We'll discuss each kind of the most prevalent security flaws at the theoretical level, then using a specially-crafted, deliberately vulnerable Django app, individuals or pairs will carry out exploits against these flaws, and we'll illustrate solutions to mitigate each kind of attack. We'll be using the [OWASP Top 10](https://www.owasp.org/index.php/Top_10_2013-Top_10) as our topic roadmap, addressing issues such as: * Injection Attacks * Broken Authentication & Session Management * Cross-Site Scripting (XSS) * Insecure Direct Object References * Security Misconfiguration * Sensitive Data Exposure * Missing Function-Level Access Control * Cross-Site Request Forgery (CSRF) * Using Components with Known Vulnerabilities * Unvalidated Redirects and Forwards You'll want to set your brain to "devious" mode; you'll also need a laptop with Python 2.7 or 3.3 (or a buddy you can pair with). Having pip and virtualenv will be useful too, as will having Git installed to pull down the code we'll be working with. Attendees **do not need prior security experience**; this tutorial is aimed at **intermediate web developers** who are interested in gaining hands-on experience with **simple forms of the most common attacks**. Attendees should have some experience with **Python, Javascript, and SQL**, and may benefit from at least a passing familiarity with Django (eg, previously attending a Django tutorial or working through the [online tutorial](https://docs.djangoproject.com/en/1.4/intro/tutorial01/)).