eLearning course catalog
Browse the current eLearning courses. For the latest updates on these courses, see Training updates.
The OWASP Top 10 2021 course supersedes OWASP 2017.
Download this course catalog
Secure Coding Foundations
Course | Description | Outline |
---|---|---|
Trust Boundaries 🕑 15 minutes 🗓️ Updated 4/4/2020 | This training covers secure coding foundation topics related to trust boundaries, including determining where where trust boundaries exist, and understanding best practices for securing data that passes a trust boundary. Intended audience: Any |
|
Authentication 🕑 45 minutes 🗓️ Updated 4/4/2020 | This training covers secure coding foundation topics related to authentication, including session management, service-based authentication, and cross-site request forgery. Intended audience: Any |
|
Authorization 🕑 20 minutes 🗓️ Updated 4/4/2020 | This training covers secure coding foundation topics related to authorization, including authorizing system access, where authorization should occur, and common authorization vulnerabilities. Intended audience: Any |
|
Validation and Encoding 🕑 30 minutes 🗓️ Updated 4/4/2020 | This training covers secure coding foundation topics related to input validation and output encoding, including validation strategies, SQL injection flaws, cross-site scripting, and other malicious input attempts. Intended audience: Any |
|
Information Handling 🕑 20 minutes 🗓️ Updated 4/4/2020 | This training covers secure coding foundation topics related to information handling, including information leakage, error handling, non-repudiation, auditing, and log files. Intended audience: Any |
|
Data Protection 🕑 25 minutes 🗓️ Updated 4/4/2020 | This training covers secure coding foundation topics related to data protection, including data protection failures, and cryptography. Intended audience: Any |
|
Configuration and Deployment 🕑 35 minutes 🗓️ Updated 4/4/2020 | This training covers secure coding foundation topics related to configuration and deployment, including failure to restrict URL access, malicious file execution, and using components with known vulnerabilities. Intended audience: Any |
|
General Security
Course | Description | Outline |
---|---|---|
Application Security Testing 🕑 35 minutes 🗓️ Updated 5/26/2021 | The Application Security Testing training covers assessment preparation, baseline review and testing, threat modeling, targeted testing, and assessment reporting. Intended audience: Security Professionals and Software Developers |
|
C/C++ Memory Management Risks and Best Practices 🕑 45 minutes 🗓️ Updated 5/26/2021 | This training reviews the safest way to work with C/C++ memory. Topics include stack and heap memory use, common coding flaws, and recommended memory management solutions. Intended audience: Software Developers |
|
Introduction to PCI DSS 3.2 for Developers 🕑 30 minutes 🗓️ Updated 5/26/2021 | This training describes the Payment Card Industry Data Security Standards (PCI DSS) that were designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers |
|
Introduction to Web Application Security 🕑 40 minutes 🗓️ Updated 5/26/2021 | This training reviews web application security. The course begins with a summary of why application security is important, and a review of HTTP basics. It concludes with an application attack demonstration, and exploit examples. Intended audience: Security Professionals, Software Developers, Project Managers, Quality Assurance Staff |
|
Secure Architecture and Design 🕑 40 minutes 🗓️ Updated 5/26/2021 | A secure architecture and infrastructure are necessary to protect an organization's systems and assets. Topics include functional security solutions, use and abuse cases, business controls, dependency risks, data flow, and control flow analysis. Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers |
|
General Security Awareness 🕑 63 minutes 🗓️ Updated 5/26/2021 | This training helps users to make smart decisions regarding security. It covers securing workplace information, security threats in the workplace, avoiding social engineering attacks, and best practices for email, password, and remote access use. Intended audience: All employees and contractors |
|
Secure Software Remediation Basics 🕑 25 minutes 🗓️ Updated 5/26/2021 | This training provides an overview of Software Security Remediation, from inception, through planning, and execution. Intended audience: Security Professionals, Software Developers and Software Quality Assurance Staff |
|
Threat Modeling 🕑 25 minutes 🗓️ Updated 5/26/2021 | This training describes threat modeling, when it is appropriate to use, and why it is useful. It also explains how to use threat modeling in application development. Intended audience: Security Professionals and Software Developers |
|
Cross Site Request Forgery (CSRF) Explained 🕑 20 minutes 🗓️ Updated 5/26/2021 | This training explains how Cross-Site Request Forgery (CSRF) is used by malicious actors to leverage social media (such as an email link) to trick a victim into executing actions defined by the attacker. Intended audience: Security Professionals and Software Developers |
|
Security for Mobile Devices
Course | Description | Outline |
---|---|---|
Overview of Mobile Application Security 🕑 25 minutes 🗓️ Updated 5/26/2021 | This training covers mobile device capabilities. It describes mobile platforms and application development tools, how mobile application threat models differ from typical web application threat models, and major security threats to mobile devices. Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers |
