SEC522: Defending Web Applications Security Essentials

GIAC Certified Web Application Defender (GWEB)
GIAC Certified Web Application Defender (GWEB)
  • In Person (6 days)
  • Online
36 CPEs

This is the course to take if you have to defend web applications! The quantity and importance of data entrusted to web applications is increasing, and defenders need to learn how to secure these critical data. Traditional network defenses such as firewalls fail to secure web applications. In covering the OWASP Top 10 Risks and beyond, SEC522 will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization's web assets.

What You Will Learn

Not A Matter of "If" but "When". Be Prepared For A Web Attack. We'll Teach You How.

The quantity and importance of data entrusted to web applications is increasing, and defenders need to learn how to secure these critical data. Traditional network defenses such as firewalls fail to secure web applications. In covering the OWASP Top 10 Risks and beyond, SEC522 will help you better understand web application vulnerabilities, thus enabling you to properly defend your organization's web assets.

The course will present mitigation strategies from an infrastructure, architecture, and coding perspective alongside real-world techniques that have been proven to work. We'll introduce the nature of each vulnerability to help you understand why it happens, then we'll show you how to identify the vulnerability and provide options to mitigate it.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. The focus will be maintained on security strategies rather than coding-level implementation.

SEC522: Defending Web Applications Security Essentials is intended for anyone tasked with implementing, managing, or protecting web applications. You will find the course useful if you are supporting or creating either traditional web applications or more modern web services for a wide range of front ends like mobile applications. The course is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in enhancing the defense of web applications.

The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices. The topics that will be covered include:

  • The OWASP Top 10
  • Selected specific web application issues from the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors
  • Infrastructure security and configuration management
  • Securely integrating cloud components into a web application
  • Authentication and authorization mechanisms, including single sign-on patterns
  • Application language configuration
  • Application coding errors like SQL injection, cross-site request forgery, and cross-site scripting
  • Web 2.0 and its use of web services (REST/SOAP)
  • Cross-domain web request security
  • Business logic flaws
  • Protective HTTP headers

The SEC522 course features full-day lab with hands-on exercises on how to secure a web application, starting with securing the operating system and web server, finding configuration problems in the application language setup, and finding and fixing coding problems in the site.The course makes heavy use of hands-on exercises and will conclude with a large defensive exercise that reinforces the lessons learned throughout the week.

You Will Learn:

  • How to comprehensively remediate common web application vulnerabilities.
  • How to apply defensive application design and coding practices to avoid security vulnerabilities.
  • The HTTP protocol and new technologies such as HTTP/2, QUIC (HTTP/3), and Websockets that affect the protocol stack.
  • How to move away from basic web application security principles of "validating more" and implement effective security controls against vulnerabilities that input validation simply does not fix.
  • How to customize, implement, and maintain a baseline security standard for the web applications development lifecycle (SANS SWAT checklist), improving security and reducing exposure to common vulnerabilities such as the OWASP Top 10 Risks.
  • How to leverage HTTP header-level protection to apply strong defense systems on the client side by building another layer of defense on top of secure coding on the server side.
  • How to design better and stronger security architecture that includes infrastructure aspects in the design process.
  • How to leverage and uplift the modern security features in the web browser to further enhance the overall security of the application

You Will Be Able To:

  • Understand the major risks and common vulnerabilities related to web applications through real-world examples.
  • Mitigate common security vulnerabilities in web applications using proper coding techniques, software components, configurations, and defensive architecture.
  • Understand the best practices in various domains of web application security such as authentication, access control, and input validation.
  • Fulfill the training requirement as stated in PCI DSS 6.5.
  • Deploy and consume web services (SOAP and REST) in a more secure fashion.
  • Proactively deploy cutting-edge defensive mechanisms such as defensive HTTP response headers and Content Security Policy to improve the security of web applications.
  • Strategically roll out a web application security program in a large environment.
  • Incorporate advanced web technologies such as HTML5 and AJAX cross-domain requests into applications in a safe and secure manner.
  • Develop strategies to assess the security posture of multiple web applications.

