SEC522: Application Security: Securing Web Applications, APIs, and Microservices™

GIAC Certified Web Application Defender (GWEB)
GIAC Certified Web Application Defender (GWEB)
  • In Person (6 days)
  • Online
36 CPEs

Applications used in accounting, security monitoring, and industrial control systems have one thing in common: they are based on web applications and APIs. Understanding web vulnerabilities is essential to protect any organization, whether on-premises or in the cloud. SEC522 equips security professionals with the skills to identify and mitigate common vulnerabilities in web applications, cloud-native services, and APIs while integrating industry best practices into development processes.

With 20 hands-on labs and an exciting Defend the Flag challenge, this course offers the practical, hands-on experience to stay ahead of evolving security threats and protect modern, hybrid application ecosystems.

What You Will Learn

Not A Matter of "If" but "When". Be Prepared For A Web Attack. We'll Teach You How.

Over the course of SEC522, we demonstrate the real-world risks associated with web applications, emphasizing the many ways that sensitive data can be exposed or compromised. From here, participants learn practical techniques to mitigate these risks, assess vulnerabilities, and effectively communicate residual risks.

Students will be able to apply the skills that they learned in SEC522 the moment they return to work, recognizing and mitigating vulnerabilities across design, implementation, deployment and application maintenance. Students will learn to communicate these risks early in the development lifecycle ("shifting left"). This ensures more efficient testing and decision-making, saves time, money, and resources while improving overall application security within the organization.

"If you want to know everything about web apps and web app security, this is the perfect course!" - Chris Kansas, ThreatX

What Is Application Security?

Application security protects web applications andAPIss from a variety of current cyber threats. It identifies and mitigates vulnerabilities. Key strategies include implementing a secure architecture, secure coding practices, protecting against attacks like SQL injection and cross-site scripting (XSS), implementing proper access controls. Embedding security early in the development process to reduce risk and maintain data integrity.

Business Takeaways

  • Comply with PCI DSS and other compliancerequirements
  • Reduce the overall application security risks, protect company reputation
  • Adopt the "shifting left" mindset where security issues addressed early and quickly. This reduces cost.
  • Ability to adopt modern apps with API and microservices in a secure manner
  • This course prepares students for the GWEB certification

Skills Learned

  • Defend against the attacks specified in OWASP Top 10
  • Infrastructure security and configuration management
  • Securely integrating cloud components into a web application
  • Learn about Authentication and authorization mechanisms, including single sign-on patterns
  • Understand modern authentication/authorization protocols such as OAuth and SAML
  • Modernize authentication patterns with password-less and phish resilient mechanisms
  • Understand cross-domain web request security
  • Leverage protective HTTP headers
  • Defending SOAP, REST and GraphQL APIs
  • Securely implement Microservice architecture
  • Defending against input related flaws such as SQL injection, XSS and CSRF
  • Understand the effect of integrating AI components and tools into modern application development

Hands-On Cloud Application Security Training

The lab environment offers a realistic application setting where students can explore attacks and see the impact of defensive mechanisms. Structured as a challenge with helpful hints, the hands-on labs provide practical experience that students can apply immediately when they return to work. The 20 labs across Sections 1 to 5 culminate in an exciting 3-4 hour competitive Defend the Flag Capstone. This final challenge allows participants to put their skills to the test in a dedicated, immersive exercise.

  • Section 1: HTTP Basics, HTTP/2 traffic inspection and spoofing, Environment isolation, SSRF and credential-stealing
  • Section 2: SQL Injection, Cross Site Request Forgery, Cross Site Scripting, Unicode and File Upload
  • Section 3: Authentication vulnerabilities and defense, Multifactor authentication, Session vulnerabilities and testing, Authorization vulnerabilities and defense, SSL vulnerabilities and testing, Proper encryption use in web application
  • Section 4: WSDL enumerations, Cross Domain AJAX, Front End Features and CSP (Content Security Policy), Clickjacking
  • Section 5: Deserialization and DNS rebinding, GraphQL, API security deep dives and JSON
  • Section 6: Defending the Flag capstone exercise

"[Labs are] thought out and easy to follow with good practical knowledge learned." - Barbara Boone, CDC

"Lots of good hands-on exercises using real world examples." - Nicolas Kravec, Morgan Stanley

"The exercises are a good indicator of understanding the material. They worked flawlessly for me." - Robert Fratila, Microsoft

Syllabus Summary

  • Section 1: Understand web application architecture, vulnerability and configuration management.
  • Section 2: Detect, mitigate and defend input related threats.
  • Section 3: Authentication, Authorization and Cryptography
  • Section 4: Front end security with modern scripting engines
  • Section 5: REST & GraphQL API with microservice architecture
  • Section 6: Defending the Flag exercise