|
Authentication and Authorization for Android and iOS 🕑 20 minutes 🗓️ Updated 5/26/2021 | This course covers the types of Android local storage, methods of configuring locally stored data, how to choose proper encryption technologies for locally stored data, and how to secure network communication between the device and web services. Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers |
|
Data Protection for Android 🕑 25 minutes 🗓️ Updated 5/26/2021 | This course covers best practices for input validation and output encoding on the Android platform, and common mobile vulnerabilities that proper validation and encoding can help address. Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers |
|
Validation and Encoding for Android 🕑 30 minutes 🗓️ Updated 5/26/2021 | This course covers best practices for input validation and output encoding on the Android platform, and common mobile vulnerabilities that proper validation and encoding can help address. Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers |
|
AppSec Tutorials
Course | Description | Outline |
---|---|---|
Directory Traversal 🕑 10 minutes 🗓️ Updated 4/10/2020 | This training demonstrates an information leakage example, and provides suggested methods to help prevent it. Intended audience: Software Developers |
|
Information Leakage 🕑 10 minutes 🗓️ Updated 4/10/2020 | This training demonstrates a classic Open Redirect scenario, and provides suggested methods to help prevent it. Intended audience: Software Developers |
|
Open Redirects 🕑 10 minutes 🗓️ Updated 4/10/2020 | This training demonstrates an OS Command Injection attack, and provides suggested methods to help prevent it. Intended audience: Software Developers |
|
OS Command Injection 🕑 10 minutes 🗓️ Updated 4/10/2020 | This training demonstrates how an attacker might discover and exploit a CRLF Injection attack, and provides suggested methods to help prevent it. Intended audience: Software Developers |
|
CRLF Injection 🕑 10 minutes 🗓️ Updated 4/12/2020 | This training demonstrates how an attacker might discover and exploit a Cross Site Scripting attack, and provides suggested methods to help prevent it. Intended audience: Software Developers |
|
Cross Site Scripting 🕑 10 minutes 🗓️ Updated 4/10/2020 | This training demonstrates a cross-site request forgery attack on a web application, and provides suggested methods to help prevent it. Intended audience: Software Developers |
|
CSRF 🕑 10 minutes 🗓️ Updated 4/10/2020 | This training demonstrates a cross-site request forgery attack on a web application, and provides suggested methods to help prevent it. Intended audience: Software Developers |
|
SQL Injection 🕑 15 minutes 🗓️ Updated 9/1/2020 | This training demonstrates an SQL injection attack on a web application, and provides suggested methods to help prevent it. Intended audience: Software Developers |
|
Software and Data Integrity Failures 🕑 10 minutes 🗓️ Updated 5/17/2022 | This training demonstrates how updates, critical data, and pipelines can be security attack vectors when integrity is not verified, and suggests methods to minimize risk. Intended audience: Software Developers |
|
Server-Side Request Forgery 🕑 15 minutes 🗓️ Updated 5/17/2022 | This training demonstrates the risk to a web application when fetching a remote resource without validating the user-supplied URL, and provides suggested methods minimize the vulnerability. Intended audience: Software Developers |
|
Fundamentals Assessment 🕑 20 minutes 🗓️ Updated 5/17/2022 | This quiz tests the learner's knowledge of the information covered in the Application Security tutorials. Intended audience: Any |
|
OWASP Top 10 (2021)
Course | Description | Outline |
---|---|---|
Software Security Awareness 🕑 60 minutes 🗓️ Updated 5/17/2022 | This training covers the OWASP Top 10 Security Vulnerabilities for 2021. Each section describes a vulnerability, and provides tips to help prevent it. Intended audience: Software Developers and Security Professionals |
|
Secure Coding for .NET
Course | Description | Outline |
---|---|---|
Authentication 🕑 30 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding authentication topics for .NET, including security best practices, and how cross-site request forgery (CSRF) can be used to force an end user to execute unwanted actions, on behalf of a malicious actor. Intended audience: Software Developers |
|
Authorization 🕑 20 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding authorization topics for .NET developers, including authorizing system access, and common authorization vulnerabilities. Intended audience: Software Developers |
|
Validation and Encoding 🕑 20 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding validation and encoding topics for .NET, including input validation and output encoding, validation strategies, SQL injection flaws, cross-site scripting, and other malicious input attempts. Intended audience: Software Developers |
|
Information and Error Handling 🕑 20 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding information handling topics for .NET, including information access and leakage, error handling, non-repudiation, auditing, and log files. Intended audience: Software Developers |
|
Data Protection 🕑 25 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding data protection topics for .NET developers, including data protection failures and cryptography. Intended audience: Software Developers |
|
