OWASP Proactive Controls, Part 2 of 2: Controls 6 through 10

OWASP Proactive Controls, Part 2 of 2: Controls 6 through 10

LearnNow Online
Updated Aug 23, 2018

Course description

In this course, you will learn about the OWASP Top 10 Proactive Controls document and the many guidelines it provides to help developers write better and more secure code. In particular, I will cover the last five controls. These include implementing access control to verify what a user is allowed to do in a system, methods of protecting data at rest and in transit, implementing logging and intrusion detection, and finally I will talk about using existing security frameworks and libraries as well as best practices for error and exception handling. Join me in this course as we continue our exploration of the OWASP Top 10 Proactive Controls.

Each LearnNowOnline training course is made up of Modules (typically an hour in length). Within each module there are Topics (typically 15-30 minutes each) and Subtopics (typically 2-5 minutes each). There is a Post Exam for each Module that must be passed with a score of 70% or higher to successfully and fully complete the course.


The assumption is the student is familiar with web and/or mobile development plus basic application security principles. Also, it is highly recommended the student be familiar with the OWASP Top 10 project. There are several other courses provided by LearnNowOnline which can prepare the student with knowledge of the OWASP Top 10 before taking this course. This course is about the OWASP Top 10 Proactive Controls, which is a supplement to the OWASP Top 10 for developers

Meet the expert

Robert Hurlbut

Robert Hurlbut is a software security architect and trainer. He is a Microsoft MVP for Developer Security / Visual Studio and Development Technologies and he holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure coding, software architecture, and software development and has served as a project manager, director of software development, chief software architect, and application security champion for several companies. He speaks at user groups, national and international conferences, and provides training for many clients.

Video Runtime

55 Minutes

Time to complete

102 Minutes

Course Outline

OWASP Proactive Controls 6-10

Implement Access Controls (15:00)

  • Introduction (00:33)
  • C6 - Implement Appropriate Access Controls (02:41)
  • Access Control Anti-Patterns (07:13)
  • Role-Based Access Control (01:22)
  • ASP.NET Roles vs. Claims Authorization (01:29)
  • Apache Shiro Permission-Based Access Control (01:16)
  • Summary (00:23)

Protect Data (18:54)

  • Introduction (00:31)
  • C7 - Protect Data (00:47)
  • Encrypting Data in Transit (03:52)
  • HSTS (Strict Transport Security) (04:22)
  • Certificate Pinning (02:45)
  • Browser-Based TOFU Pinning (01:32)
  • Pinning in Play (Chrome) (00:52)
  • Forward Secrecy (01:35)
  • Google KeyCzar (01:04)
  • Libsodium (01:13)
  • Summary (00:15)

Logging and Intrusion Detection (10:22)

  • Introduction (00:24)
  • C8 - Implement Logging and Intrusion Detection (01:15)
  • Tips for Proper Application Logging (03:13)
  • Detection Points Examples (05:07)
  • Summary (00:21)

Security Frameworks and Exception Handling (11:26)

  • Introduction (00:30)
  • C9 - Leverage Security Frameworks and Libraries (03:08)
  • Security Frameworks and Libraries (01:06)
  • C10 - Error and Exception Handling (02:18)
  • Best Practices for Error and Exception Handling (03:58)
  • Summary (00:23)