundary and error conditions

Afternoon Break 2: 15 mins — 16:15 to 16:30

Module 12 — Synthesis, Risk Prioritisation & Building a Continuous AppSec Programme

16:30 to 17:30

• Reflecting on the full OWASP Top 10:2025: consolidating learning across both days and connecting the ten risks into a coherent security narrative
• Risk-based prioritisation: mapping the Top 10 to your organisation's technology stack, threat model and regulatory context
• Embedding security in the SDLC: security requirements, secure design review, SAST/DAST/SCA in CI/CD, penetration testing and bug bounty programmes
• Signposting trusted continuous learning resources: OWASP projects (ASVS, WSTG, Cheat Sheet Series, Threat Dragon, Dependency-Check), SANS, PortSwigger Web Security Academy, CVE/NVD feeds
• Flowing security requirements to third parties: contractual clauses, supplier questionnaires and software assurance expectations
• Completing end-of-course feedback survey to improve future iterations
• Q&A and close