SEC522: Application Security: Securing Web Applications, APIs, and Microservices

SEC522 | Cloud Security
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by: Jason Lam & Dr. Johannes Ullrich
  • GIAC Certified Web Application Defender (GWEB)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 21 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Gain the skills you need to understand and mitigate vulnerabilities and secure web applications, APIs, and microservices.

Course Overview

SEC522 is a hands-on, advanced application security course that teaches security professionals how to identify and mitigate vulnerabilities in web applications, APIs, and cloud-native services. Through 20 practical labs and a final Defend-the-Flag challenge, participants gain the skills to defend against real-world threats, integrate security early in the development lifecycle, and protect modern application ecosystems. The course also prepares students for the GWEB certification and aligns with the OWASP Top 10 and industry best practices.

What You’ll Learn

  • Defend against OWASP Top 10 attacks and input-related vulnerabilities like SQL injection, XSS, and CSRF
  • Enhance infrastructure security and configuration management for robust protection
  • Securely integrate cloud components, microservices, and AI tools into modern applications
  • Strengthen authentication and authorization with OAuth, SAML, SSO, and password-less mechanisms
  • Improve web security using protective HTTP headers and cross-domain request controls
  • Protect SOAP, REST, and GraphQL APIs from emerging threats

Business Takeaways

  • Comply with PCI DSS and other compliance requirements
  • Reduce the overall application security risks, and protect company reputation
  • Adopt the "shifting left" mindset: address security issues early and quickly, reducing cost
  • Adopt modern applications built on APIs and microservices in a secure manner
  • This course prepares students for the GWEB certification

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC522: Application Security: Securing Web Applications, APIs, and Microservices.

Section 1: Web Fundamentals and Secure Configurations

The course begins with web application fundamentals, including the HTTP protocol and architecture, which are essential for security. It then covers securing configurations in modern development, focusing on Infrastructure as Code. It also explores best practices for managing infrastructure, cloud, and web-server configurations to enhance security.

Topics covered

  • Introduction to HTTP protocol
  • Overview of web authentication
  • Web application architecture
  • Recent attack trends
  • Web security & firewalls

Labs

  • HTTP basics
  • HTTP/2 traffic inspection and spoofing
  • Environment isolation
  • SSRF and credential-stealing

Section 2: Input-Related Defenses

Section 2 focuses on defending against threats from external input, which modern applications receive from various sources, including browsers, web services, and non-web-standard systems. It covers common input-related attacks, real-world examples, and defense patterns.

Topics covered

  • Web application vulnerabilities
  • SQL injection
  • Cross-Site Request Forgery
  • Unicode and file upload handling
  • Business logic and concurrency

Labs

  • SQL injection
  • Cross-Site Request Forgery
  • Cross-Site Scripting
  • Unicode and file upload

Section 3: Authentication and Authorization

Section 3 covers authentication and authorization in web apps, including exploits and mitigations. It explores passwordless and multifactor authentication, modern SSO solutions like OAuth, JWT, and OpenID Connect, and their challenges. The section concludes with encryption best practices for data in transit and storage.

Topics covered

  • Authentication vulnerabilities
  • Multifactor authentication
  • Session vulnerabilities and testing
  • Authorization and SSL vulnerabilities
  • Encryption for web applications

Labs

  • Authentication
  • Session fixation
  • OAuth and access control
  • Inspecting SSL traffic with Wireshark

Section 4: Web Services and Front-End Security

This section begins with SOAP-based web services before shifting to JavaScript’s front-end security concerns, including CORS. It covers security risks, mitigation strategies, and best practices for AJAX applications. The section concludes with client-side defenses like Content Security Policy, exploring both benefits and limitations.

Topics covered

  • Web services overview
  • XML security
  • AJAX attack trends
  • Modern JavaScript frameworks
  • Browser features and defense

Labs

  • WSDL enumeration
  • Cross-domain AJAX
  • Front-end security features and CSP
  • Clickjacking

Section 5: APIs and Microservices Security

This section covers deserialization security, DNS rebinding, and security risks in REST and GraphQL APIs. It explores microservices architecture, common attacks, and best practices. The day concludes with a discussion on securely integrating AI components into modern applications.

Topics covered

  • Deserialization
  • REST and GraphQL security
  • Microservices and AI security
  • Security testing
  • Logging and error handling

Labs

  • Deserialization and DNS Rebinding
  • GraphQL
  • API gateways and JSON
  • SRI and log review

Section 6: DevSecOps and Defending the Flag

This section introduces DevSecOps in enterprise web development. A hands-on lab reinforces course lessons, challenging students to identify real vs. false vulnerabilities and apply mitigations. Exercises cover securing the OS, web server, configurations, and fixing coding flaws.

Topics covered

  • DevSecOps

Labs

  • Defending the Flag Capstone Exercise

Course Schedule & Pricing

Course price: $8,780 USD (prices exclude applicable local taxes)

Scheduled offerings (8):

  • Virtual (OnDemand), instructed by Jason Lam. OnDemand (Anytime), self-paced, 4 months access.
  • Raleigh, NC, US & Virtual (live), instructed by Joshua Barone.
  • Las Vegas, NV, US & Virtual (live), instructed by Dr. Johannes Ullrich.
  • Denver, CO, US & Virtual (live), instructed by Dr. Johannes Ullrich.
  • Dallas, TX, US & Virtual (live), instructed by Dr. Johannes Ullrich.
  • Orlando, FL, US & Virtual (live), instructed by Dr. Johannes Ullrich.
  • San Diego, CA, US & Virtual (live).
  • Washington, DC, US & Virtual (live).

Benefits of Learning with SANS

  • Expert instruction: get feedback from the world's best cybersecurity experts and instructors
  • Flexible delivery: choose how you want to learn, whether online, on demand, or at live in-person training events
  • Resources: get access to our range of industry-leading courses and resources