Agenda

The OWASP Top Ten 2021 - excerpts

The OWASP Top 10 2021

A01 - Broken Access Control
  • Access control basics
  • Confused deputy
    • Insecure direct object reference (IDOR)
    • Path traversal
    • Lab – Insecure Direct Object Reference
    • Path traversal best practices
    • Authorization bypass through user-controlled keys
    • Case study – Authorization bypass on Facebook
    • Lab – Horizontal authorization
A02 - Cryptographic Failures
  • Information exposure
    • Case study – Strava data exposure
  • Cryptography for developers
    • Cryptography basics
A03 - Injection
  • Input validation
    • Input validation principles
    • Denylists and allowlists
    • What to validate – the attack surface
    • Where to validate – defense in depth
    • When to validate – validation vs transformations
    • Validation with regex
  • Injection
    • Injection principles
    • Injection attacks
  • Code injection
    • OS command injection
      • OS command injection best practices
      • Case study – Shellshock
      • Lab – Shellshock
A04 - Insecure Design
  • The STRIDE model of threats
  • Secure design principles of Saltzer and Schroeder
    • Economy of mechanism
    • Fail-safe defaults
    • Complete mediation
    • Open design
    • Separation of privilege
    • Least privilege
    • Least common mechanism
    • Psychological acceptability
  • Client-side security
    • Frame sandboxing
      • Cross-Frame Scripting (XFS) attacks
      • Lab – Clickjacking
      • Clickjacking protection best practices
      • Lab – Using CSP to prevent clickjacking
A06 - Vulnerable and Outdated Components
  • Using vulnerable components
  • Vulnerability management
    • Vulnerability databases
    • DevOps, the build process and CI / CD
A08 - Software and Data Integrity Failures
  • Subresource integrity
    • Importing JavaScript
    • Lab – Importing JavaScript
    • Case study – The British Airways data breach
A10 - Server-side Request Forgery (SSRF)
  • Server-side Request Forgery (SSRF)
  • Case study – SSRF and the Capital One breach
Wrap up
Secure coding principles
  • Principles of robust programming by Matt Bishop
And now what?
  • Software security sources and further reading

Location:

ITLS Training & Consulting GmbH
Gutheil-Schoder-Gasse 7a
1100 Vienna
www.itls.at/en/anfahrt

Or online via Microsoft Teams

Date:

15 September 2023

Time:

09.00–15.00

Event language:

English

Price:

The event is free of charge.

Speaker

Ernő JEGES

Ernő has been working in the area of security for nearly fifteen years. He has been involved in a number of R&D projects in different areas of security and has numerous scientific publications on various topics in both physical and logical security. His areas of interest include secure coding, software technologies, the convergence of logical and physical security, data hiding, the technological aspects of digital rights, remote biometrics and video content analysis. He has several innovations in the areas of ear-based human identification, the integration of fingerprint biometrics with cryptosystems, computer vision and software watermarking.

Ernő has actively taken part in the elaboration of all course materials, and he currently manages Cydrill Software Security. He is a highly qualified trainer with several years of experience and has held numerous secure coding courses for leading software development companies across Europe, the Americas, Africa and Asia.

  • Engineer of Informatics, Budapest University of Technology and Economics
  • Managing director, lead trainer of Cydrill Software Security
  • Certified Information Systems Auditor (CISA)