Education Track: Web Application Security Primer - Revision history

Martinknobloch at 21:28, 18 March 2009

2009-03-18T21:28:07Z

Sdeleersnyder: /* Table of Contents */

2007-11-01T14:31:15Z

‎Table of Contents

Sdeleersnyder at 19:23, 22 October 2007

2007-10-22T19:23:34Z

Sdeleersnyder at 11:25, 21 October 2007

2007-10-21T11:25:47Z

Sdeleersnyder at 10:21, 21 October 2007

2007-10-21T10:21:03Z

Sdeleersnyder at 08:27, 21 October 2007

2007-10-21T08:27:12Z

Sdeleersnyder at 07:53, 21 October 2007

2007-10-21T07:53:35Z

Sdeleersnyder: /* Table of Contents Proposal */

2007-10-21T07:51:33Z

‎Table of Contents Proposal

Sdeleersnyder at 20:13, 29 July 2007

2007-07-29T20:13:32Z

Sdeleersnyder: /* A Web Application Security Primer */

2007-07-29T17:38:09Z

‎A Web Application Security Primer

← Older revision		Revision as of 21:28, 18 March 2009
Line 58:		Line 58:

	[[Category:OWASP Education Project]]		[[Category:OWASP Education Project]]
		+	[[Category:OWASP_Education_Project_New]]

@@ Line 18: / Line 18: @@
 The challenge is to cover web application security in 4 hours to people who are new to the subject. The track is presented in such a way that people who are involved in developing or deploying a web application will know what their responsibilities are how to manage web application security controls within their area of influence.
-* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min)
+* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])
 :This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.
 :*What goes wrong
 :*WebAppSec Defined
 :*Current trends
-* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]]  (100 min)
+* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]]  (100 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])
 :The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.
 :*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]
@@ Line 35: / Line 35: @@
 :*Insecure Communications
 :*Failure to Restrict URL Access
-*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (100 min)
+*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (100 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])
 :There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.
 :*People Awareness and Education
@@ Line 49: / Line 49: @@
 :*Starting and improving an SDLC
 :*Web Application Security Roles and Responsibilities
-*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min)
+*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])
 :This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.
 :*Hard Copy

@@ Line 35: / Line 35: @@
 :*Insecure Communications
 :*Failure to Restrict URL Access
-*Embed within SDLC (People, Processes & Tools) (100 min)
+*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (100 min)
 :There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.
 :*People Awareness and Education

@@ Line 23: / Line 23: @@
 :*WebAppSec Defined
 :*Current trends
-*OWASP Top 10 Introduction & Remedies (100 min)
+* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]]  (100 min)
 :The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.
 :*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]

@@ Line 49: / Line 49: @@
 :*Starting and improving an SDLC
 :*Web Application Security Roles and Responsibilities
-*Good WebAppSec Resources (not limited to OWASP) (10 min)
+*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min)
 :This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.
 :*Hard Copy

@@ Line 6: / Line 6: @@
 The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.
-This Education Track provides in a 4 hour session covering what every actor involved in developing or deploying a web application should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or remediated. A secure coding initiative must deal with all stages of a program’s lifecycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Several web application security controls are explained that should be part of the SDLC. Finally the track finishes with an exhaustive list of web application security resources for web application developers.
+This Education Track provides in a 4 hour session covering what every actor involved in developing or deploying a web application should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re-mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Several web application security controls are explained that should be part of the SDLC. Finally the track finishes with an exhaustive list of web application security resources for web application developers.
 == Track Audience ==
@@ Line 16: / Line 16: @@
 == Table of Contents ==
-The challenge is to cover web application security in 4 hours to people who are new to the subject. The track is presented in such a way that people who are involved in developing or deploying a web appliction will know what their responsabilities are how to manage web application security controls within their area of influence.
+The challenge is to cover web application security in 4 hours to people who are new to the subject. The track is presented in such a way that people who are involved in developing or deploying a web application will know what their responsibilities are how to manage web application security controls within their area of influence.
 * [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min)
@@ Line 36: / Line 36: @@
 :*Failure to Restrict URL Access
 *Embed within SDLC (People, Processes & Tools) (100 min)
-:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Techologies.
+:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.
 :*People Awareness and Education
 :*Web Application Security Training
@@ Line 48: / Line 48: @@
 :*WebAppSec Tools
 :*Starting and improving an SDLC
-:*Web Application Security Roles and Responsabilities
+:*Web Application Security Roles and Responsibilities
 *Good WebAppSec Resources (not limited to OWASP) (10 min)
-:This 4 hour education track in only the beginning of your yourney. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.
+:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.
 :*Hard Copy
 :*Web Sites
 :*Mailing lists
 :*Blogs
-*RoundUp (10 min)
+*Roundup (10 min)
 [[Category:OWASP Education Project]]

@@ Line 15: / Line 15: @@
 Another important aspect is that web application security should be tailored to the risk profile of an organization.
-== Table of Contents Proposal ==
+== Table of Contents ==
 The challenge is to cover web application security in 4 hours to people who are new to the subject. The track is presented in such a way that people who are involved in developing or deploying a web appliction will know what their responsabilities are how to manage web application security controls within their area of influence.

@@ Line 25: / Line 25: @@
 *OWASP Top 10 Introduction & Remedies (100 min)
 :The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.
-:*Cross Site Scripting (XSS)
+:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]
 :*Injection Flaws
 :*Malicious File Execution

@@ Line 1: / Line 1: @@
-= A Web Application Security Primer =
+== Track Overview ==
-We first start with a small project to create a slide deck of WebAppSec intro topics for newbie's. This can be used to bring OWASP chapter visitors up to speed on the topic.<br>
+Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.
-Next to the slide deck we will create some sort of teacher manual with narrative text and maybe complement this with a WebEx (or other) recording. <br>
-After the material is created we will organize a ‘teach the teacher’ session to enable others to use this. <br>
+The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.
-What should be part of this intro? <br>
-TOC proposal:
+This Education Track provides in a 4 hour session covering what every actor involved in developing or deploying a web application should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or remediated. A secure coding initiative must deal with all stages of a program’s lifecycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Several web application security controls are explained that should be part of the SDLC. Finally the track finishes with an exhaustive list of web application security resources for web application developers.
-* Why WebAppSec & History
-* OWASP Introduction
+== Track Audience ==
-* Current Trends
+The track audience is are all people that become involved in developing or administering a web application and who are new to web application security. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP,  JSF, Java EE or .NET.
-* OWASP Top 10: Introduction & Remedies
-* OWASP Top 10 2007: [http://www.owasp.org/images/1/11/OWASP_Top_10_2007_RC1.zip RC 1]
+We must realize that people are the most important factor when web applications are secured. It is not enough to have good tools to secure web applications and to have excellent secure development and administration processes. People are often the weakest link within web application security. This track aims to make that link as secure as possible, given the constraint of 4 hours.
-* Embed within Complete Approach (People, Processes & Tools)
-* Good AppSec Resources (not limited to OWASP)
+Another important aspect is that web application security should be tailored to the risk profile of an organization.
-We already have a large part of the above material; it’s just a matter of restructuring and recompiling some stuff to a Newbie introduction track of about 4 hours. <br>
-Once we get this going, it can provide the base for more advanced tracks. <br>
+== Table of Contents Proposal ==
 [[Category:OWASP Education Project]]