GIAC – Certified Web Application Defender (GWEB)

What is GWEB?

The GIAC Web Application Defender certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with the common web application errors that lead to most security problems. The successful candidate will have hands-on experience using current tools to detect and prevent input validation flaws, cross-site scripting (XSS), and SQL injection, as well as an in-depth understanding of authentication, access control, and session management, their weaknesses, and how they are best defended. GIAC Certified Web Application Defenders (GWEB) have the knowledge, skills, and abilities to secure web applications and to recognize and mitigate security weaknesses in existing web applications.

Who Should Attend?

This course is designed for:

  • Application developers
  • Application security analysts or managers
  • Application architects
  • Penetration testers who are interested in learning about defensive strategies
  • Security professionals who are interested in learning about web application security
  • Auditors who need to understand defensive mechanisms in web applications
  • Employees of PCI-compliant organizations who need to be trained to comply with PCI DSS requirements

Learning Objectives

The topic areas for each exam part follow:

  • Access Control: will demonstrate understanding of access control attacks and mitigation strategies, as well as applying best practices to avoid access control issues.
  • AJAX Technologies and Security Strategies: will demonstrate an understanding of Asynchronous JavaScript and XML (AJAX) architecture, common attacks against AJAX technologies, and best practices for securing applications that use AJAX.
  • Authentication: will demonstrate understanding of web authentication, single sign-on methods, third-party session sharing, and their common weaknesses, as well as how to develop test strategies and apply best practices.
  • Cross-Origin Policy Attacks and Mitigation: will demonstrate an understanding of the methods attackers use to circumvent same-origin policy enforcement, and best practices for preventing, detecting, or mitigating these attacks in web applications.
  • CSRF: will demonstrate understanding of the conditions that make a cross-site request forgery (CSRF) attack possible, the steps an attacker takes, and how to mitigate CSRF attacks.
  • Encryption and Protecting Sensitive Data: will demonstrate understanding of how cryptographic components work together to protect web application data in transit and at rest, and when and where to use encryption or tokenization to protect sensitive information.
  • File Upload, Response Readiness, Proactive Defense: will demonstrate an understanding of incident response as well as file upload, logging, and anti-automation issues.
  • Input Related Flaws and Input Validation: will demonstrate understanding of SQL injection, cross-site scripting, and HTTP response splitting, and how to protect against them with proper input validation (together with context-appropriate output encoding and parameterized queries, which input validation alone does not replace).
  • Leading Edge Technologies and Web Security: will demonstrate an understanding of leading-edge web application security issues and technologies.
  • Modern Application Framework Issues and Serialization: will demonstrate understanding of miscellaneous security technologies and techniques associated with web application security, including REST, Java frameworks, serialization, and browser defenses.
  • Security Testing: will demonstrate an understanding of how to detect and respond to incidents and how to conduct security testing in the web application environment.
  • Session Security & Business Logic: will demonstrate understanding of what sessions are, how to test for and mitigate common weaknesses, how to properly implement session tokens and cookies in a web application, and the security issues associated with business logic.
  • Web Application and HTTP Basics: will demonstrate understanding of the building blocks of web applications and how components work together to deliver HTTP content, as well as high-level attack trends.
  • Web Architecture and Configuration: will demonstrate an understanding of web application architecture and the controls needed to secure the servers and services that host web applications.
  • Web Services Security: will demonstrate an understanding of Service Oriented Architecture (SOA), common attacks against web services components (SOAP, XML, WSDL, etc.), and best practices for securing web services.

Benefits of GWEB:

  • Access Control, AJAX Technologies and Security Strategies, Security Testing, and Authentication
  • Cross-Origin Policy Attacks and Mitigation, CSRF, and Encryption and Protecting Sensitive Data
  • File Upload, Response Readiness, Proactive Defense, and Input Related Flaws and Input Validation
  • Leading Edge Technologies and Web Security, Modern Application Framework Issues and Serialization, and Session Security & Business Logic
  • Web Application and HTTP Basics, Web Architecture and Configuration, and Web Services Security

Exam Format

  • 1 proctored exam
  • 75 questions
  • Time limit of 3 hours
  • Minimum Passing Score of 68%

Note: GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.

General Information

  • Training is available in a variety of modalities, including live conference training, online training, and self-study.
  • Practical work experience can help ensure that you have mastered the skills necessary for certification.
  • College-level courses or study through another program may also meet the needs for mastery.
  • The procedure to contest exam results can be found at https://www.giac.org/about/procedures/grievance.