Hands-on Training:

  • HTTP Basics
  • Insepcting HTTP/2 traffic and crafting requests
  • Service Isolation
  • SSRF and Credential Stealing Services
  • SQL Injection
  • Guestbook CSRF
  • Cross Site Scripting
  • Unicode and File Upload
  • Authentication Exercise
  • Session Fixation and Session Breaking
  • OAuth and Access Control
  • Inspecting SSL Traffic with Wireshark
  • WSDL Enumeration and Parameter Tampering
  • XMLHttpRequest and Same Origin Policy
  • JavaScript Security Testing
  • Content Security Policy
  • DNS Rebinding
  • Clickjacking
  • HTML5
  • Subresource Integrity
  • Logging and Incident Response
  • Defending the Flag

What You Will Receive:

  • A Ubuntu Linux VMWare virtual machine containing:
    • Virtual server environment consisting of a DNS, FTP, web server, and database to simulate
    • Multiple sample applications for the in-class exercises
    • Pre-installed security tools (e.g., brute forcing, manipulating proxy, and exploiting tools)
  • Printed and Electronic Courseware for the six days of lecture
  • MP3 audio files of the complete course lecture

Other Courses Students Have Taken

Courses that lead in SEC522:

Courses that are good follow-ups to SEC522:

Please note that we have changed the prefix of this course from "DEV" to "SEC" to more accurately reflect the audience. Going forward, the course will be known as "SEC522: Defending Web Applications Security Essentials". If you are browsing the SANS website or reviewing a brochure and notice the new prefix change, please note this change has NO IMPACT on the content of the course.

Syllabus (36 CPEs)

Download PDF
  • Overview

    You cannot win the battle if you do not understand what you are trying to defend. Day one starts with an overview of recent web application attack and security trends, followed by an examination of the essential technologies that are at play in web applications. We arm you with the right information so you can understand how web applications work and the security concepts related to them.

    Modern web applications are supported by a combination of server infrastructure, cloud infrastructure, and possibly other data sources. The code in an application may be fully locked down, but if the server setting is insecure, the server running the application can be easily compromised. Locking down the web environment is essential, so we cover this basic concept of defending the platform and host. You will learn the common pitfalls of infrastructure and cloud security with web applications so you can properly secure them.

    As automation is becoming a critical element of the development process, infrastructure and development components are built and maintained through configurations. The management of these configurations is crucial to the security of the application. We cover the best-practice processes and key aspects of securing web-application-related configurations, from infrastructure to cloud environments and web-server-level configurations, so that you can protect your configurations and related supporting environments for precious web applications.

    • Introduction to HTTP protocol
    • Overview of web authentication technologies
    • Web application architecture
    • Recent attack trends
    • Web infrastructure security/Web application firewalls
    • Managing configurations for web apps
  • Overview

    Day two is devoted to protecting against threats arising from external input. Modern applications have to accept input from multiple sources, such as other applications, browsers, and web services. Web application attacks during the past few years have reminded us that these attack patterns are employed frequently.

    We start the day with a discussion of SQL injection. The basic mechanics of the attack are covered, followed by real-world examples and defense patterns that work in large applications. We then look at cross-site request forgery, which is a common attack against session mechanisms. We'll cover the history of the attack and the modern patterns of defense in-depth to protect your web application against cross-site request forgery.

    This is followed by a detailed discussion of cross-site scripting, the most common vulnerability in web applications. Cross-site scripting is not a complex attack, but the large attack surface makes it difficult to effectively defend against it. We'll focus on real-world cross-site scripting mitigation and testing strategies in enterprise environments.

    Next we will cover business logic flaws and concurrency. These are difficult topics to detect with automated scanners, so it is essential that security professionals understand these problems and avoid them at all costs.

    • Input-related vulnerabilities in web applications
    • SQL injection
    • Cross-site request forgery
    • Cross-site scripting vulnerability and defenses
    • Unicode handling strategy
    • File upload handling
    • Business logic and concurrency
  • Overview

    Day three starts with a discussion of authentication in web applications, followed by examples of exploitation and the mitigations that can be implemented in the short and long terms. Considering the trend to move towards less reliance on passwords for authentication, we cover the modern patterns of password-less authentication and multifactor authentications. We complete the discussion by providing information on how to discover and test for vulnerabilities.

    Another topic is the new generation of single-sign-on solutions such as OAuth and related technologies such as JWT and OpenID Connect. We cover the implications of using these authentication/authorization systems and the common "gotchas" to avoid.

