Web Security Fundamentals Course by Troy Hunt



Most organisations spend a lot of money and time securing their information systems by installing the latest, costly network controls such as firewalls and intrusion detection and prevention systems. Yet many of the most damaging attacks in recent years have been against web applications, from the 2011 attack on Sony to the recent Qatar National Bank data leak through SQL injection. Web applications are among the most exposed parts of an organisation, while knowledge of web application security remains limited because most security professionals come from a networking background. For anyone wanting a basic understanding of web application security, the free online course Web Security Fundamentals by Troy Hunt is a good start.
       
Troy Hunt’s short introductory course is a good overview of the top risks on the web. In a little over an hour, Troy covers SQL injection, insufficient TLS (Transport Layer Security), insecure password storage, cross-site scripting and weak account management. For each risk he first gives a logical view of how it works, then demonstrates it live, and finally shows what measures reduce or eliminate it. A few free tools, such as Havij and Hashcat, are demonstrated to show how automated these attacks can get. It is a gentle introduction to web security by an expert.
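As an added example, not code from the course or from this post, here is what two of those risks look like side by side in Python: a login that builds its SQL by string concatenation and compares the password in plaintext, next to one that uses a parameterised query and a salted, iterated PBKDF2 hash. The in-memory user table, the sample user "alice" and her password are constructed for the demo; everything else is standard library.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample credentials for the demo (hypothetical user, not from the course).
USERS = [("alice", "correct horse battery staple")]

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing string for storage."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def build_db() -> sqlite3.Connection:
    """In-memory SQLite user table. The plaintext column exists only so the
    vulnerable login below can be shown; the hardened login never reads it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, password_hash TEXT)"
    )
    for user, pw in USERS:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, pw, hash_password(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: user input is concatenated into the SQL text and the
    password is compared in plaintext inside the database."""
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query (input can never change the SQL structure) plus a
    salted, iterated hash check in application code."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    conn = build_db()
    # The attacker knows a username but not the password. A trailing '--' turns the
    # rest of the vulnerable query into a comment; "' OR '1'='1" makes the WHERE true.
    for user, pw in [("alice", "correct horse battery staple"),
                     ("alice' --", "anything"),
                     ("alice", "' OR '1'='1")]:
        print(f"{user!r:14} {pw!r:32} vulnerable={login_vulnerable(conn, user, pw)} "
              f"hardened={login_hardened(conn, user, pw)}")
```

Both injected inputs log in through the vulnerable function and fail through the hardened one. The hardened version also never lets the database see the password: the hash is verified in application code with a constant-time comparison, so a dump of the table yields salted hashes rather than credentials.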


The course is a must-watch for web developers, new security admins and executives looking for a short yet useful overview of web security risks and the measures that counter them. As Troy mentions, security is a much more complex domain than these five risks. He covers key issues beyond them in his final video, where he talks about auditing, granting and reviewing permissions, and prioritizing security efforts. I would have liked some references to further learning to have been given. The OWASP (Open Web Application Security Project) website is an excellent resource to begin a more detailed study, and Web Application Security by Bryan Sullivan and Vincent Liu is a good book for a more comprehensive yet simplified view of the field. Overall an excellent course, which motivated me to follow the author on Twitter (@troyhunt) and watch more of his courses on Pluralsight.

Further Reading
  1. The 10 Most Common Application Attacks in Action
  2. OWASP Top 10 awareness document
  3. Web Application Security by Bryan Sullivan and Vincent Liu

Comments

  1. Did you see that Troy did a follow-up course specifically about ransomware? https://www.varonis.com/learn/introduction-to-ransomware/
