
eLearning course catalog

Browse the current eLearning courses. For the latest updates on these courses, see Training updates.

The OWASP Top 10:2025 courses supersede the OWASP Top 10:2021 courses.


Secure Coding Foundations

Course | Description | Outline
Trust Boundaries
🕑
15 minutes
🗓️
Updated 4/29/2024
This training covers secure coding foundations topics related to trust boundaries, including determining where trust boundaries exist, and understanding best practices for securing data that passes a trust boundary.

Intended audience: Any
  • Module Overview
  • The Integrity of User Input
  • Summary and Quiz
Authentication
🕑
45 minutes
🗓️
Updated 4/29/2024
This training covers secure coding foundations topics related to authentication, including session management, service-based authentication, and cross-site request forgery.

Intended audience: Any
  • Module Overview
  • Authentication in Theory and Practice
  • Authentication and Session Management
  • Service Based Authentication
  • Cross-Site Request Forgery
  • Summary and Quiz
Authorization
🕑
20 minutes
🗓️
Updated 4/29/2024
This training covers secure coding foundations topics related to authorization, including authorizing system access, where authorization should occur, and common authorization vulnerabilities.

Intended audience: Any
  • Module Overview
  • Authorization
  • Summary and Quiz
Validation and Encoding
🕑
30 minutes
🗓️
Updated 4/29/2024
This training covers secure coding foundations topics related to input validation and output encoding, including validation strategies, SQL injection flaws, cross-site scripting, and other malicious input attempts.

Intended audience: Any
  • Module Overview
  • Input Validation and Output Encoding
  • Injection Flaws
  • Cross-Site Scripting
  • Unvalidated Redirects and Forwards
  • Summary and Quiz
Information Handling
🕑
20 minutes
🗓️
Updated 4/29/2024
This training covers secure coding foundations topics related to information handling, including information leakage, error handling, non-repudiation, auditing, and log files.

Intended audience: Any
  • Module Overview
  • Information and Error Handling
  • Non-Repudiation and Auditing
  • Summary and Quiz
Data Protection
🕑
25 minutes
🗓️
Updated 4/29/2024
This training covers secure coding foundations topics related to data protection, including data protection failures and cryptography.

Intended audience: Any
  • Module Overview
  • Data Protection
  • Cryptographic Algorithms
  • Summary and Quiz
Configuration and Deployment
🕑
35 minutes
🗓️
Updated 4/29/2024
This training covers secure coding foundations topics related to configuration and deployment, including failure to restrict URL access, malicious file execution, and using components with known vulnerabilities.

Intended audience: Any
  • Module Overview
  • Best Practices
  • Failure to Restrict URL Access
  • Malicious File Execution
  • Using Components with Known Vulnerabilities
  • Summary and Quiz

General Security

Course | Description | Outline
Application Security Testing
🕑
35 minutes
🗓️
Updated 4/29/2024
The Application Security Testing training covers assessment preparation, baseline review and testing, threat modeling, targeted testing, and assessment reporting.

Intended audience: Security Professionals and Software Developers
  • Introduction
  • General Assessment Approach
  • Scenario
  • Assessment Preparation
  • Threat Modeling
  • Baseline Review and Testing
  • Reviewing Techniques
  • Reporting
  • Scenario Conclusion
  • Summary and Quiz
C/C++ Memory Management Risks and Best Practices
🕑
45 minutes
🗓️
Updated 4/29/2024
This training reviews the safest way to work with C/C++ memory. Topics include stack and heap memory use, common coding flaws, and recommended memory management solutions.

Intended audience: Software Developers
  • Module Overview
  • Scenario
  • Stack and Heap Architecture
  • Common Coding Flaws
  • Other Security Vulnerabilities
  • Memory Management Solutions
  • Scenario Conclusion
  • Summary and Quiz
Introduction to PCI DSS for Developers
🕑
30 minutes
🗓️
Updated 4/29/2024
This training describes the Payment Card Industry Data Security Standard (PCI DSS), which was designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers
  • Module Overview
  • An Introduction to PCI DSS
  • Scenario
  • Requirements and Compliance
  • Requirement 6 In-Depth
  • Scenario Conclusion
  • Summary and Quiz
Introduction to Web Application Security
🕑
40 minutes
🗓️
Updated 4/29/2024
This training reviews web application security. The course begins with a summary of why application security is important, and a review of HTTP basics. It concludes with an application attack demonstration, and exploit examples.

Intended audience: Security Professionals, Software Developers, Project Managers, Quality Assurance Staff
  • Module Overview
  • Scenario
  • Real Case Studies: Notable Breaches
  • Application Attacks
  • Importance of Application Security
  • SQL Injection Activity
  • Basics of HTTP
  • Cross-Site Scripting Activity
  • Scenario Conclusion
  • Summary and Quiz
Secure Architecture and Design
🕑
40 minutes
🗓️
Updated 4/29/2024
A secure architecture and infrastructure are necessary to protect an organization's systems and assets. Topics include functional security solutions, use and abuse cases, business controls, dependency risks, data flow, and control flow analysis.

Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers
  • Module Overview
  • Scenario
  • Functional Security Requirements and Solutions
  • Use and Abuse Cases
  • Business Controls and Risks from Dependencies
  • Data Flow and Control Flow Analysis
  • Scenario Conclusion
  • Summary and Quiz
Security Awareness
🕑
63 minutes
🗓️
Updated 4/29/2024
This training helps users to make smart decisions regarding security. It covers securing workplace information, security threats in the workplace, avoiding social engineering attacks, and best practices for email, password, and remote access use.

Intended audience: All employees and contractors
  • Module Overview
  • Information Security
  • Password Security
  • Security Threats in the Workplace
  • Security for Remote Employees
  • Summary and Quiz
Secure Software Remediation Basics
🕑
25 minutes
🗓️
Updated 4/29/2024
This training provides an overview of software security remediation, from inception through planning and execution.

Intended audience: Security Professionals, Software Developers and Software Quality Assurance Staff
  • Module Overview
  • Introduction to Software Remediation
  • Scenario: Software Remediation Process
  • The Inception Phase
  • The Planning Phase
  • The Execution Phase
  • Scenario Conclusion
  • Summary and Quiz
Threat Modeling
🕑
25 minutes
🗓️
Updated 4/29/2024
This training describes threat modeling, when it is appropriate to use, and why it is useful. It also explains how to use threat modeling in application development.

Intended audience: Security Professionals and Software Developers
  • Module Overview
  • Scenario
  • Terminology and Approaches
  • Methodologies and Tools
  • Scenario Conclusion
  • Summary and Quiz
Cross Site Request Forgery (CSRF) Explained
🕑
20 minutes
🗓️
Updated 4/29/2024
This training explains how Cross-Site Request Forgery (CSRF) is used by malicious actors to leverage social engineering (such as an email link) to trick an authenticated victim's browser into executing actions defined by the attacker.

Intended audience: Security Professionals and Software Developers
  • Module Overview
  • Scenario
  • CSRF Details
  • Detection and Prevention
  • Scenario Conclusion
  • Summary and Quiz
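The mechanism this course describes is a browser sending the victim's session cookie along with a request the attacker composed. The standard defence is to require a secret the attacker cannot read: a token bound to the session and checked on every state-changing request, plus an Origin/Referer check. The following is an added example written for this catalog, not material from the course itself; `SERVER_KEY`, `SITE_ORIGIN`, the token format and the dict-shaped `request` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumed server-side key for this example; a real deployment loads it from
# a secret store, never from source.
SERVER_KEY = secrets.token_bytes(32)

# Assumed origin of the protected application.
SITE_ORIGIN = ("https", "app.example.com")

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id):
    """Mint a synchronizer token bound to one session.

    Format: nonce.HMAC-SHA256(SERVER_KEY, session_id ':' nonce). The nonce is
    public; the MAC can only be produced by the server, and only for this
    session, so a token stolen from another session does not verify.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """True only if token was minted for session_id and is unmodified."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(mac, expected)


def same_origin(value):
    """True if an Origin or Referer header value points at SITE_ORIGIN.

    Parsed rather than prefix-matched so that 'https://app.example.com.evil'
    does not pass.
    """
    try:
        p = urlparse(value)
    except ValueError:
        return False
    return (p.scheme, p.hostname) == SITE_ORIGIN and p.port in (None, 443)


def is_request_allowed(request, session_id):
    """Decide whether a request may proceed for the authenticated session.

    `request` is a constructed dict with keys method, headers (dict) and
    form (dict), standing in for whatever the web framework provides.
    Safe methods pass. Anything else must carry a valid token (header or
    form field) and, if an Origin/Referer is present, it must match the site.
    A forged cross-site request fails both checks: the browser fills in the
    cookie but the attacker can neither read the token nor spoof Origin.
    """
    if request["method"].upper() in SAFE_METHODS:
        return True
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if source is not None and not same_origin(source):
        return False
    token = headers.get("x-csrf-token") or request.get("form", {}).get("csrf_token")
    return verify_csrf_token(session_id, token)


if __name__ == "__main__":
    sid = "session-abc123"  # constructed session identifier
    tok = issue_csrf_token(sid)
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example"},
              "form": {"amount": "1000", "to": "attacker"}}
    legit = {"method": "POST", "headers": {"Origin": "https://app.example.com"},
             "form": {"amount": "10", "to": "friend", "csrf_token": tok}}
    print("forged allowed:", is_request_allowed(forged, sid))
    print("legit allowed:", is_request_allowed(legit, sid))
```

The token is checked before any side effect, and the Origin check is a second, independent layer; neither replaces setting `SameSite` on the session cookie, which the example does not show.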

Security for Mobile Devices

Course | Description | Outline
Overview of Mobile Application Security
🕑
25 minutes
🗓️
Updated 4/29/2024
This training covers mobile device capabilities. It describes mobile platforms and application development tools, how mobile application threat models differ from typical web application threat models, and major security threats to mobile devices.

Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers
  • Module Overview
  • Scenario
  • Mobile Application Threat Modeling
  • Mobile Security Threats
  • Comparison of Native Applications and Web Applications
  • Scenario Conclusion
  • Summary and Quiz
Authentication and Authorization for Android and iOS
🕑
20 minutes
🗓️
Updated 4/29/2024
This training covers authentication and authorization for mobile devices, including protecting data in transit, protecting resources with strong authentication, and mobile device credential handling.

Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers
  • Module Overview
  • Scenario: Android Authentication and Authorization
  • Authentication Failures
  • Data Exploitation in Transit
  • Insecure On-Device Credential Storage
  • Scenario Conclusion
  • Summary and Quiz
Data Protection for Android
🕑
25 minutes
🗓️
Updated 4/29/2024
This course covers the types of Android local storage, methods of configuring locally stored data, how to choose proper encryption technologies for locally stored data, and how to secure network communication between the device and web services.

Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers
  • Module Overview
  • Android Storage Types
  • Scenario: Securing Data in Android
  • Securing Stored Data
  • Securing Data in Transit
  • Scenario Conclusion
  • Summary and Quiz
Validation and Encoding for Android
🕑
30 minutes
🗓️
Updated 4/29/2024
This course covers best practices for input validation and output encoding on the Android platform, and common mobile vulnerabilities that proper validation and encoding can help address.

Intended audience: Mobile Application Developers, Software Developers, Security Professionals, Penetration Testers
  • Module Overview
  • Scenario
  • Defending Against Injection
  • IPCs and Their Security
  • Validating Data from Third-Party Web Services
  • Scenario Conclusion
  • Summary and Quiz

AppSec Tutorials

Course | Description | Outline
Directory Traversal
🕑
10 minutes
🗓️
Updated 4/29/2024
This training demonstrates a directory traversal attack, and provides suggested methods to help prevent it.

Intended audience: Software Developers
  • Module Overview
  • Path Traversal Summary
  • Path Traversal Example
  • Conclusion and Module Summary
Information Leakage
🕑
10 minutes
🗓️
Updated 4/29/2024
This training demonstrates an information leakage example, and provides suggested methods to help prevent it.

Intended audience: Software Developers
  • Module Overview
  • Information Leakage Overview
  • Information Leakage Example
  • Conclusion and Module Summary
Open Redirects
🕑
10 minutes
🗓️
Updated 4/29/2024
This training demonstrates a classic Open Redirect scenario, and provides suggested methods to help prevent it.

Intended audience: Software Developers
  • Module Overview
  • Open Redirects Overview
  • Open Redirect Example
  • Conclusion and Module Summary
OS Command Injection
🕑
10 minutes
🗓️
Updated 4/29/2024
This training demonstrates an OS Command Injection attack, and provides suggested methods to help prevent it.

Intended audience: Software Developers
  • Module Overview
  • Operating System Command Injection (OSCi) Overview
  • Occurrence and Impact
  • Conclusion and Module Summary
CRLF Injection
🕑
10 minutes
🗓️
Updated 4/29/2024
This training demonstrates how an attacker might discover and exploit a CRLF Injection vulnerability, and provides suggested methods to help prevent it.

Intended audience: Software Developers
  • Module Overview
  • CRLF Overview
  • CRLF Example
  • Conclusion and Module Summary
Cross Site Scripting
🕑
10 minutes
🗓️
Updated 4/29/2024
This training demonstrates how an attacker might discover and exploit a Cross-Site Scripting vulnerability, and provides suggested methods to help prevent it.

Intended audience: Software Developers
  • Module Overview
  • Cross-Site Scripting Overview
  • Cross-Site Scripting Example
  • Conclusion and Module Summary
CSRF
🕑
10 minutes
🗓️
Updated 4/29/2024
This training demonstrates a cross-site request forgery attack on a web application, and provides suggested methods to help prevent it.

Intended audience: Software Developers
  • Module Overview
  • CSRF Overview
  • CSRF Example
  • Conclusion and Module Summary
SQL Injection
🕑
15 minutes
🗓️
Updated 4/29/2024
This training demonstrates how an attacker might discover and exploit an SQL Injection vulnerability, and provides suggested methods to help prevent it.

Intended audience: Software Developers
  • Module Overview
  • SQL Injection Attacks Overview
  • SQL Injection Attacks Examples and Prevention
  • Conclusion and Module Summary
Software and Data Integrity Failures
🕑
10 minutes
🗓️
Updated 4/29/2024
This training demonstrates how updates, critical data, and pipelines can be security attack vectors when integrity is not verified, and suggests methods to minimize risk.

Intended audience: Software Developers
  • Module Overview
  • What are Software and Data Integrity Failures?
  • Scenario
  • Impacts
  • Example
  • Prevention
  • Scenario Conclusion
  • Summary
Server-Side Request Forgery
🕑
15 minutes
🗓️
Updated 4/29/2024
This training demonstrates the risk to a web application when it fetches a remote resource without validating the user-supplied URL, and provides suggested methods to mitigate the vulnerability.

Intended audience: Software Developers
  • Module Overview
  • Introduction
  • Scenario
  • Impacts
  • Example
  • Prevention
  • Scenario Conclusion
  • Summary
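The failure this course covers is a server that fetches whatever URL it is handed, which lets a request reach loopback services, RFC 1918 hosts and cloud metadata endpoints that the attacker cannot reach directly. The following is an added example written for this catalog, not code from the course; the allowlist in `ALLOWED_HOSTS`, the permitted ports and the function names are assumptions chosen for illustration. It validates a URL deny-by-default before any fetch is attempted.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed allowlist for this example: the only hosts the application is
# designed to fetch from. Real applications load this from configuration.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_ip_literal(host):
    """True if the host component is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_fetch_url(url):
    """Return (True, host) if url may be fetched server-side, else (False, reason).

    Deny-by-default: scheme, embedded credentials, host and port are each
    checked against an allowlist. IP literals are refused outright so that
    loopback (127.0.0.1, ::1), link-local (169.254.169.254 metadata) and
    private ranges never get through, regardless of how they are spelled.
    """
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"  # file://, gopher://, ftp:// ...

    if parts.username is not None or parts.password is not None:
        # "https://images.example.com@evil.example/" parses the allowlisted
        # name as a username; the real host is evil.example.
        return False, "credentials in URL"

    host = parts.hostname
    if not host:
        return False, "missing host"
    host = host.lower().rstrip(".")  # trailing-dot FQDN form

    if is_ip_literal(host):
        return False, "IP literal not allowed"

    if host not in ALLOWED_HOSTS:
        # Exact match only: "images.example.com.evil.example" is rejected.
        return False, "host not in allowlist"

    if port not in ALLOWED_PORTS:
        return False, "port not allowed"

    return True, host


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and typical SSRF probes.
    samples = [
        "https://images.example.com/cat.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost:8080/admin",
        "file:///etc/passwd",
        "https://images.example.com@evil.example/x",
        "https://images.example.com.evil.example/",
        "http://[::1]/",
        "https://images.example.com:8443/",
    ]
    for s in samples:
        print(f"{s!r:55} -> {validate_fetch_url(s)}")
```

Validating the string is necessary but not sufficient: an allowlisted name can still resolve to an internal address (DNS rebinding), and an allowlisted server can redirect elsewhere. The HTTP client therefore has to resolve the name, check the resulting address against the same private-range rules at connect time, and either refuse redirects or re-run this validation on each hop.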
Veracode Application Security Fundamentals Assessment
🕑
20 minutes
🗓️
Updated 4/29/2024
This quiz tests the learner's knowledge of the information covered in the Application Security tutorials. This is a QUIZ ONLY course and there is no lesson content.

Intended audience: Any
  • Module Overview
  • Quiz

OWASP Top 10:2025

Course | Description | Outline
Software Security Awareness
🕑
60 minutes
🗓️
Updated 3/4/2026
This training covers the OWASP Top 10 Security Vulnerabilities for 2025. Each section describes a vulnerability, and provides tips to help prevent it.

Intended audience: Software Developers and Security Professionals
  • Module Overview
  • A01:2025 Broken Access Control
  • A02:2025 Security Misconfiguration
  • A03:2025 Software Supply Chain Failures
  • A04:2025 Cryptographic Failures
  • A05:2025 Injection
  • A06:2025 Insecure Design
  • A07:2025 Authentication Failures
  • A08:2025 Software or Data Integrity Failures
  • A09:2025 Security Logging & Alerting Failures
  • A10:2025 Mishandling of Exceptional Conditions
  • Summary and Quiz
Secure Coding for .NET - OWASP Top 10:2025
🕑
60 minutes
🗓️
Updated 3/4/2026
This training covers the OWASP Top 10 Security Vulnerabilities for 2025 in .NET. Each section describes a vulnerability, and provides tips to help prevent it.

Intended audience: Software Developers and Security Professionals
  • Module Overview
  • A01:2025 Broken Access Control
  • A02:2025 Security Misconfiguration
  • A03:2025 Software Supply Chain Failures
  • A04:2025 Cryptographic Failures
  • A05:2025 Injection
  • A06:2025 Insecure Design
  • A07:2025 Authentication Failures
  • A08:2025 Software or Data Integrity Failures
  • A09:2025 Security Logging & Alerting Failures
  • A10:2025 Mishandling of Exceptional Conditions
  • Summary and Quiz
Secure Coding for Java - OWASP Top 10:2025
🕑
60 minutes
🗓️
Updated 3/4/2026
This training covers the OWASP Top 10 Security Vulnerabilities for 2025 in Java. Each section describes a vulnerability, and provides tips to help prevent it.

Intended audience: Software Developers and Security Professionals
  • Module Overview
  • A01:2025 Broken Access Control
  • A02:2025 Security Misconfiguration
  • A03:2025 Software Supply Chain Failures
  • A04:2025 Cryptographic Failures
  • A05:2025 Injection
  • A06:2025 Insecure Design
  • A07:2025 Authentication Failures
  • A08:2025 Software or Data Integrity Failures
  • A09:2025 Security Logging & Alerting Failures
  • A10:2025 Mishandling of Exceptional Conditions
  • Summary and Quiz
Secure Coding for JavaScript - OWASP Top 10:2025
🕑
60 minutes
🗓️
Updated 3/4/2026
This training covers the OWASP Top 10 Security Vulnerabilities for 2025 in JavaScript. Each section describes a vulnerability, and provides tips to help prevent it.

Intended audience: Software Developers and Security Professionals
  • Module Overview
  • A01:2025 Broken Access Control
  • A02:2025 Security Misconfiguration
  • A03:2025 Software Supply Chain Failures
  • A04:2025 Cryptographic Failures
  • A05:2025 Injection
  • A06:2025 Insecure Design
  • A07:2025 Authentication Failures
  • A08:2025 Software or Data Integrity Failures
  • A09:2025 Security Logging & Alerting Failures
  • A10:2025 Mishandling of Exceptional Conditions
  • Summary and Quiz
Secure Coding for PHP - OWASP Top 10:2025
🕑
60 minutes
🗓️
Updated 3/4/2026
This training covers the OWASP Top 10 Security Vulnerabilities for 2025 in PHP. Each section describes a vulnerability, and provides tips to help prevent it.

Intended audience: Software Developers and Security Professionals
  • Module Overview
  • A01:2025 Broken Access Control
  • A02:2025 Security Misconfiguration
  • A03:2025 Software Supply Chain Failures
  • A04:2025 Cryptographic Failures
  • A05:2025 Injection
  • A06:2025 Insecure Design
  • A07:2025 Authentication Failures
  • A08:2025 Software or Data Integrity Failures
  • A09:2025 Security Logging & Alerting Failures
  • A10:2025 Mishandling of Exceptional Conditions
  • Summary and Quiz
Secure Coding for Python - OWASP Top 10:2025
🕑
60 minutes
🗓️
Updated 3/4/2026
This training covers the OWASP Top 10 Security Vulnerabilities for 2025 in Python. Each section describes a vulnerability, and provides tips to help prevent it.

Intended audience: Software Developers and Security Professionals
  • Module Overview
  • A01:2025 Broken Access Control
  • A02:2025 Security Misconfiguration
  • A03:2025 Software Supply Chain Failures
  • A04:2025 Cryptographic Failures
  • A05:2025 Injection
  • A06:2025 Insecure Design
  • A07:2025 Authentication Failures
  • A08:2025 Software or Data Integrity Failures
  • A09:2025 Security Logging & Alerting Failures
  • A10:2025 Mishandling of Exceptional Conditions
  • Summary and Quiz

Product Skill Assessments

Course | Description | Outline
User and Application Setup - Skills Assessment
🕑
20 minutes
🗓️
Updated 10/14/2025
This quiz tests the learner's knowledge of the information covered in the 'User and application setup' learning path. This is a QUIZ ONLY course and there is no lesson content.

Intended audience: Any
  • Module Overview
  • Quiz
Static Analysis - Skills Assessment
🕑
20 minutes
🗓️
Updated 10/14/2025
This quiz tests the learner's knowledge of the information covered in the 'Static Analysis' learning path. This is a QUIZ ONLY course and there is no lesson content.

Intended audience: Any
  • Module Overview
  • Quiz
Dynamic Analysis - Skills Assessment
🕑
20 minutes
🗓️
Updated 10/14/2025
This quiz tests the learner's knowledge of the information covered in the 'Dynamic Analysis' learning path. This is a QUIZ ONLY course and there is no lesson content.

Intended audience: Any
  • Module Overview
  • Quiz
Scan and Fix in Your IDE - Skills Assessment
🕑
20 minutes
🗓️
Updated 10/14/2025
This quiz tests the learner's knowledge of the information covered in the 'Scan and fix in your IDE' learning path. This is a QUIZ ONLY course and there is no lesson content.

Intended audience: Any
  • Module Overview
  • Quiz
SCA Agent-Based Scanning - Skills Assessment
🕑
20 minutes
🗓️
Updated 10/14/2025
This quiz tests the learner's knowledge of the information covered in the 'SCA Agent-based Scan' learning path. This is a QUIZ ONLY course and there is no lesson content.

Intended audience: Any
  • Module Overview
  • Quiz