SEC522: OnDemand

Provided by

Enquire about this course

What You Will Learn
Not A Matter of "If" but "When". Be Prepared For A Web Attack. We'll Teach You How.

During the course, we demonstrate the risks of web applications and the extent of sensitive data that can be exposed or compromised. From there, we offer real world solutions on how to mitigate these risks and effectively evaluate and communicate residual risks.

After attending the class, students will be able to apply what they learned quickly and bring back techniques to not only better secure their applications, but also do so efficiently by adding security early in the software development life cycle, "shifting left" security decisions and testing, thus saving time, money, and resources for the organization.

"If you want to know everything about web apps and web app security, this is the perfect course!" - Chris Kansas, ThreatX
Business Takeaways
  • Comply with PCI DSS 6.5 requirements
  • Reduce the overall application security risks, protect company reputation
  • Adopt the "shifting left" mindset where security issues addressed early and quickly. This avoids the costly rework.
  • Ability to adopt modern apps with API and microservices in a secure manner
  • This course prepares students for the GWEB certification
Skills Learned
  • Defend against the attacks specified in OWASP Top 10
  • Infrastructure security and configuration management
  • Securely integrating cloud components into a web application
  • Learn about Authentication and authorization mechanisms, including single sign-on patterns
  • Understand cross-domain web request security
  • Leverage protective HTTP headers
  • Defending SOAP, REST and GraphQL APIs
  • Securely implement Microservice architecture
  • Defending against input related flaws such as SQL injection, XSS and CSRF
Hands-On Training

The provided VM lab environment contains realistic application environment to explore the attacks and the effects of the defensive mechanisms. The exercise is structured in a challenge format with hints available along the way. The practical hands-on exercises help students gain experience to hit the ground running back at the office. There are 20 labs in section 1 to section 5 of the class and in the last section, there is a capstone exercise called Defending the Flag where there is 3-4 hours of dedicated competitive exercise time.
  • Section 1: HTTP Basics, HTTP/2 traffic inspection and spoofing, Environment isolation, SSRF and credential-stealing
  • Section 2: SQL Injection, Cross Site Request Forgery, Cross Site Scripting, Unicode and File Upload
  • Section 3: Authentication vulnerabilities and defense, Multifactor authentication, Session vulnerabilities and testing, Authorization vulnerabilities and defense, SSL vulnerabilities and testing, Proper encryption use in web application
  • Section 4: WSDL enumerations, Cross Domain AJAX, Front End Features and CSP (Content Security Policy), Clickjacking
  • Section 5: Deserialization and DNS rebinding, GraphQL, API gateways and JSON, SRI and Log review
  • Section 6: Defending the Flag capstone exercise
"Labs were fun and challenging." - Linh Sithihao, Dignity Health

"[Labs are] thought out and easy to follow with good practical knowledge learned." - Barbara Boone, CDC

"Lots of good hands-on exercises using real world examples." - Nicolas Kravec, Morgan Stanley

"The labs were very informative and useful to teach us the basics." - Omar Alshair, TRA

"The exercises are a good indicator of understanding the material. They worked flawlessly for me." - Robert Fratila, Microsoft
Syllabus Summary
  • Section 1: Understand web application architecture, vulnerability and configuration management.
  • Section 2: Detect, mitigate and defend input related threats.
  • Section 3: Authentication, Authorization and Cryptography
  • Section 4: Front end security with modern scripting engines
  • Section 5: REST & GraphQL API with microservice architecture
  • Section 6: Defending the Flag exercise
Additional Free Resources
  • Cloud Security & DevSecOps Best Practices, poster
  • Fix Security Issues Left of Prod, cheat sheet
  • SWAT Checklist, webpage
  • Cloud Ace Podcast
What You Will Receive
  • Printed and electronic courseware
  • Exercise workbook with over 100 pages of detailed step-by-step instructions
  • A virtual machine with Linux operating system and multiple container environments simulating various vulnerable conditions for students to explore during class exercise
  • A poster containing the summary of the most crucial defensive techniques covered in the course in a checklist format which can be used as a baseline Web defensive framework/standard for your organization.
  • MP3 audio files of the complete course lecture
What Comes Next:

DevSecOps Professionals:
  • SEC540: Cloud Security and DevSecOps Automation | GCSA
  • SEC542: Web Application Penetration Testing and Ethical Hacking | GWAPT
  • SEC588: Cloud Penetration Testing | GCPN


Start date Location / delivery
No fixed date Virtual Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...