Additional Free Resources

What You Will Receive

  • Printed and electronic courseware
  • Exercise workbook with over 100 pages of detailed step-by-step instructions
  • A virtual machine with Linux operating system and multiple container environments simulating various vulnerable conditions for students to explore during class exercise
  • A poster containing the summary of the most crucial defensive techniques covered in the course in a checklist format which can be used as a baseline Web defensive framework/standard for your organization.
  • MP3 audio files of the complete course lecture

What Comes Next:

DevSecOps Professionals:

Syllabus (36 CPEs)

Download PDF
  • Overview

    The first section of the course will set the stage for the course with the fundamentals of web applications such as the HTTP protocol and the various mechanisms that make web applications work. We then transition over to the architecture of the web applications which plays a big role in securing the application.

    As automation is becoming a critical element of the development process, infrastructure and development components are built and maintained through configuration files ("Infrastructure as Code"). The management of these configurations is crucial to the security of the application. We cover the best-practice processes and key aspects of securing web-application-related configurations, from infrastructure to cloud environments and web-server-level configurations. This will help you protect your configurations and related supporting environments for web applications.

    Exercises
    • HTTP Basics
    • HTTP/2 traffic inspection and spoofing
    • Environment isolation
    • SSRF and credential-stealing
    Topics
    • Introduction to HTTP protocol (including HTTP/1.1, HTTP/2, HTTP/3)
    • Overview of web authentication technologies
    • Web application architecture
    • Recent attack trends
    • Web infrastructure security/Web application firewalls
    • Managing configurations for web apps
  • Overview

    Section two is devoted to protecting against threats arising from external input. Modern applications have to accept input from multiple sources, such as other applications, browsers, web services or other systems not build around web standards. The basic mechanics of the common input related attacks are covered, followed by real-world examples and defense patterns that work in large applications. Input related flaws take up multiple places in the OWASP Top 10 list, the coverage of these input related topics forms a great defense foundations against these common risks. This section closes with a discussion of flaws related to business logic and concurrency. The discussion of business logic flaws uses a number of real world examples to illustrate the dangers of improperly expressing business logic as code. It emphasizes the need to include security considerations in the design and requirements phase of development.

    Exercises
    • SQL Injection
    • Cross Site Request Forgery
    • Cross Site Scripting
    • Unicode and File Upload
    Topics
    • Input-related vulnerabilities in web applications
    • SQL injection
    • Cross-site request forgery
    • Cross-site scripting vulnerability and defenses
    • Unicode handling strategy
    • File upload handling
    • Business logic and concurrency
  • Overview

    Section three starts with a discussion of authentication and authorization in web applications, followed by examples of exploitation and the mitigations that can be implemented in the short and long terms. Considering the trend to move towards less reliance on passwords for authentication, we cover the modern patterns of password-less authentication and multifactor authentications.

    Another topic is the new generation of single-sign-on solutions such as OAuth and related technologies such as JWT and OpenID Connect. We cover the implications of using these authentication/authorization systems and the common "gotchas" to avoid.

    We end the section with an in-depth discussion on encryption usage in modern applications both from a data in transit and data in storage protection perspectives.

    Exercises
    • Authentication
    • Session Fixation
    • OAuth and Access Control
    • Inspecting SSL traffic with Wireshark
    Topics
    • Authentication vulnerabilities and defense
    • Multifactor authentication
    • Session vulnerabilities and testing
    • Authorization vulnerabilities and defense
    • SSL vulnerabilities and testing
    • Proper encryption use in web application
  • Overview

    In this section, we start with covering the concepts of Web services, initially focusing on SOAP based web services. Later, we pivot the focus to the front-end usage of JavaScript with the related security implications such as CORS (Cross Domain Requests). We will cover security issues, mitigation strategies, and general best practices for implementingAJAX based Web applications. We will also examine real-world attacks and trends to give you a better understanding of exactly what you are protecting against. We end the day with multiple client-side, header-based defense mechanisms such as Content Security Policy to help you further secure your applications. We go in-depth into how these headers can uplift the security level of an application, but we'll also look at the potential downfall of these mechanisms.