    Authentication is followed by a discussion of authorization. A web application needs not only to accurately identify a user, but also needs to restrict access to information (access control) based on the user's privileges. You will learn the right way to plan for access control during the development life cycle and the common pitfalls when implementing such control. Similar to the discussion on authentication, we start with the vulnerabilities and then move on to mitigations and testing, followed by a section on best practices.

    The Internet does not guarantee the secrecy of information being transferred. Encryption is commonly used to protect the integrity and confidentiality of information exchanged with web applications. This course day covers the security of data in transit as well as on disk and how encryption can help secure that information in the context of web application security.

    We continue with a discussion of session management in web applications. We will go over a hacker's technique in attacking the session mechanism and related defense strategies. We'll present best practices of session security to ensure that your application's session management is as strong as possible.

    • Authentication vulnerabilities and defense
    • Multifactor authentication
    • Session vulnerabilities and testing
    • Authorization vulnerabilities and defense
    • SSL vulnerabilities and testing
    • Proper encryption use in web application
  • Overview

    We'll start day four by focusing on proactive defense mechanisms so that we can be ahead of the bad guys in the game of hack-and-defend. We will cover such topics as handling file uploads, intrusion detection, and the use of deception. The material is designed to give you the extra edge in defending your application.

    We'll then pivot to the security of asynchronous JavaScript and XML (AJAX) and web services, which are currently the most active areas in web application development. Security issues continue to arise as organizations dive headfirst into insecurely implementing new web technologies without first understanding them.

    We will cover security issues, mitigation strategies, and general best practices for implementing AJAX and web services (both SOAP and REST). We will also examine real-world attacks and trends to give you a better understanding of exactly what you are protecting against.

    We end the day with multiple client-side, header-based defense mechanisms such as Content Security Policy to help you further secure your applications. We go in-depth into how these headers can uplift the security level of an application, but we'll also look at the potential downfall of these mechanisms.

    • Honeytoken
    • Web services overview
    • Security in parsing of XML
    • XML security
    • AJAX technologies overview
    • AJAX attack trends and common attacks
    • REST security
    • Browser-based defense such as Content Security Policy
  • Overview

    Day five focuses on cutting-edge web application technologies and current research in this area. Topics such as serialization security, clickjacking, and DNS rebinding are covered. These vulnerabilities have emerged and changed in recent years, and we are refining our defense strategies against them. We cover recent developments on these topics and the latest defensive tactics to protect against these attacks.

    We will also cover the security issues related to HTML5 components and handling Unicode in the web applications world. Lots of vulnerabilities are emerging in these areas and we'll discuss the best practices to address them.

    We then look at the testing aspect of web application security - ranging from the basic testing methodologies to the strategies in the modern CI/CD pipeline. Testing web applications can be challenging given the current continuous delivery schedule, so our aim is to provide relevant information to help you navigate through the testing cycles of modern-day applications.

    To enable any detection of intrusion, logging and error handling must be done correctly. We will discuss the correct approach to handling incidents and logs, then dive even further to cover the modern intrusion detection aspect of web application security.

    • Serialization security
    • Clickjacking
    • DNS rebinding
    • HTML5 security
    • Logging collection and analysis for web apps
    • Security testing
    • IPv6 impact on web security
  • Overview

    Day six starts by introducing the secure software development life cycle and how to apply it to web development. The main activity will be a large lab that will tie together the lessons learned during the week and reinforce them with hands-on applications. Students will be provided with a virtual machine to implement a complete database-driven dynamic website. In addition, they will use a custom tool to enumerate security vulnerabilities and simulate a vulnerability assessment of the website. Students will then have to decide which vulnerabilities are real and which are false positives, then mitigate the vulnerabilities. The scanner will score the student as vulnerabilities are eliminated or checked off as false positives. Advanced students will be able to extend this exercise and find vulnerabilities not presented by the scanner.

    Students will learn through these hands-on exercises how to secure the web application, starting with securing the operating system and the web server, finding configuration problems in the application language setup, and finding and fixing coding problems on the site.

