Play by Play is a series in which top technologists work through a problem in real time, unrehearsed, and unscripted. In this course, Play by Play: OWASP Top 10 2017, Troy Hunt and Andrew van der Stock discuss the methodology used to construct the 2017 version of the OWASP Top 10. You’ll learn how the analysis of the data collected resulted in a reordering of the risks from the 2013 version, the inclusion of new risks, and the demotion of some risks that were included in previous versions. By the end of this course, you’ll be familiar with each risk and understand how best to use the 2017 OWASP Top 10.
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
Andrew van der Stock is a leading web application researcher in the proactive web application community. He has sat on the OWASP Global Board of Directors since 2015 and has held the treasurer role since 2016.
Section Introduction Transcripts
Course Overview

Hi everyone. I'm Troy Hunt. I'm an Aussie security specialist, long-time Pluralsight author, and the creator of many other Play by Plays in the Pluralsight library. I recently teamed up with fellow Aussie and Director of the OWASP Foundation, Andrew van der Stock, and we created a course on the OWASP Top 10 2017 edition. Andrew is a great guy to do this course with because he's a co-leader of the OWASP Top 10. He's also a senior principal consultant at Synopsys, and he was the perfect guy to learn all about what is new in the OWASP Top 10 2017 edition. We've got four years since the last version of the Top 10, and it turns out a lot has changed in that time. We've actually gotten better at some things, which is great news, that have dropped off the Top 10. But we've also introduced all new risks due to the changing environment in the technology landscape. In this Play by Play, you're going to hear about why we've gotten so much better at cross-site scripting, why cross-site request forgery has disappeared altogether from the Top 10, and why we now have XML external entities and insecure deserialization. And they're both specific risks we've never seen in the Top 10 before. So this course is going to help you focus on the top application security risks that you need to know today and help you understand why they're important. And in this course, you'll see Andrew demonstrating exactly how some of these risks get exploited as well. This is a must-see course for everyone building web software today. Please join Andrew van der Stock and me on this Play by Play journey as we take you through the OWASP Top 10 2017 edition.
Introduction

Hi, I'm Troy Hunt. I am a Pluralsight author who has done a bunch of courses on the OWASP Top 10 before, but today we're going to do the OWASP Top 10 2017 edition, and I'm here with Andrew van der Stock. So Andrew, why don't you tell everyone what you do, because you've got some good insight into this whole OWASP thing.

Okay, so I'm a Director of the OWASP Foundation. I am also the current co-leader of the OWASP Top 10 as of about mid-way through last year. I've been looking after the Application Security Verification Standard for a number of years, which is a proper standard. We'll talk about that a little bit later. And in my real world, I am a senior principal consultant at Synopsys.