After this lesson, you will be able to: Map the top security threats organizations face today (ransomware, supply-chain attacks, zero-days, social engineering, insider threats) to the OWASP and NIST frameworks that organize the response.
The OWASP Top 10 names vulnerability classes in code. This lesson zooms out to the threats that exploit them: the attacker categories and campaigns that make headlines. Knowing the threat landscape, and how OWASP and the NIST Cybersecurity Framework map onto it, is what turns a coder into a security-minded engineer.
Ransomware: malware encrypts an organization's data and demands payment, often paired with data theft (double extortion). Supply-chain attacks: compromise one trusted vendor or dependency to reach thousands of downstream targets (SolarWinds, log4j-style component risk). Zero-days: exploits for vulnerabilities the vendor does not yet know about, so no patch exists. Social engineering / phishing: attacking people instead of code to harvest credentials or trigger actions; still the most common initial-access method. Insider threats: a current or former employee, contractor, or partner who misuses legitimate access, whether malicious or negligent.
Two frameworks, two altitudes. OWASP names the code-level weaknesses; NIST CSF organizes the whole program.
OWASP Top 10: the code/app-level weaknesses an attacker exploits (injection, broken access control, vulnerable components, etc.). Use it to harden what you build.
NIST Cybersecurity Framework (CSF): five functions that organize an organization's whole security program: Identify, Protect, Detect, Respond, Recover.
Map a threat through both: ransomware -> Protect (patching, least privilege, A06/A05 fixes) + Detect (logging/monitoring, A09) + Recover (tested, offline backups).
Phishing -> Protect (MFA, training) + Detect (anomalous-login alerts) + Respond (incident runbook).
Supply chain -> Identify (SBOM, know your dependencies) + Protect (signed/verified artifacts, A08).
Use OWASP when writing code; use NIST CSF when reasoning about the organization's posture.
No single control stops everything, which is why defense in depth matters (covered next lesson). Against ransomware: patch fast, least privilege, segmented networks, and tested offline backups. Against supply-chain attacks: dependency scanning, lockfiles, and signed artifacts. Against zero-days: layered controls so one unknown bug is not game over, plus fast patching when disclosure happens. Against social engineering: MFA everywhere, phishing-resistant factors, and user training. Against insider threats: least privilege, logging of high-value actions (A09), and separation of duties.
Pick the best answer.
Sign in and purchase access to unlock this lesson.