GIAC Certified Web Application Defender (GWEB)
The GIAC Web Application Defender certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common web application errors that lead to most security problems.
The successful candidate will have hands-on experience using current tools to detect and prevent Input Validation flaws, Cross-site scripting (XSS), and SQL Injection as well as an in-depth understanding of authentication, access control, and session management, their weaknesses, and how they are best defended.
GIAC Certified Web Application Defenders (GWEB) have the knowledge, skills, and abilities to secure web applications and recognize and mitigate security weaknesses in existing web applications.
TargetDevelopers, Web Application Security Analysts, Auditors, Penetration Testers, Security Professionals responsible for web application security and anyone interested in learning the concepts of securing web applications.
Preparing for the GWEB Exam: Candidates may choose to prepare for the GWEB exam by taking the SANS Training Course: DEV522: Defending Web Applications Security Essentials
*No Specific training is required for any GIAC certification. If candidates need help in mastering the objectives for this certification, there are many sources of information available. Practical experience is one option; there are also numerous books on the market covering Computer Information Security. Another option is SANS training, or any relevant courses from other training providers.*
- 1 proctored exam
- 75 questions
- Time limit of 3 hours
- Minimum Passing Score of 68%
Certifications must be renewed every 4 years. Click here for details.
NOTE: GIAC exams are NOT given the day after the conference ends.
GIAC certification attempts purchased without SANS training will be activated in your SANS/GIAC account within 24 business hours of purchase. GIAC certification attempts purchased with SANS training will be activated in your SANS/GIAC account 7-10 business days after the end of the conference. In both cases, you will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt. GIAC exams must be proctored through Pearson VUE. Please click the following link for instructions on How to Schedule Your GIAC Proctored Exam. GIAC exams are delivered online through a standard web browser.
- Certified Professionals (GWEB)
- Exam Feedback Procedure
- Grievance Procedure
- Proctored exam procedure
- SANS Information Security Reading Room
Bulletin (Part 2 of Candidate Handbook)
Exam Certification Objectives & Outcome Statements
The topic areas for each exam part follow:
- Access Control
- The candidate will demonstrate understanding of access control attacks and mitigation strategies, as well as applying the best practice in avoiding access control issues.
- AJAX Technologies and Security Strategies
- The candidate will demonstrate understanding of web authentication, single sign on methods, third party session sharing and common weaknesses, as well as how to develop test strategies, and apply best practices.
- Business Logic and Concurrency
- The candidate will demonstrate a general understanding of business logic flaws and concurrency issues in web applications, and how to test for and mitigate against these weaknesses.
- Cross Origin Policy Attacks and Mitigation
- The candidate will demonstrate an understanding of methods attackers use to circumvent single origin policy enforcement and best practices for preventing, detecting or mitigating these attacks in web applications.
- Cross Site Scripting
- The candidate will demonstrate an understanding of what cross site scripting is and how to use best practices and browser controls to prevent it.
- The candidate will demonstrate understanding of the conditions that make a CSRF attack possible, the steps an attacker takes and how to mitigate CSRF attacks.
- Encryption and Protecting Sensitive Data
- The candidate will demonstrate understanding of how cryptographic components work together to protect web application data in transit and in storage and also when and where to use encryption or tokenization to protect sensitive information.
- Incident Detection and Handling
- The candidate will demonstrate an understanding of the controls and processes used to log errors and events, how to mitigate automated bot and spam scripts, and how to detect and respond to incidents in the web application environment.
- Input Validation and Encoding
- The candidate will demonstrate understanding of the threats related to user inputs of web applications and the strategies and general practice to handle user input properly to mitigate input related attacks.
- Rich Interface Addon Security
- The candidate will demonstrate an understanding of common Rich InterfaceApplication (RIA) platforms (such as Flash, Silverlight, HTML5), common attacks against these technologies and best practices for securing applications using RIA.
- Session Management
- The candidate will demonstrate understanding of what sessions are, how to test and mitigate common weaknesses, and how to properly implement session tokens and cookies in a web application.
- SQL Injection
- The candidate will demonstrate an understanding of what SQL Injection is and how to use best practices to prevent it.
- Vulnerability Management and Penetration Testing
- The candidate will demonstrate understanding of at a high level the processes for managing vulnerabilities and penetration testing a web application.
- Web Environment Configuration Hardening
- The candidate will demonstrate an understanding of environmental controls and operational procedures needed to secure servers and services that host web applications.
- Web Mechanism and Architecture Security
- The candidate will demonstrate understanding of the building blocks of web applications and how components work together to provide HTTP content as well as high level attack trends.
- Web Services Security
- The candidate will demonstrate an understanding of Service Oriented Architecture (SOA), common attacks against web services components (SOAP, XML, WSDL, etc) and best practices for securing web services.
Where to Get Help
Training is available from a variety of resources including on line, course attendance at a live conference, and self study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.
Finally, college level courses or study through another program may meet the needs for mastery.
The procedure to contest exam results can be found at http://www.giac.org/about/procedures/grievance.