    Exercises
    • WSDL enumerations
    • Cross Domain AJAX
    • Front End Security Features and CSP (Content Security Policy)
    • Clickjacking
    Topics
    • Web services overview
    • XML security
    • AJAX attack trends and defenses
    • Modern JavaScript Frameworks
    • Browser features and defenses
    • Browser-based defense such as Content Security Policy
  • Overview

    The section starts off with the topic of deserialization security issues which are quickly rising to be a common attack amongst modern applications. We also cover the topic of DNS rebinding which lingers in the application world since the beginning of web applications. The focus then shift over to REST API and GraphQL ased Web services and APIs where these technologies exist in every modern application and have lots of potential security pitfalls. We then extend the discussion to microservices architecture and the security implications of this modern architecture. Across all these technology topics we cover the common attacks and the current best practices in keeping them secure. The day ends with a discussion on integrating AI components into modern applications in a secure fashion.

    Exercises
    • Deserialization and DNS rebinding
    • GraphQL
    • API gateways and JSON
    • SRI and Log review
    Topics
    • Deserialization
    • REST Security
    • GraphQL Security
    • Microservices
    • AI Security
    • Security Testing
    • Logging and Error Handling
  • Overview

    We start this section by introducing the concept of DevSecOps and how to apply it to web development and operations in enterprise environment. The main activity of this section will be a lab experience that will tie together the lessons learned during the entire course and reinforce them with hands-on implementation. Students will then have to decide which vulnerabilities are real and which are false positives, then mitigate the vulnerabilities. Students will learn through these hands-on exercises how to secure the web application, starting with securing the operating system and the web server, finding configuration problems in the application language setup, and finding and fixing coding problems on the site.

    Exercises
    • Defending the flag capstone exercise
    Topics
    • DevSecOps

GIAC Certified Web Application Defender

The GIAC Web Application Defender (GWEB) certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common web application errors that lead to most security problems. The successful candidate will have hands-on experience using current tools to detect and prevent input validation flaws, cross-site scripting (XSS), and SQL injection as well as an in-depth understanding of authentication, access control, and session management, their weaknesses, and how they are best defended. GWEB candidates have the knowledge, skills, and abilities to secure web applications and recognize and mitigate security weaknesses in existing web applications.

  • Access Control, AJAX Technologies and Security Strategies, Security Testing, and Authentication
  • Cross Origin Policy Attacks and Mitigation, CSRF, and Encryption and Protecting Sensitive Data
  • File Upload, Response Readiness, Proactive Defense, Input Related Flaws and Input Validation
  • Modern Application Framework Issues and Serialization, Session Security & Business Logic, Web
  • Application and HTTP Basics, Web Architecture, Configuration, and Security
More Certification Details

Prerequisites

This class requires a basic understanding of web application technology and concepts such as HTML and JavaScript. To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Attendees should have some understanding of concepts like databases (SQL) and scripting languages used in modern web applications.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

Mandatory SEC522 System Hardware Requirements

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 60GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

Mandatory SEC522 Host Configuration And Software Requirements

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact customer service.

Author Statement

"Too many websites are getting compromised. The goal of SEC522 is to arm students with real-world defensive strategies that work. You can apply these techniques immediately, regardless of your role in protecting these precious assets exposed online. We all know it is very difficult to defend a web application because there are so many different types of vulnerabilities and attack channels. Overlook one thing and your web app is owned. The defensive perimeter needs to extend far beyond just the coding aspects of web application. This course covers the security vulnerabilities so that students have a good understanding of the problems at hand. We then provide the defensive strategies and tricks, as well as the overall architecture that has been proven to help secure sites. I have also included some case studies throughout the course so that we can learn from the mistakes of others and make our defense stronger. The exercises in class are designed to help you further your understanding and help you retain this knowledge through hands-on practice. By the end of the course, you will have the practical skills and understanding of the defensive strategies to lock down existing applications and build more secure applications in the future." - Jason Lam and Johannes Ullrich

"I am very glad I took this course because there are not many instructors on platforms like Udemy or YouTube that have the knowledge the instructor has. He is very knowledgeable and when asking a question, he goes in-depth about the concept. What I love the most is that his professional experience working in the field helps us understand more about real-life examples." - Alisa C.

Reviews

Not only does SEC522 teach the defenses for securing web apps, it also shows how common and easy the attacks are and thus the need to secure the apps.
Brandon Hardin
ITC
This training is essential for anyone who needs to understand web protocol and application security and their limitations. This course provides a practical approach to many theoretical scenarios with relevant POCs within the course work.
Joel Samaroo
Visa, Inc.
I think SEC522 is absolutely necessary to all techies who work on web applications. I don't think developers understand the great necessity of web security and why it is so important.
Mahesh Kandru
Cabela's
Jason was very informative and passionate about the material.
Daniel Mata
TMRS
Jason is the best teacher I have ever had. Amazing that he could keep it interesting for 7 hours.
Tuva Dybedokken
Ernst & Young

    Register for SEC522

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...