Configuration and Deployment 🕑 30 minutes 🗓️ Updated 5/24/2021 | This training covers configuration and deployment strategies to help prevent direct access to sensitive URLs, malicious file execution, and denial of service conditions. It also describes known vulnerabilities and the principle of least privilege. Intended audience: Software Developers |
|
Secure Coding for Java
Course | Description | Outline |
---|---|---|
Authentication 🕑 25 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding authentication topics for Java, including basic authentication, session management, service-based authentication, and cross-site request forgery. Intended audience: Software Developers |
|
Authorization 🕑 25 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding authorization topics for Java developers, including authorizing system access, and common authorization vulnerabilities. Intended audience: Software Developers |
|
Validation and Encoding 🕑 25 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding validation and encoding topics for Java, including input validation and output encoding, validation strategies, SQL injection flaws, cross-site scripting, and other malicious input attempts. Intended audience: Software Developers |
|
Information and Error Handling 🕑 25 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding information handling topics for Java, including information access and leakage, error handling, non-repudiation, auditing, and log files. Intended audience: Software Developers |
|
Data Protection 🕑 20 minutes 🗓️ Updated 5/24/2021 | This training covers secure coding data protection topics for Java developers, including data protection failures and cryptography. Intended audience: Software Developers |
|
Configuration and Deployment 🕑 25 minutes 🗓️ Updated 5/24/2021 | This training covers configuration and deployment strategies to help prevent direct access to sensitive URLs, malicious file execution, and denial of service conditions. It also describes known vulnerabilities and the principle of least privilege. Intended audience: Software Developers |
|
Secure Coding for JavaScript
Course | Description | Outline |
---|---|---|
Information Handling 🕑 25 minutes 🗓️ Updated 2/12/2020 | This training covers secure coding information handling topics for JavaScript, including web information handling risks, secure error reporting, JavaScript function execution, and framework status reporting features. Intended audience: Software Developers |
|
Data Protection 🕑 18 minutes 🗓️ Updated 2/12/2020 | This training covers secure coding data protection topics for JavaScript developers, including browser data protection, web data storage, and data protection best practices. Intended audience: Software Developers |
|
Validation and Encoding 🕑 29 minutes 🗓️ Updated 2/13/2020 | This training covers secure coding validation and encoding topics for JavaScript developers, including JavaScript validation techniques, data encoding, field validation, React framework validation, and Angular framework validation. Intended audience: Software Developers |
|
Configuration and Deployment 🕑 17 minutes 🗓️ Updated 2/13/2020 | This training covers configuration and deployment strategies to help prevent direct access to sensitive URLs, malicious file execution, and denial of service conditions. It also describes known vulnerabilities and the principle of least privilege. Intended audience: Software Developers |
|
Authentication and Authorization 🕑 22 minutes 🗓️ Updated 2/13/2020 | This training covers secure coding authentication and authorization topics for JavaScript, including access authentication, authorization methods, service-based authentication, authorization best practices, and framework authorization features. Intended audience: Software Developers |
|
Secure Coding for PHP
Course | Description | Outline |
---|---|---|
Authentication 🕑 25 minutes 🗓️ Updated 5/25/2021 | This training covers secure coding authentication topics for PHP, including basic authentication, session management, service-based authentication, and cross-site request forgery. Intended audience: Software Developers |
|
Authorization 🕑 30 minutes 🗓️ Updated 5/25/2021 | This training covers secure coding authorization topics for PHP developers, including authorizing system access, and common authorization vulnerabilities. Intended audience: Software Developers |
|
Validation and Encoding 🕑 40 minutes 🗓️ Updated 5/25/2021 | This training covers secure coding validation and encoding topics for PHP, including input validation and output encoding, validation strategies, SQL injection flaws, cross-site scripting, and other malicious input attempts. Intended audience: Software Developers |
|
Information Handling 🕑 20 minutes 🗓️ Updated 5/25/2021 | This training covers secure coding information handling topics for PHP, including information access and leakage, error handling, non-repudiation, auditing, and log files. Intended audience: Software Developers |
|
Data Protection 🕑 30 minutes 🗓️ Updated 5/25/2021 | This training covers data protection topics for PHP developers, including data protection failures and cryptography. Intended audience: Software Developers |
|
Configuration and Deployment 🕑 35 minutes 🗓️ Updated 5/25/2021 | This training covers configuration and deployment strategies to help prevent direct access to sensitive URLs, malicious file execution, and denial of service conditions. It also describes known vulnerabilities and the principle of least privilege. Intended audience: Software Developers |
|
Secure Coding for Python
Course | Description | Outline |
---|---|---|
Design and Maintenance |