    • Mitigating server configuration errors
    • Discovering and mitigating coding problems
    • Testing business logic issues and fixing problems
    • Testing web services and mitigating security problems
    • Reinforcing key topics discussed throughout the course through comprehensive exercises

GIAC Certified Web Application Defender

The GIAC Web Application Defender certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common web application errors that lead to most security problems. The successful candidate will have hands-on experience using current tools to detect and prevent input validation flaws, cross-site scripting (XSS), and SQL injection as well as an in-depth understanding of authentication, access control, and session management, their weaknesses, and how they are best defended. GIAC Certified Web Application Defenders (GWEB) have the knowledge, skills, and abilities to secure web applications and recognize and mitigate security weaknesses in existing web applications.

  • Access Control, AJAX Technologies and Security Strategies, Security Testing, and Authentication

  • Cross Origin Policy Attacks and Mitigation, CSRF, and Encryption and Protecting Sensitive Data

  • File Upload, Response Readiness, Proactive Defense, Input Related Flaws and Input Validation

  • Modern Application Framework Issues and Serialization, Session Security & Business Logic, Web

  • Application and HTTP Basics, Web Architecture, Configuration, and Security


This class requires a basic understanding of web application technology and concepts such as HTML and JavaScript.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class and it is also strongly advised that you do not bring a system storing any sensitive data.

System Hardware Requirements

  • CPU: Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. Your CPU and OS must support a 64-bit quest virtual machine.
    • VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines.
    • Windows users can use this article to learn more about their CPU and OS capabilities.
    • Apple users can use this support page to learn more information about Mac 64-bit capability
  • BIOS: Inte'ls VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access yoru system's BIOS throughout the class. If your BIOS is password-protected, you must have the password.
  • USB: At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may hav eonly the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.
  • RAM: 8 GB RAM is required for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About." Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."
  • Hard Drive Free Space: 60 GB of FREE space on the hard drive is critical to hose the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
  • Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
  • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

  • Network, Wireless Connection: A wireless 802.11 B, G, N or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.

Additional Software Requirements

  • VMware Workstation Pro 15.5.X+ or Fusion 11.5+ is mandatory. VMware Player will not meet this requirement. You must have the ability to take virtual machine snapshots and you cannot do this with VMware Player. VirtualBox is not supported and may interfere with our labs. It should not be installed on a system you are planning to use for this class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial online.
  • Credential Guard: If your host computer is running Windows, Credential Guard may interfere with the ability to run VMs. It is important that you start up VMware prior to class and confirm that virtual machines can run. It is required that Credential Guard is turned off prior to coming to class.

If you have additional questions about the laptop specifications, please contact

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"Too many websites are getting compromised. The goal of SEC522 is to arm students with real-world defensive strategies that work. You can apply these techniques immediately, regardless of your role in protecting these precious assets exposed online. We all know it is very difficult to defend a web application because there are so many different types of vulnerabilities and attack channels. Overlook one thing and your web app is owned. The defensive perimeter needs to extend far beyond just the coding aspects of web application. This course covers the security vulnerabilities so that students have a good understanding of the problems at hand. We then provide the defensive strategies and tricks, as well as the overall architecture that has been proven to help secure sites. I have also included some case studies throughout the course so that we can learn from the mistakes of others and make our defense stronger. The exercises in class are designed to help you further your understanding and help you retain this knowledge through hands-on practice. By the end of the course, you will have the practical skills and understanding of the defensive strategies to lock down existing applications and build more secure applications in the future."

- Jason Lam


I think SEC522 is absolutely necessary to all techies who work on web applications. I don't think developers understand the great necessity of web security and why it is so important.
Mahesh Kandru
This training is essential for anyone who needs to understand web protocol and application security and their limitations. This course provides a practical approach to many theoretical scenarios with relevant POCs within the course work.
Joel Samaroo
Visa, Inc.
Jason is the best teacher I have ever had. Amazing that he could keep it interesting for 7 hours.
Tuva Dybedokken
Ernst & Young
Jason was very informative and passionate about the material.
Daniel Mata
Not only does SEC522 teach the defenses for securing web apps, it also shows how common and easy the attacks are and thus the need to secure the apps.
Brandon Hardin

    Register for SEC522

    • In Person

    Training events and topical summits feature presentations and courses in classrooms around the world.

    Learn more
    • Live Online

    Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

    Learn more
    • OnDemand

    Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

    Learn more